sethvargo / vault-init Goto Github PK

Automate the initialization and unsealing of @HashiCorp Vault on @GoogleCloudPlatform

License: Apache License 2.0

Go 95.47% Dockerfile 4.53%

vault-init's Introduction

vault-init

The vault-init service automates the process of initializing and unsealing HashiCorp Vault instances running on Google Cloud Platform.

After vault-init initializes a Vault server it stores master keys and root tokens, encrypted using Google Cloud KMS, to a user defined Google Cloud Storage bucket.

Usage

The vault-init service is designed to be run alongside a Vault server and communicate over local host.

You can download the code and compile the binary with Go. Alternatively, a Docker container is available via the Docker Hub:

$ docker pull sethvargo/vault-init

To use this as part of a Kubernetes Vault Deployment:

containers:
- name: vault-init
  image: registry.hub.docker.com/sethvargo/vault-init:0.1.2
  imagePullPolicy: Always
  env:
  - name: GCS_BUCKET_NAME
    value: my-gcs-bucket
  - name: KMS_KEY_ID
    value: projects/my-project/locations/my-location/cryptoKeys/my-key

Configuration

The vault-init service supports the following environment variables for configuration:

CHECK_INTERVAL ("10s") - The time duration between Vault health checks. Set this to a negative number to unseal once and exit.
GCS_BUCKET_NAME - The Google Cloud Storage Bucket where the Vault master key and root token is stored.
KMS_KEY_ID - The Google Cloud KMS key ID used to encrypt and decrypt the vault master key and root token.
VAULT_SECRET_SHARES (5) - The number of human shares to create.
VAULT_SECRET_THRESHOLD (3) - The number of human shares required to unseal.
VAULT_AUTO_UNSEAL (true) - Use Vault 1.0 native auto-unsealing directly. You must set the seal configuration in Vault's configuration.
VAULT_STORED_SHARES (1) - Number of shares to store on KMS. Only applies to Vault 1.0 native auto-unseal.
VAULT_RECOVERY_SHARES (1) - Number of recovery shares to generate. Only applies to Vault 1.0 native auto-unseal.
VAULT_RECOVERY_THRESHOLD (1) - Number of recovery shares needed to trigger an auto-unseal. Only applies to Vault 1.0 native auto-unseal.
VAULT_SKIP_VERIFY (false) - Disable TLS validation when connecting. Setting to true is highly discouraged.
VAULT_CACERT ("") - Path on disk to the CA file to use for verifying TLS connections to Vault.
VAULT_CAPATH ("") - Path on disk to a directory containing the CAs to use for verifying TLS connections to Vault. VAULT_CACERT takes precedence.
VAULT_TLS_SERVER_NAME ("") - Custom SNI hostname to use when validating TLS connections to Vault.

Example Values

CHECK_INTERVAL="30s"
GCS_BUCKET_NAME="vault-storage"
KMS_KEY_ID="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/key"

IAM & Permissions

The vault-init service uses the official Google Cloud Golang SDK. This means it supports the common ways of providing credentials to GCP.

To use this service, the service account must have the following minimum scope(s):

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/devstorage.read_write

Additionally, the service account must have the following minimum role(s):

roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/storage.objectAdmin OR roles/storage.legacyBucketWriter

For more information on service accounts, please see the Google Cloud Service Accounts documentation.

vault-init's People

Contributors

Stargazers

Watchers

vault-init's Issues

`/etc/ssl/certs/ca-certificates.crt: permission denied` will be fired.

I'm thinking of using vault-init container to use HachiCorpVault in GKE.
I installed vault with Helm and deployed vault-init as a sidecar container.

However, the encryption of the root token fails with the following error.

2020/04/17 06:18:28 Starting the vault-init service...
2020/04/17 06:18:28 Head http://127.0.0.1:8200/v1/sys/health: dial tcp 127.0.0.1:8200: connect: connection refused
2020/04/17 06:18:39 Vault is not initialized.
2020/04/17 06:18:39 Initializing...
2020/04/17 06:18:54 Encrypting unseal keys and the root token...
2020/04/17 06:18:54 Post https://cloudkms.googleapis.com/v1/projects/{xxx}/locations/{xxx}/keyRings/{xxx}/cryptoKeys/vault-init:encrypt?alt=json&prettyPrint=false: x509: failed to load system roots and no roots provided; open /etc/ssl/certs/ca-certificates.crt: permission denied
2020/04/17 06:18:54 Next check in 10s
....

I don't know why I'm getting a permission error in /etc/ssl/certs/ca-certificates.crt, is there a way to deal with it?

helm chart
- https://github.com/hashicorp/vault-helm/archive/v0.5.0.tar.gz
vault-init
- sethvargo/vault-init:1.1.0

Vault init with AWS KMS and Consul

Hi @sethvargo ,

Hope you are doing well!!!

