This Kubernetes operator automates the unseal process of your HashiCorp Vault clusters or instances, driven by a small configuration file and a Kubernetes secret holding the unseal keys.

You need to have:
- An operational Kubernetes cluster
- A HashiCorp Vault cluster or instance
- The kubectl binary
- Deploy the latest operator release via the `bundle` file:

  ```shell
  kubectl apply -f https://raw.githubusercontent.com/aamoyel/vault-unsealer-operator/main/deploy/bundle.yml
  ```
- First, create the secret holding your threshold unseal keys (an example file is provided with the project). For example:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: thresholdkeys
  type: Opaque
  stringData:
    key1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    key2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ```

  Apply this file with `kubectl`.
- (Optional) If you have your own PKI and CA certificate, create a secret for it (an example file is provided with the project) like this:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: cacertificate
  type: Opaque
  stringData:
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      .....................................
      -----END CERTIFICATE-----
  ```

  Apply this file with `kubectl`.
- Now create your `Unseal` configuration and set its fields for your environment:

  ```yaml
  apiVersion: unsealer.amoyel.fr/v1alpha1
  kind: Unseal
  metadata:
    name: unseal-sample
  spec:
    vaultNodes:
      - https://vault-cluster-node-url-1:8200
      - https://vault-cluster-node-url-2:8200
      - https://vault-cluster-node-url-3:8200
    thresholdKeysSecret: thresholdkeys
    # Optional, but important if you have an internal PKI for your Vault certificate.
    # The secret needs to be in the same namespace as this resource.
    caCertSecret: cacertificate
    # Optional, set this parameter to true if you want to skip TLS certificate verification
    tlsSkipVerify: false
    # Optional
    retryCount: 3
  ```

  Apply this file with `kubectl`.
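As an added example that is not part of the operator's own code, the following Go program checks an `Unseal` manifest before it is applied, flagging the settings the comments in the sample call out: node URLs that are not `https` (the unseal key shares are sent to each node over that connection), `tlsSkipVerify` set to `true`, and a `caCertSecret` that is pointless while verification is disabled. The struct fields only mirror the sample above (the operator's real Go types are not shown here), the manifest is fed in as JSON because `kubectl` accepts JSON as well as YAML and the Go standard library has no YAML parser, and the rule that `caCertSecret` has no effect under `tlsSkipVerify: true` is an assumption of this example, not documented operator behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// UnsealSpec mirrors the spec fields of the README's sample manifest.
// Hypothetical: the operator's own Go types are not on the page.
type UnsealSpec struct {
	VaultNodes          []string `json:"vaultNodes"`
	ThresholdKeysSecret string   `json:"thresholdKeysSecret"`
	CACertSecret        string   `json:"caCertSecret,omitempty"`
	TLSSkipVerify       bool     `json:"tlsSkipVerify,omitempty"`
	RetryCount          int      `json:"retryCount,omitempty"`
}

// Unseal is the top-level object; metadata is reduced to name and namespace.
type Unseal struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
	Spec UnsealSpec `json:"spec"`
}

// ValidateUnseal parses a JSON-encoded Unseal manifest and returns one
// message per problem found. An empty slice means every check passed.
func ValidateUnseal(doc []byte) []string {
	var u Unseal
	if err := json.Unmarshal(doc, &u); err != nil {
		return []string{"manifest does not parse: " + err.Error()}
	}
	var problems []string
	if u.APIVersion != "unsealer.amoyel.fr/v1alpha1" || u.Kind != "Unseal" {
		problems = append(problems, fmt.Sprintf("unexpected apiVersion/kind %q/%q", u.APIVersion, u.Kind))
	}
	if u.Metadata.Name == "" {
		problems = append(problems, "metadata.name is required")
	}
	if len(u.Spec.VaultNodes) == 0 {
		problems = append(problems, "spec.vaultNodes must list at least one Vault node")
	}
	for _, n := range u.Spec.VaultNodes {
		parsed, err := url.Parse(n)
		if err != nil || parsed.Host == "" {
			problems = append(problems, fmt.Sprintf("spec.vaultNodes: %q is not a valid URL", n))
			continue
		}
		// Unseal key shares are submitted to each node over this connection,
		// so anything other than https exposes them on the wire.
		if parsed.Scheme != "https" {
			problems = append(problems, fmt.Sprintf("spec.vaultNodes: %q is not https", n))
		}
	}
	if u.Spec.ThresholdKeysSecret == "" {
		problems = append(problems, "spec.thresholdKeysSecret is required")
	}
	if u.Spec.TLSSkipVerify {
		// With verification disabled the operator would hand key shares to any
		// endpoint presenting a certificate; an internal CA belongs in caCertSecret.
		problems = append(problems, "spec.tlsSkipVerify is true: prefer caCertSecret with your CA certificate")
		if u.Spec.CACertSecret != "" {
			// Assumption of this example: the CA is unused when verification is off.
			problems = append(problems, "spec.caCertSecret is set but tlsSkipVerify disables the verification it serves")
		}
	}
	if u.Spec.RetryCount < 0 {
		problems = append(problems, "spec.retryCount must not be negative")
	}
	return problems
}

// Constructed sample: the README's manifest in JSON form.
const goodManifest = `{"apiVersion":"unsealer.amoyel.fr/v1alpha1","kind":"Unseal",
 "metadata":{"name":"unseal-sample"},
 "spec":{"vaultNodes":["https://vault-cluster-node-url-1:8200","https://vault-cluster-node-url-2:8200",
 "https://vault-cluster-node-url-3:8200"],"thresholdKeysSecret":"thresholdkeys",
 "caCertSecret":"cacertificate","tlsSkipVerify":false,"retryCount":3}}`

// Constructed sample: one plain-http node and TLS verification switched off.
const weakManifest = `{"apiVersion":"unsealer.amoyel.fr/v1alpha1","kind":"Unseal",
 "metadata":{"name":"unseal-weak"},
 "spec":{"vaultNodes":["http://vault-0.vault.svc:8200","https://vault-1.vault.svc:8200"],
 "thresholdKeysSecret":"thresholdkeys","caCertSecret":"cacertificate","tlsSkipVerify":true}}`

func main() {
	for _, s := range []struct{ name, doc string }{{"good", goodManifest}, {"weak", weakManifest}} {
		probs := ValidateUnseal([]byte(s.doc))
		fmt.Printf("%s: %d problem(s)\n", s.name, len(probs))
		for _, p := range probs {
			fmt.Println("  -", p)
		}
	}
}
```

Running it reports no problems for the README's sample and three for the weak variant (the `http` node, `tlsSkipVerify`, and the ignored `caCertSecret`); the same function could sit behind a validating admission webhook so that a misconfigured `Unseal` object is rejected at `kubectl apply` time.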
You can create issues on this project if you have any problems or suggestions.
Distributed under the Apache-2.0 license. See LICENSE.txt for more information.
Alan Amoyel - @AlanAmoyel
Project Link: https://github.com/aamoyel/vault-unsealer-operator