hookpick is a tool to manage some operational concepts of Hashicorp Vault, specifically related to the painful process of unsealing, initialising and rekeying Vault.
You provide a configuration file with a map of "datacenters". Each datacenter has a key and an array of hosts. hookpick will perform actions against each of those hosts as you need.
The name comes from a a Hook Pick, a tool used to pick locks. This tool is meant to to "unlock" the administration of Vault. Originally the tool was called locksmith, but it conflicted with locksmith.
It is currently considered Alpha, and may change drastically over time.
Originally, I wrote unseal which was specifically for unsealing a large number of Vault servers. However, it became apparent that operating on large numbers of Vaults is painful, especially when it comes to rekeying.
This tool is aimed at bridging the gap when it comes to administration and operation of large numbers of Vault servers.
Some of the advantages you might gain over using the Vault HTTP API or the standard Vault binary
Currently Unseal has the capability to:
You'll need a configuration file. Unseal uses viper which means it supports JSON, yaml and hcl syntax.
The app will look for the config file in the following directories, in order:
$HOME/.hookpick.yaml.hookpick.yaml (in the directory you're running the binary from)An example configuration file in yaml looks like this:
gpg: true
datacenters:
- hosts:
- name: consulserver-1.example.dc1.com
port: 8200
- name: consulserver-2.example.dc1.com
port: 8200
keys:
- key: <key1>
- key: <key2>
name: dc1
- hosts:
- name: consulserver-1.example.dc2.com
port: 8200
- name: consulserver-2.example.dc2.com
port: 8200
keys:
- key: <key1>
- key: <key2>
name: dc2This can be converted to JSON or HCL as needed. Configuration options available are:
gpg - Boolean - Set to true if you init'd Vault with GPG support enabledcapath - String - The path to a directory containing CA certificates for all Vaultsprotocol - String - The HTTP protocol to use when connecting to vaults (default: https)datacenters - Array of maps - an array of datacenters with nested options
name - String - The name of the datacenterskeys - Array - contains keys:
key - String - The unseal key for that datacenter. Should be base64 encoded if the gpg flag is set to truehosts - Array - contains two config options:
name - String - Hostname of a Vault serverport - Int - The port that Vault server listens onBy default, hookpick will read some environment variables for your configuration. You can find them here
You can use some of these environment variables if you wish when using hookpick.
VAULT_CACERT: Set this to the path of a CA Cert you wish to use to verify the Vault connection. Note, this will use the same CA cert for all VaultsVAULT_CAPATH: An alternative to the above CA Path config option.VAULT_CLIENT_CERT: An SSL client cert to use when connecting to your Vaults. Note, this will use the same cert for all VaultsVAULT_CLIENT_KEY: An SSL client key to use when connecting to your Vaults. Note, this will use the same key for all VaultsVAULT_SKIP_VERIFY: Skip SSL verification. This is not recommended in production use.If you want to contribute, we use Go Modules for dependency management, so it should be as simple as:
$GOPATH/src/github.com/jaxxstorm/hookpickgo get -u from the directorygo mod tidy from the directorygo build -o hookpick main.goIf you want to build the Docker image:
$GOPATH/src/github.com/jaxxstorm/hookpickdocker build -t hookpick . from the directoryYou should have a tiny image hookpick which is less than 5 Mb.
For using it :
.hookpick.yamldocker run -v $(pwd)/.hookpick.yaml:/.hookpick.yaml:ro hookpick statusNota: you can change status by one of the program command. (unseal if omited)