
More options to configure unsealConfig for transit-unseal #221

Closed
2 tasks done
Ais8Ooz8 opened this issue Sep 30, 2023 · 3 comments
Labels
kind/enhancement Categorizes issue or PR as related to an improvement. lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed.

Comments


Ais8Ooz8 commented Sep 30, 2023

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I agree to follow the Code of Conduct.

Problem Description

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

While there is an explicit way for the kv-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-vault-kv-unseal.yaml

  # Describe where you would like to store the Vault unseal keys and root token
  # in a separate remote Vault instance.
  unsealConfig:
    vault:
      address: https://vault:8200 # Remote Address for Vault
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes

We see not very transparent recommendations on how to stop using Kubernetes Secrets — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-transit-unseal.yaml

  # Even if unsealing will be done via the Transit Auto-Unseal flow the root token
  # and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
  # not highly secure, but this is just an example, in production please use one of
  # the KMS based options.
  # unsealConfig:
  # ...

Proposed Solution

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

Alternatives Considered

No response

Additional Information

No response
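The security-relevant point of the issue is that Transit auto-unseal only replaces the unseal keys: the root token and recovery keys still land wherever `unsealConfig` points, and with no `unsealConfig` that is a Kubernetes Secret. The following is an added audit helper (not vault-operator code) that flags that default in a Vault CR; the `spec.config.seal.transit` layout and the store names other than `vault`, `azure` and `aws` are assumptions, not taken from the CRD.

```python
"""Audit a Bank-Vaults Vault CR for where unseal material ends up.

Added example, not vault-operator code. The spec.config.seal.transit layout
and the store names google/alibaba/hsm are assumptions; vault/azure/aws come
from this issue thread.
"""
from typing import Any

# Stores that keep root token / recovery keys out of Kubernetes Secrets.
REMOTE_STORES = ("vault", "aws", "azure", "google", "alibaba", "hsm")


def audit_unseal_config(cr: dict[str, Any]) -> list[str]:
    """Return findings for one Vault CR; an empty list means nothing to flag."""
    findings: list[str] = []
    spec = cr.get("spec", {})
    seal = spec.get("config", {}).get("seal", {})
    unseal = spec.get("unsealConfig") or {}

    stores = [s for s in REMOTE_STORES if s in unseal]
    if not stores:
        # Transit seal or not, the keys/root token default to a K8s Secret.
        how = "transit auto-unseal" if "transit" in seal else "Shamir unseal"
        findings.append(f"{how} with no remote unsealConfig store: root token "
                        "and recovery/unseal keys will be kept in Kubernetes Secrets")
        return findings

    vault_store = unseal.get("vault")
    if vault_store is not None:
        # Same four fields as the cr-vault-kv-unseal example in this issue.
        for key in ("address", "unsealKeysPath", "role", "authPath"):
            if key not in vault_store:
                findings.append(f"unsealConfig.vault missing '{key}'")
        addr = str(vault_store.get("address", ""))
        if addr and not addr.startswith("https://"):
            findings.append(f"unsealConfig.vault.address is not https: {addr}")
    return findings


# Constructed CRs mirroring the two linked examples (not the repo's files).
TRANSIT_SEAL = {"transit": {"address": "https://central-vault:8200",
                            "key_name": "autounseal", "mount_path": "transit/"}}
WEAK_CR = {"spec": {"config": {"seal": TRANSIT_SEAL}}}            # no unsealConfig
FIXED_CR = {"spec": {"config": {"seal": TRANSIT_SEAL},
                     "unsealConfig": {"vault": {"address": "https://vault:8200",
                                                "unsealKeysPath": "secret/data/vault-keys",
                                                "role": "default",
                                                "authPath": "kubernetes"}}}}

if __name__ == "__main__":
    for name, cr in (("weak", WEAK_CR), ("fixed", FIXED_CR)):
        print(name, audit_unseal_config(cr) or ["ok"])
```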

@Ais8Ooz8 Ais8Ooz8 added the kind/enhancement Categorizes issue or PR as related to an improvement. label Sep 30, 2023
@DrummyFloyd

Will it be in the roadmap?
Or are you still looking at some information about HashiCorp's new licence?

@akijakya
Member

Hi @Ais8Ooz8, thanks for considering Bank-Vaults, also sorry for the late reply!

You can specify a different place to store the root token and recovery keys for any Vault custom resource. In the vault-kv-unseal example it is another Vault instance; the default is a Kubernetes secret, but you can (should) use another Vault, Azure, AWS, etc.:

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 4, 2024
@ramizpolic ramizpolic removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 5, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 7, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 28, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 28, 2024
@csatib02 csatib02 reopened this Apr 28, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jun 30, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 30, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 30, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 30, 2024
@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jul 7, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Sep 8, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Sep 8, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Sep 8, 2024
@csatib02
Member

csatib02 commented Sep 8, 2024

Answered by: #221 (comment)

@csatib02 csatib02 closed this as completed Sep 8, 2024