This Go tool can be used to initialize Vault. It can perform the following steps:

- Vault initialization
- Save the root token and unseal keys to a Kubernetes Secret
- Vault unseal
- Enable Kubernetes authentication
In this version, the Vault root token and unseal keys can only be saved to a Kubernetes Secret. This is insecure and this deployment is ONLY SUITED FOR DEVELOPMENT ENVIRONMENTS. However, this tool can be extended to save the Vault root token and unseal keys to a different secret store (Azure Key Vault, AWS KMS, another Vault instance).
The container image is hosted at quay.io in the following repo: quay.io/radudd/vault-bootstrap
To install Vault Bootstrap on OpenShift or Kubernetes, deploy the following Job:

```yaml
cat <<EOF | oc apply -f -
kind: Job
apiVersion: batch/v1
metadata:
  name: vault-init
spec:
  template:
    metadata:
      name: vault-init
      labels:
        job-name: vault-init
    spec:
      containers:
        - name: vault-init
          image: quay.io/radudd/vault-bootstrap
          command:
            - /app/vault-bootstrap
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: VAULT_ADDR
              value: 'https://vault.hashicorp-vault.svc:8200'
            - name: VAULT_CLUSTER_MEMBERS
              value: >-
                https://vault-0.vault-internal:8200,https://vault-1.vault-internal:8200,https://vault-2.vault-internal:8200
            - name: VAULT_KEY_SHARES
              value: '5'
            - name: VAULT_KEY_THRESHOLD
              value: '3'
            - name: VAULT_ENABLE_INIT
              value: 'true'
            - name: VAULT_ENABLE_K8SSECRET
              value: 'true'
            - name: VAULT_ENABLE_UNSEAL
              value: 'true'
            - name: VAULT_ENABLE_K8SAUTH
              value: 'true'
          imagePullPolicy: Always
      # a Job's pod template must not use the default restartPolicy (Always)
      restartPolicy: OnFailure
      serviceAccountName: vault
      serviceAccount: vault
EOF
```
If you choose to save the root token and unseal keys into a Kubernetes Secret, you can re-run the init Job to unseal any of the pods (for example after a pod gets rescheduled). To do this, run the following command:

```shell
oc get job vault-init -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | oc replace --force -f -
```
This tool can also be run in init-container mode, which is useful for auto-unsealing from the K8s Secret. In this mode, the initContainer spawns a vault-bootstrap Job configured to perform only the unseal step, and only for the pod it is attached to. To use this mode, add the following definition to the Vault StatefulSet:
```yaml
initContainers:
  - name: vault-unsealer
    image: 'quay.io/radudd/vault-bootstrap:init-container-unsealer'
    command:
      - /app/vault-bootstrap
    args:
      - '--mode'
      - init-container
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    imagePullPolicy: Always
    env:
      - name: VAULT_JOB_IMAGE
        value: quay.io/radudd/vault-bootstrap:latest
      - name: VAULT_KEY_SHARES
        value: '1'
      - name: VAULT_KEY_THRESHOLD
        value: '1'
      - name: VAULT_K8S_POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: VAULT_K8S_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
```
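The unseal step that both the re-run Job and the init-container mode rely on, as an added Go example (this is not the vault-bootstrap project's own code): it reads a member's seal status, submits key shares until the member reports `sealed=false`, refuses to send anything when fewer shares than the threshold are available, and sends nothing to a member that is already unsealed. `SealStatus`, `decode` and `UnsealMember` are assumed names; the shares are passed in as a slice, where the real tool would read them from the "vault" Kubernetes Secret.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// SealStatus holds the fields of Vault's seal-status and unseal replies used here.
type SealStatus struct {
	Sealed bool `json:"sealed"`
	T      int  `json:"t"` // unseal threshold, i.e. VAULT_KEY_THRESHOLD
}

// decode turns one Vault API reply into a SealStatus; transport errors and
// non-200 replies (for example a rejected key share) are reported, not ignored.
func decode(resp *http.Response, reqErr error) (st SealStatus, err error) {
	if reqErr != nil {
		return st, reqErr
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return st, fmt.Errorf("%s: HTTP %d", resp.Request.URL.Path, resp.StatusCode)
	}
	return st, json.NewDecoder(resp.Body).Decode(&st)
}

// UnsealMember submits key shares (assumed here to be passed in; the real tool reads
// them from the "vault" K8s Secret) to one cluster member until it reports sealed=false
// and returns how many shares were submitted. An already-unsealed member, e.g. a
// rescheduled pod re-running the job, gets none; too few shares is refused up front.
func UnsealMember(c *http.Client, member string, keys []string) (int, error) {
	st, err := decode(c.Get(member + "/v1/sys/seal-status"))
	if err != nil || !st.Sealed {
		return 0, err // nil error here means the member is already unsealed
	}
	if len(keys) < st.T {
		return 0, fmt.Errorf("%s: threshold %d but only %d shares", member, st.T, len(keys))
	}
	for i, k := range keys {
		body, _ := json.Marshal(map[string]string{"key": k})
		st, err = decode(c.Post(member+"/v1/sys/unseal", "application/json", bytes.NewReader(body)))
		if err != nil || !st.Sealed {
			return i + 1, err // share i+1 was attempted; nil error means the member is unsealed
		}
	}
	return len(keys), fmt.Errorf("%s still sealed after %d shares", member, len(keys))
}
```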
The configuration is specified via environment variables. The supported ones are listed below.

| Environment variable | Default value | Info |
|---|---|---|
| VAULT_ADDR | | Vault address |
| VAULT_CLUSTER_MEMBERS | | Vault cluster members as URLs, specified as a comma-separated list |
| VAULT_KEY_SHARES | 1 | Key shares generated by initialization |
| VAULT_KEY_THRESHOLD | 1 | Key threshold generated by initialization |
| VAULT_SERVICE_ACCOUNT | vault | Service account which runs the Vault pods. Required for enabling K8s authentication |
| VAULT_ENABLE_INIT | true | Enable Vault initialization |
| VAULT_ENABLE_K8SSECRET | true | Enable saving the Vault root token and key shares into a K8s Secret called "vault" |
| VAULT_ENABLE_UNSEAL | true | Enable Vault unseal |
| VAULT_ENABLE_K8SAUTH | true | Enable Kubernetes authentication for Vault |
| VAULT_JOB_IMAGE | N/A | Relevant only for init-container mode. If set, deploy the vault-bootstrap Job from this image. |