Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add postStart lifecycle hook #315

Merged
merged 2 commits into from
May 28, 2020
Merged

Add postStart lifecycle hook #315

merged 2 commits into from
May 28, 2020

Conversation

jasonodonnell
Copy link
Contributor

@jasonodonnell jasonodonnell commented May 28, 2020
edited
Loading

This adds a configurable postStart lifecycle hook to Vault Helm. Using this hook, in conjunction with readiness probe configurations, it's possible to run scripts on the Vault pods after they start. This would allow users to create custom scripts to do things like initialize Vault and bootstrap auth methods/policies.

server:
  # Mount a secret containing some custom script
  extraVolumes:
  - type: secret
    name: demo-vault

  # Configure readiness probe to report "ready" even if Vault is uninitialized and sealed.
  # Useful when bootstrapping Vault for the first time.
  readinessProbe:
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"

  postStart:
  - "/bin/sh"
  - "-c"
  - "/vault/userconfig/demo-vault/bootstrap.sh"

These can also be configured via --set:

helm install vault \
  --set='server.postStart={/bin/sh,-c,/vault/userconfig/demo-vault/bootstrap.sh}' \
  .

@jasonodonnell jasonodonnell added this to the v0.6.0 milestone May 28, 2020
@jasonodonnell jasonodonnell requested a review from tvoran May 28, 2020 17:11
tvoran
tvoran reviewed May 28, 2020
View reviewed changes
values.yaml Outdated Show resolved Hide resolved
@jasonodonnell @tvoran
Update values.yaml
ae80cfc 
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
@jasonodonnell jasonodonnell merged commit 4215316 into master May 28, 2020
@jasonodonnell jasonodonnell deleted the poststart branch May 28, 2020 18:53
@davidcunningham
Copy link

This is a great feature, will more documentation be provided? For example, I have a ConfigMap that creates a script to set a bunch of default auth policies. The script is written to userconfig properly using extraVolumes, but the permissions are set to root so the postStart can not execute the script as permission is denied. Any additional examples would be awesome!

@jasonodonnell
Copy link
Contributor Author

Hi @davidcunningham,

Something like this should work for you (it's a little ugly):

server:
  extraVolumes:
  - type: secret
    name: demo-vault
  readinessProbe:
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"

  postStart:
  - "/bin/sh"
  - "-c"
  - "sleep 5 && cp /vault/userconfig/demo-vault/bootstrap.sh /tmp/bootstrap.sh && chmod +x /tmp/bootstrap.sh && /tmp/bootstrap.sh"

We need to add a feature that will allow users to set the mode for the files being mounted. That should make this nicer.

@jasonodonnell jasonodonnell mentioned this pull request May 29, 2020
Closed
@davidcunningham
Copy link

Thanks @jasonodonnell. It's a prettier solution then having a bunch of commands in the postStart!

radudd pushed a commit to radudd/vault-helm that referenced this pull request Jun 5, 2020
@jasonodonnell @tvoran
Add postStart lifecycle hook (hashicorp#315)
79c84ba 
* Add postStart lifecycle hook

* Update values.yaml

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
@jasonodonnell jasonodonnell mentioned this pull request Jun 9, 2020
Closed
@jasonodonnell jasonodonnell mentioned this pull request Jul 21, 2020
Closed
@angeloskaltsikis
Copy link

Hey @jasonodonnell , thanks for your great work on this feature.
Currently, we are introducing Vault & also we want to use Vault Terraform Provider to configure some of the required Vault configurations.
To avoid storing plain credentials (or even encrypted ones) in our IaC we decided to utilize AWS Auth method for Vault which fits perfectly for our case and verified that that's true.
While we would like to auto initialize the AWS Auth method with the proper configuration when we install Vault and avoid any need for manual human interaction, we are a bit concerned that introducing something like this has some security implications (storing the root token in a plaintext file in Vault container).

  • Do you think that we are right to be worried about production deployment?
  • Can you think or have you found any better alternative?
    Thanks in advance 🙏🏽

@bakunowski bakunowski mentioned this pull request Nov 22, 2021
Closed
@dhduvall dhduvall mentioned this pull request Apr 25, 2022
Open
@andreapigatto
Copy link

andreapigatto commented May 24, 2024
edited
Loading

@jasonodonnell I'm trying to find a way to run a script for enable transit for auto-unseal. postStart seems good candidate but in HA I would need ONLY one node to actually run the script and enable transit. Is there a way to do it with postStart it or is there a better approach? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvoran tvoran tvoran approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.6.0
Development

Successfully merging this pull request may close these issues.
5 participants
@jasonodonnell @davidcunningham @angeloskaltsikis @andreapigatto @tvoran