search

bank-vaults / vault-operator

Kubernetes operator for Hashicorp Vault
https://bank-vaults.dev/docs/operator/
Apache License 2.0
63 stars 23 forks source link

More options to configure unsealConfig for transit-unseal #221

Closed Ais8Ooz8 closed 2 months ago

Ais8Ooz8 commented 1 year ago

Preflight Checklist

Problem Description

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

While there is an explicit way for the kv-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-vault-kv-unseal.yaml

  # Describe where you would like to store the Vault unseal keys and root token
  # in seperate remote Vault instance.
  unsealConfig:
    vault:
      address: https://vault:8200 # Remote Address for Vault
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes

We see not very transparent recommendations on how to stop using Kubernetes Secrets — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-transit-unseal.yaml

  # Even if unsealing will be done via the Transit Auto-Unseal flow the root token
  # and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
  # not highly secure, but this is just an example, in production please use one of
  # the KMS based options.
  # unsealConfig:
  # ...

Proposed Solution

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

Alternatives Considered

No response

Additional Information

No response

DrummyFloyd commented 11 months ago

will it be in the roadmap ? or you're still looking at some information with Hashicorp new's licence ?

akijakya commented 11 months ago

Hi @Ais8Ooz8, thanks for considering Bank-Vaults, also sorry for the late reply!

You can specify a different place to store the root token and recovery keys for any Vault custom resource, in the vault-kv-unseal example it is another Vault instance, the default is a Kubernetes secret, but you can (should) use another Vault, Azure, AWS, etc: https://github.com/bank-vaults/vault-operator/blob/b27d76f0f0ae2020c9a14eca0ae85ee13510a495/deploy/crd/bases/vault.banzaicloud.com_vaults.yaml#L1068

csatib02 commented 2 months ago

Answered by: https://github.com/bank-vaults/vault-operator/issues/221#issuecomment-1833548299