I was trying to configure vault backed by consul where both should be hosted on k8s cluster and using AWS KMS to auto unseal. After searching a lot i landed up on your youtube video and github example(excellent articulation, you made my life easy to understand the whole), using which i was able to run vault in k8s cluster with auto unseal. But initial vault init needs to be done as i implemented vault statefulset without auto vault init. I was going through your GO code base of vault-init where Google storage is used as vault backend along with Google KMS for auto unseal, but since my vault cluster is backed by consul and AWS KMS, hence i was not able use your vault init AS-IS.

I need little help from your side on below:

how this vault init is happening at backend(simple briefing about the whole workflow)
does it feasible with consul and if yes please point me with some examples so that i can achieve the auto vault init as well.

thanks in advance,

regards

it stucks on "http: server gave HTTP response to HTTPS client"

I installed vault with Helmfile and deployed vault-init as a sidecar container.

However, it keeps logging on readinessprobe I guess.

2020/10/01 15:13:38 Starting the vault-init service...
2020/10/01 15:13:38 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:13:48 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:13:58 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:14:08 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:14:18 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:14:28 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:14:38 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:14:48 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:14:58 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:15:08 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client
2020/10/01 15:15:18 Head https://127.0.0.1:8200/v1/sys/health: http: server gave HTTP response to HTTPS client

helm chart
https://github.com/hashicorp/vault-helm/archive/v0.7.0.tar.gz
vault-init
- sethvargo/vault-init:0.1.2
- sethvargo/vault-init:0.1.1
- sethvargo/vault-init:1.1.0

I tried with different versions of vault-init, but no luck.

I can not run exec /bin/sh into vault-init container which is strange after checked it is golang based image.

OCI runtime exec failed: exec failed: container_linux.go:349: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory": unknown command terminated with exit code 126

It fails with ACCESS_TOKEN_SCOPE_INSUFFICIENT"

k logs -n vault vault-0 vault-auto-init        
2022/06/21 20:47:25 Starting the vault-init service...
2022/06/21 20:47:25 Vault is not initialized.
2022/06/21 20:47:25 Initializing...
2022/06/21 20:47:31 Encrypting unseal keys and the root token...
2022/06/21 20:47:32 googleapi: Error 403: Request had insufficient authentication scopes.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "method": "google.cloud.kms.v1.KeyManagementService.Encrypt",
      "service": "cloudkms.googleapis.com"
    },
    "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
  }
]

More details:
Reason: insufficientPermissions, Message: Insufficient Permission

Rotating Key Support

Hi,

I would like to know, would the vault-init container support rotating keys as described here: https://cloud.google.com/kms/docs/rotating-keys or should any special care be taken when enabling key rotation?

TLS verification default changed to enabled by default, but no way to specify CA bundle

It looks like the original code had TLS verification disabled by default and hardcoded. I assume this was due to the expected use case of talking to Vault over a shared network namespace on 127.0.0.1.

Then this changed to configurable via VAULT_INSECURE_TLS_SKIP_VERIFY and the default remained with verification disabled: c3a324b

Next, the env var was renamed to VAULT_SKIP_VERIFY to match the vault cli/lib, and the default was changed to verification enabled: 6bbe8ba

The change of the default makes sense. But it would be nice to have a way to specify the CA bundle. I haven't tried this but I imagine one could volume mount their own CA bundle over one of the expected places used by go's stdlib such as /etc/ssl/cert.pem (https://golang.org/src/crypto/x509/root_linux.go).

Possibly more ideal would be supporting the VAULT_CACERT or VAULT_CAPATH env vars.

Beware: docker tags 0.1.1 and 0.1.2 were overwritten with default behavior changed

We noticed a failure in a weekly acceptance test we run that creates a new instance of Vault, runs some tests, then tears it down. This week's test failed to setup the Vault instance. We tracked the cause down to the 0.1.1 and 0.1.2 tags on Docker Hub having been overwritten with the latest changes. The observed issues that led us here were:

The default skip-TLS-verification was changed from enabled to disabled as described in #9. This led to vault-init being unable to communicate with vault.
Vault auto-unseal was added and set to default. This meant our Vault instance (which has not switched to native auto-unseal) was not unsealed by vault-init.

We were using vault-init:0.1.1. The docker tags for versions 0.1.1 and 0.1.2 on docker hub were overwritten with a new version that had the above two changes in behavior. https://hub.docker.com/r/sethvargo/vault-init/tags

Our fix to return the original behavior:

set VAULT_SKIP_VERIFY=true
set VAULT_AUTO_UNSEAL=false (we'll migrate to auto unseal soon)