Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alantang888/vault_dead_lease_remover
This script is an interim solution for the Vault lease expiration issue. It force-revokes leases that have been expired for more than 1 day (default).
- Host: GitHub
- URL: https://github.com/alantang888/vault_dead_lease_remover
- Owner: alantang888
- Created: 2019-02-01T10:55:23.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2019-02-04T01:10:13.000Z (almost 6 years ago)
- Last Synced: 2023-08-29T15:16:31.666Z (over 1 year ago)
- Topics: interim-solution, vault
- Language: Shell
- Size: 3.91 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
Vault Dead Lease Remover
---
This script is an interim solution for the [vault lease expiration issue]. It force-revokes leases that have been expired for more than 1 day (default). A few parameters can be tuned through environment variables:
- `KILL_SECOND`: How long (in seconds) a lease must have been expired before it is force-revoked. (Default: 86400, which is 1 day)
- `VAULT_ENDPOINT`: Where to connect to Vault; protocol and port are required. (Default: "https://127.0.0.1:8200")
- `DB_CRED_LEASE_PREFIX`: The lease prefix to sweep. (Default: "database/creds", because I use it for DB secret engine leases)
- `X_VAULT_TOKEN`: The Vault token used to call the Vault API. (Default: `NOT DEFINED`.)
- `VAULT_ROLE`: The role name used to log in to Vault with the K8S service account JWT. If not defined, the script does not log in and uses the token from `X_VAULT_TOKEN` directly. (Default: `NOT DEFINED`.)

## Policy in vault:
The policy below grants enough permission to perform lookup and force-revoke.
Assumption:
- Only leases from the DB secret engine are removed. If you change `DB_CRED_LEASE_PREFIX`, you also need to change the paths below.
```hcl
path "sys/leases/revoke-force/database/creds/*" {
  capabilities = ["update", "sudo"]
}

path "sys/leases/lookup/database/creds/*" {
  capabilities = ["list", "update", "sudo"]
}
```

## Example for deploy in K8S cronjob
Here is an example K8S YAML that deploys a K8S CronJob to run this script. (The manifest uses `apiVersion: batch/v1beta1` for the CronJob; that API version was removed in Kubernetes 1.25, so on current clusters use `batch/v1`.)
Assumptions:
- Vault is reachable through a service called `vault` in the `services` namespace.
- Vault already has a policy and role configured for the K8S service account `dead-lease-remover` in the `services` namespace.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dead-lease-remover
  namespace: services
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  labels:
    app: vault-dead-lease-remover
  name: vault-dead-lease-remover
  namespace: services  # must match the ServiceAccount's namespace above
spec:
  failedJobsHistoryLimit: 5
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: vault-dead-lease-remover
        spec:
          containers:
          - name: dead-lease-remover
            image: alantang888/vault_dead_lease_remover:0.2
            imagePullPolicy: Always
            env:
            - name: VAULT_ROLE
              value: dead-lease-remover
            - name: VAULT_ENDPOINT
              value: https://vault.services:8200
            resources:
              limits:
                cpu: 200m
                memory: 256Mi
              requests:
                cpu: 100m
                memory: 128Mi
          restartPolicy: Never
          serviceAccountName: dead-lease-remover
  schedule: "5 22 * * *"
  successfulJobsHistoryLimit: 3
  suspend: false
```

[vault lease expiration issue]: https://github.com/hashicorp/vault/issues/6058
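The README describes what the CronJob's script does (log in with the K8S service account JWT when `VAULT_ROLE` is set, otherwise use `X_VAULT_TOKEN`; walk the leases under `DB_CRED_LEASE_PREFIX`; force-revoke those that have been expired for more than `KILL_SECOND` seconds), but the repository's shell script itself is not reproduced on this page. The following is an added Python example of that sweep, not the project's code. It assumes the Vault HTTP API paths `auth/kubernetes/login`, `sys/leases/lookup` (LIST via `?list=true`, and PUT with a `lease_id` body for the per-lease lookup) and `sys/leases/revoke-force/<lease_id>`, plus the standard in-cluster service account token path; `SAMPLE_LOOKUPS` is constructed data. Note that the per-lease lookup is a PUT to `sys/leases/lookup` itself, so a token taking this approach also needs `update` on that exact path, which the policy above does not grant.

```python
import json
import os
import re
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Vault's expire_time is RFC 3339: optional (nanosecond) fraction, then 'Z' or a UTC offset.
_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def parse_expire_time(value):
    """Convert a Vault expire_time string to integer epoch seconds."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"unrecognised expire_time: {value!r}")
    stamp = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if m.group(2) != "Z":  # shift an offset-local time back to UTC
        sign = 1 if m.group(2)[0] == "+" else -1
        stamp -= timedelta(hours=sign * int(m.group(2)[1:3]), minutes=sign * int(m.group(2)[4:6]))
    return int(stamp.timestamp())

def select_dead_leases(lookups, now, kill_second=86400):
    """Ids of leases (lease_id -> lookup "data") expired more than kill_second seconds before now.
    A null expire_time means the lease never expires, so it is never dead."""
    return [lid for lid, data in lookups.items()
            if data.get("expire_time") and now - parse_expire_time(data["expire_time"]) > kill_second]

class VaultClient:
    def __init__(self, endpoint, token=""):
        self.endpoint, self.token = endpoint.rstrip("/"), token

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.endpoint}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("X-Vault-Token", self.token)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    @classmethod
    def from_kubernetes(cls, endpoint, role, token_path="/var/run/secrets/kubernetes.io/serviceaccount/token"):
        """VAULT_ROLE flow: trade the pod's service account JWT (assumed default path) for a Vault token."""
        with open(token_path) as f:
            jwt = f.read().strip()
        client = cls(endpoint)
        auth = client._request("POST", "auth/kubernetes/login", {"role": role, "jwt": jwt})
        client.token = auth["auth"]["client_token"]
        return client

    def walk_leases(self, prefix):
        """Recursively LIST sys/leases/lookup/<prefix>/; keys ending in '/' are sub-prefixes."""
        stack = [prefix.strip("/") + "/"]
        while stack:
            current = stack.pop()
            try:
                resp = self._request("GET", f"sys/leases/lookup/{current}?list=true")
            except urllib.error.HTTPError as err:
                if err.code != 404:  # 404 is how Vault reports a prefix with no leases
                    raise
                continue
            for key in resp.get("data", {}).get("keys", []):
                if key.endswith("/"):
                    stack.append(current + key)
                else:
                    yield current + key

    def lookup(self, lease_id):
        # PUT sys/leases/lookup needs `update` on that exact path too (not in the README policy).
        return self._request("PUT", "sys/leases/lookup", {"lease_id": lease_id})["data"]

    def revoke_force(self, lease_id):
        # revoke-force is a prefix endpoint; the full lease id matches exactly that lease.
        self._request("PUT", f"sys/leases/revoke-force/{lease_id}")

def sweep(client, prefix, now, kill_second):
    """Look up every lease under prefix, force-revoke the dead ones and return their ids."""
    dead = select_dead_leases({lid: client.lookup(lid) for lid in client.walk_leases(prefix)}, now, kill_second)
    for lid in dead:
        client.revoke_force(lid)
    return dead

SAMPLE_NOW = parse_expire_time("2019-02-05T00:00:00Z")  # constructed sample, judged at this instant
SAMPLE_LOOKUPS = {
    "database/creds/app/aaa": {"expire_time": "2019-02-03T12:00:00.123456789Z"},  # 36 h ago: dead
    "database/creds/app/bbb": {"expire_time": "2019-02-04T06:00:00Z"},  # 18 h ago: keep
    "database/creds/app/ccc": {"expire_time": None},  # never expires: keep
    "database/creds/app/ddd": {"expire_time": "2019-02-03T20:00:00+08:00"},  # 36 h ago: dead
}

if __name__ == "__main__":  # wire the README's environment variables
    endpoint = os.environ.get("VAULT_ENDPOINT", "https://127.0.0.1:8200")
    kill_second = int(os.environ.get("KILL_SECOND", "86400"))
    if os.environ.get("VAULT_ROLE"):  # log in with the K8S service account JWT
        client = VaultClient.from_kubernetes(endpoint, os.environ["VAULT_ROLE"])
    elif os.environ.get("X_VAULT_TOKEN"):  # otherwise use the token directly
        client = VaultClient(endpoint, os.environ["X_VAULT_TOKEN"])
    else:  # no credentials: evaluate the constructed sample instead of calling Vault
        print("dead (sample):", select_dead_leases(SAMPLE_LOOKUPS, SAMPLE_NOW, kill_second))
        raise SystemExit(0)
    now = int(datetime.now(timezone.utc).timestamp())
    print("force-revoked:", sweep(client, os.environ.get("DB_CRED_LEASE_PREFIX", "database/creds"), now, kill_second))
```

Run it with no credentials and it only evaluates the constructed sample; with `VAULT_ROLE` or `X_VAULT_TOKEN` set it performs the real sweep. `expire_time` is parsed by hand and compared in UTC because Vault emits RFC 3339 timestamps with nanosecond fractions and a `Z` suffix, which `datetime.fromisoformat` does not accept on Python versions before 3.11.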