vault-unsealer-operator

About The Project

Purpose

This Kubernetes operator lets you automate the unseal process of your HashiCorp Vault clusters or instances, driven by a sample file and a secret.

Built With

Getting Started

Prerequisites

You need to have:

  • An operational Kubernetes cluster
  • A HashiCorp Vault cluster or instance
  • The kubectl binary

Installation

  1. Deploy the latest operator release via the ‘bundle’ file:
    kubectl apply -f https://raw.githubusercontent.com/aamoyel/vault-unsealer-operator/main/deploy/bundle.yml

Usage

  1. First you need to create your secret holding your threshold unseal keys. You can find an example at this link. Here is an example:

     apiVersion: v1
     kind: Secret
     metadata:
       name: thresholdkeys
     type: Opaque
     stringData:
       key1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       key2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Apply this file with kubectl.

  2. (Optional) If you have your own PKI and CA certificate, you can create a secret (example file here) like this:

     apiVersion: v1
     kind: Secret
     metadata:
       name: cacertificate
     type: Opaque
     stringData:
       ca.crt: |
         -----BEGIN CERTIFICATE-----
         .....................................
         -----END CERTIFICATE-----

    Apply this file with kubectl.

  3. Now you can create your config file and custom fields:

     apiVersion: unsealer.amoyel.fr/v1alpha1
     kind: Unseal
     metadata:
       name: unseal-sample
     spec:
       vaultNodes:
         - https://vault-cluster-node-url-1:8200
         - https://vault-cluster-node-url-2:8200
         - https://vault-cluster-node-url-3:8200
       thresholdKeysSecret: thresholdkeys
       # Optional, but important if you have an internal PKI for your Vault certificate. The secret needs to be in the same namespace as this resource
       caCertSecret: cacertificate
       # Optional, set this parameter to true if you want to skip TLS certificate verification
       tlsSkipVerify: false
       # Optional
       retryCount: 3

    Apply this file with kubectl.
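The exchange the operator drives for each entry in vaultNodes, with the shares from the thresholdKeysSecret (added example, not the operator's own code): it reads /v1/sys/seal-status and submits shares to /v1/sys/unseal only while the node reports itself sealed, and runs against a constructed fake Vault server so it works offline. The helper names (call, unsealNode, fakeVault) are assumptions; the two Vault endpoints and the sealed/t/progress fields are Vault's public API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
)
type sealStatus struct { // fields of Vault's /v1/sys/seal-status reply used here
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`        // shares required to unseal
	Progress int  `json:"progress"` // shares accepted so far
}
// call performs one Vault API request and decodes the seal status in its reply.
func call(c *http.Client, method, url string, body []byte, st *sealStatus) error {
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(st)
}
// unsealNode is the per-node loop an Unseal resource drives: read seal-status, then PUT
// /v1/sys/unseal one share at a time until sealed=false. No share is ever sent to a node
// that already reports itself unsealed; a node still sealed afterwards is the retry case.
func unsealNode(c *http.Client, node string, keys []string) (sealStatus, error) {
	var st sealStatus
	err := call(c, http.MethodGet, node+"/v1/sys/seal-status", nil, &st)
	for i := 0; err == nil && st.Sealed && i < len(keys); i++ {
		body, _ := json.Marshal(map[string]string{"key": keys[i]})
		err = call(c, http.MethodPut, node+"/v1/sys/unseal", body, &st)
	}
	return st, err
}
// fakeVault is a constructed stand-in for one sealed node needing t distinct shares
// (it counts strings instead of reconstructing a Shamir secret, and ignores the path).
func fakeVault(t int) *httptest.Server {
	st, seen := sealStatus{Sealed: true, T: t}, map[string]bool{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Key string `json:"key"` }
		if r.Method == http.MethodPut && json.NewDecoder(r.Body).Decode(&in) == nil && st.Sealed && !seen[in.Key] {
			seen[in.Key], st.Progress = true, st.Progress+1
			st.Sealed = st.Progress < t
		}
		json.NewEncoder(w).Encode(st)
	}))
}
```

A real deployment would build the http.Client with the CA from caCertSecret (or tlsSkipVerify) and loop unsealNode up to retryCount times while Sealed stays true.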

Contribute

You can create issues on this project if you have any problems or suggestions.

License

Distributed under the Apache-2.0 license. See LICENSE.txt for more information.

Contact

Alan Amoyel – @AlanAmoyel

Project Link: https://github.com/aamoyel/vault-unsealer-operator
