opennix/vault-autounseal

Sponsored OSS

By OpenNix Security

Updated almost 2 years ago

HashiCorp Vault auto unseal

Image
0

100K+

opennix/vault-autounseal repository overview

vault-auto-unseal

Disclaimer

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

What for

As you know, Vault provides several mechanisms for auto unsealing. However, sometimes I couldn't use AWS or GCP as the cloud provider. The main idea was to use Kubernetes secrets as the source for auto unsealing.

Tested on

EngineVersionVault mode
kindv1.29.1single/ha
crc2.32.0+54a6f9single
OpenShift4.14.8single/ha
Kubernetesv1.29.1single/ha

Dependencies

  • Kubernetes
  • Python > 3.7

How to use

Checkout source code from the repository

Install dependencies via pip: pip install -r requirements.txt

Setup system environment

Run script python app.py

System environments

NameDescription
VAULT_URLVault server url with port e.g http://127.0.0.1:8200
VAULT_SECRET_SHARESSpecifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares
VAULT_SECRET_THRESHOLDSpecifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.
NAMESPACEKubernetes namespace for storing vault root key and keys
VAULT_ROOT_TOKEN_SECRETKubernetes secret name for root token
VAULT_KEYS_SECRETKubernetes secret name for vault key

Deployment

The solution can be run as docker container or inside Kubernetes

Building docker container

docker build . -t vault-autounseal:latest

or build multiarch docker image:

make docker

or You can pull existing image from DockerHub

docker pull opennix/vault-autounseal
Using helm chart

Helm must be installed to use the charts. Please refer to Helm's documentation to get started.

Once Helm has been set up correctly, add the repo as follows:

helm repo add vault-autounseal https://pytoshka.github.io/vault-autounseal

If you had already added this repo earlier, run helm repo update to retrieve the latest versions of the packages. You can then run helm search repo vault-autounseal to see the charts.

To install the vault-autounseal chart:

helm install vault-autounseal vault-autounseal/vault-autounseal --set=settings.vault_url=http://vault.vault:8200

To uninstall the chart:

helm delete vault-autounseal

Buy Me A Coffee

Tag summary

Content type

Image

Digest

sha256:af6a7e6f9

Size

29.2 MB

Last updated

almost 2 years ago

docker pull opennix/vault-autounseal:main

This week's pulls

Pulls:

158

Last week