
Add more config variables for transit-unsealing and raft-joining #311

Closed
wants to merge 1 commit into from

Conversation

gw0
Contributor

@gw0 gw0 commented May 20, 2020

Currently, the Vault configuration (/tmp/storageconfig.hcl) only provides HOST_IP and POD_IP as variables that get replaced. Additionally, the sed commands used are not well written and cannot support entering URLs (or anything that contains a /).

These two variables are not enough to set up Vault correctly in all scenarios (in HA you need API_ADDR). For unsealing with Vault Transit (docs) you also need to configure the address of another Vault server (e.g. TRANSIT_ADDR). And to set up the Raft backend (docs) as easily as possible it is beneficial that all nodes attempt to automatically join the cluster (e.g. RAFT_ADDR). With this PR these can all be set as environment variables under extraEnvironmentVars:, and this enables you to utilize variables in Helmfile (or other wrappers on top of Helm).

Anyway, I have been successfully using and redeploying Vault with transit-unsealing and raft-joining for a couple of months now with this PR and a configuration like this:

      config: |
        ui = true
        api_addr = "API_ADDR"
        cluster_addr = "https://POD_IP:8201"
        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
        }
        storage "raft" {
          path = "/vault/data"
        }
        seal "transit" {
          address         = "TRANSIT_ADDR"
          disable_renewal = "false"
          key_name        = "unseal_key"
          mount_path      = "transit/"
        }
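The comment above points out that a plain `sed "s/API_ADDR/$API_ADDR/"` breaks as soon as the value is a URL, because the `/` in `https://` terminates the `s` command. The following is an added example (not code from vault-helm or from this PR) of placeholder substitution that tolerates URLs: it escapes the characters that are special on the replacement side of `s` and uses a delimiter that cannot appear in the value after escaping. The placeholder names API_ADDR, POD_IP and TRANSIT_ADDR come from the configuration above; the helper names (`sed_escape`, `render_config`, `naive_render`, `sample_template`) and the sample template are constructed for this illustration.

```shell
#!/bin/sh
# Added example: safe placeholder substitution for a Vault config template.
# Not part of vault-helm; helper names and sample data are constructed.

# Escape a value for the replacement side of a sed "s" command.
# Backslash, '&' (matched text) and our delimiter '|' are special there.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# The naive form from the PR description: fails (sed exits non-zero) as soon
# as the value contains a '/', e.g. any https:// URL.
naive_render() {
  sed -e "s/API_ADDR/$1/g"
}

# Robust form: reads the template on stdin and writes the rendered config.
# Arguments: API_ADDR value, TRANSIT_ADDR value, POD_IP value.
# Note that sed applies the -e commands in order to each line, so a value
# inserted by an earlier command is still visible to later ones; keep the
# substituted values free of other placeholder names.
render_config() {
  api_addr=$(sed_escape "$1")
  transit_addr=$(sed_escape "$2")
  pod_ip=$(sed_escape "$3")
  sed -e "s|API_ADDR|$api_addr|g" \
      -e "s|TRANSIT_ADDR|$transit_addr|g" \
      -e "s|POD_IP|$pod_ip|g"
}

# Constructed template mirroring the placeholders used in the PR's config.
sample_template() {
  cat <<'EOF'
api_addr     = "API_ADDR"
cluster_addr = "https://POD_IP:8201"
seal "transit" {
  address = "TRANSIT_ADDR"
}
EOF
}

# Demonstration: render with URL values that the naive sed cannot handle.
sample_template | render_config \
  'https://vault.example.com:8200' \
  'https://transit.example.com:8200' \
  '10.0.0.5'
```

Running the block prints the template with all three placeholders filled in; piping the same template through `naive_render 'https://vault.example.com:8200'` instead makes sed abort with an "unknown option to `s'" style error, which is the failure the comment describes.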

@jasonodonnell
Contributor

Thanks for the contribution @gw0!

We'd like to merge these transit values, however, the auto-join code needs to be removed. There's a feature coming to Vault in the near future that will allow auto-join which we plan to utilize in this project.

@gw0 gw0 force-pushed the add-more-config-variables branch 2 times, most recently from 66414ca to b4cf48f on October 8, 2020 10:04
@gw0 gw0 mentioned this pull request Oct 8, 2020
@gw0
Contributor Author

gw0 commented Oct 8, 2020

I am closing this PR in favor of #398, which contains only the improved handling of environment variables and adds the TRANSIT_ADDR env variable. The option of running extra commands was in the meantime superseded by the postStart lifecycle hook and the vault.command macro.

@gw0 gw0 closed this Oct 8, 2020