vault-autounseal-operator

Vault operator for managing vault clusters running in Kubernetes. Operator handles:

• automated initialization of new clusters
• automated unsealing of pods in a clusters
• upgrading statefulset pods in graceful manner
• rotating vault pods if TLS certificate is updated

Operator assumes vault is deployed using official Hashicorp Vault helm chart.

Installation

Prerequisites

Vault installed in the cluster. Important parts of the configuration:

• if using ha mode with raft storage retry_join block is configured for auto joining the cluster. .server.standalone is set to false then.

Example configuration (for kind cluster) can be found in manifests/vault-values.yml

Installation using helm

First add helm repository:

helm repo add vault-autounseal-operator https://camaeel.github.io/vault-autounseal-operator
helm repo update

Install:

helm upgrade --install vault-autounseal-operator vault-autounseal-operator/vault-autounseal-operator 

Algorithm:

1. build vault client
2. get pod seal & init status - https://localhost:8200/v1/sys/seal-status
3. if !initialized
   1. check if init secret is not there
   2. sync (create lease or lock)
   3. call sys/initialize
   4. create secret - unseal keys
   5. create secret - root token
4. if sealed
   1. get secret - unseal keys
   2. call sys/unseal

Development

Setting local environment

Create kind cluster (or use any other cluster).

It is easiest to use Makefile run make kind or alternatively

kind create cluster \
  --wait 120s \
  --config manifests/kind-config.yaml

Install preprequisites & vault

Either use attached Makefile: make kind_install

Or do it manually:

1. Add repositories:

   helm repo add cert-manager https://charts.jetstack.io
   helm repo add kong https://charts.konghq.com
   helm repo add hashicorp https://helm.releases.hashicorp.com/
   helm repo update

2. Install cert-manager:

   helm upgrade --install cert-manager cert-manager/cert-manager \
     --namespace cert-manager \
     --create-namespace \
     --set installCRDs=true \
     --wait

3. Install kong ingress controller:

helm upgrade --install kong kong/kong \
  --namespace kong --create-namespace \
  --values manifests/kong-values.yml \
  --wait

4. Install vault:

kubectl create namespace vault || echo 0
kubectl apply -f manifests/certs.yml
helm upgrade --install --namespace vault \
  vault hashicorp/vault \
  --values manifests/vault-values.yml \
  --wait

Install vault-autounseal:

Either with makefile: make helm_install or use:

helm upgrade --install vault-autounseal-operator charts/vault-autounseal-operator -n vault