https://github.com/devops-rob/vault-unsealer
An auto-unseal tool for HashiCorp Vault
Last synced: 10 months ago
- Host: GitHub
- URL: https://github.com/devops-rob/vault-unsealer
- Owner: devops-rob
- Created: 2024-04-05T11:07:40.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-04-05T11:48:41.000Z (almost 2 years ago)
- Last Synced: 2024-04-05T12:38:47.886Z (almost 2 years ago)
- Language: Go
- Size: 9.77 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Vault Unsealer
A tool to implement auto-unsealing of HashiCorp Vault nodes.
_**NOTE: This is designed as a workflow Proof of Concept. Production use of Vault Unsealer is discouraged at present.**_
# Configuration
Vault Unsealer takes a `.json` configuration file with the following configuration parameters:
- `log_level` _(type: string, required: false)_ - Sets the server's log level. Supported values are `trace`, `debug`, `info`, `warn`, and `err`. The default log level is `info`.
- `probe_interval` _(type: int, required: true)_ - The interval, in seconds, between Vault seal status probes.
- `nodes` _(type: []string, required: true)_ - The list of Vault server nodes whose seal status Vault Unsealer manages.
- `unseal_keys` _(type: []string, required: true)_ - The list of Vault unseal keys used to unseal Vault. It must contain at least as many keys as the unseal threshold of your Vault cluster.
**Example Configuration**
```json
{
  "log_level": "debug",
  "probe_interval": 10,
  "nodes": [
    "http://192.168.1.141:8200",
    "http://192.168.1.142:8200",
    "http://192.168.1.143:8200"
  ],
  "unseal_keys": [
    "aa109356340az6f2916894c2e538f7450412056cea4c45b3dd4ae1f9c840befc1a",
    "4948bcfe36834c8e6861f8144672cb804610967c7afb0588cfd03217b4354a8c35",
    "7b5802f21b19s522444e2723a31cb07d5a3de60fbc37d21f918f998018b6e7ce8b"
  ]
}
```
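As an added illustration of how a loader for this configuration can enforce the rules above (this is example code, not code from the vault-unsealer repository): it applies the `info` default, rejects an unknown `log_level` or a non-positive `probe_interval`, and, given the `sealed` and `t` fields of a node's `GET /v1/sys/seal-status` reply, refuses to start an unseal that the configured keys cannot complete. The `ParseConfig` and `KeysToSubmit` names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Config mirrors the JSON configuration described above.
type Config struct {
	LogLevel      string   `json:"log_level"`
	ProbeInterval int      `json:"probe_interval"`
	Nodes         []string `json:"nodes"`
	UnsealKeys    []string `json:"unseal_keys"`
}
var validLogLevels = map[string]bool{
	"trace": true, "debug": true, "info": true, "warn": true, "err": true,
}

// ParseConfig decodes a config document and enforces the documented rules
// (required fields, positive probe_interval, known log_level, default "info").
func ParseConfig(raw []byte) (Config, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	if c.LogLevel == "" {
		c.LogLevel = "info"
	}
	switch {
	case !validLogLevels[c.LogLevel]:
		return c, fmt.Errorf("unsupported log_level %q", c.LogLevel)
	case c.ProbeInterval <= 0:
		return c, fmt.Errorf("probe_interval must be a positive number of seconds")
	case len(c.Nodes) == 0 || len(c.UnsealKeys) == 0:
		return c, fmt.Errorf("nodes and unseal_keys are required")
	}
	return c, nil
}

// KeysToSubmit returns the shares to PUT to /v1/sys/unseal, one per request, given
// a node's "sealed" and "t" (threshold) seal-status fields (hypothetical helper).
func KeysToSubmit(c Config, sealed bool, threshold int) ([]string, error) {
	if !sealed {
		return nil, nil // nothing to do for an unsealed node
	}
	// Never begin an unseal the configured keys cannot finish (README: keys >= threshold).
	if threshold < 1 || threshold > len(c.UnsealKeys) {
		return nil, fmt.Errorf("threshold %d cannot be met with %d configured keys", threshold, len(c.UnsealKeys))
	}
	return c.UnsealKeys[:threshold], nil
}
```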
# Usage
### Docker
```shell
docker run -v $(pwd)/example.json:/app/config.json \
  devopsrob/vault-unsealer:0.1 /app/vault-unsealer
```
### Nomad (Docker Job)
This example stores the unseal keys in encrypted Nomad variables and uses Nomad templating to render the config file.
```hcl
job "vault-unsealer" {
  namespace   = "vault-cluster"
  datacenters = ["dc1"]
  type        = "service"
  node_pool   = "vault-servers"

  group "vault-unsealer" {
    count = 1

    constraint {
      attribute = "${node.class}"
      value     = "vault-servers"
    }

    task "vault-unsealer" {
      driver = "docker"

      config {
        image   = "devopsrob/vault-unsealer:0.2"
        command = "./vault-unsealer"
        volumes = [
          "local/config:/app/config"
        ]
      }

      template {
        data = <