lrstanley / vault-unseal

auto-unseal utility for Hashicorp Vault
MIT License
226 stars 29 forks

readme contains out of date information #15

Closed Starttoaster closed 2 years ago

Starttoaster commented 2 years ago

🌧 Describe the problem

If you have not, auto-unseal functionality for on-prem is currently only in enterprise

This is not correct anymore. You actually can do auto-unseal in on-prem Vault OSS. But it does require some configuration, and some resources in a cloud provider like GCP/AWS.

I have set up the open source Vault on-prem in kubernetes with auto-unseal configured to use a key and keyring managed in GCP.

To be clear, I still believe this tool has a purpose. I'm actually considering using it over GCP KMS just so I won't also have to maintain some terraform.

⛅ Expected behavior

This text should be updated. The "why" for this kind of a project would now be something more like, "If you want to maintain a Vault cluster on-prem with auto-unseal functionality without relying on any public cloud KMS assets."

🔄 Minimal reproduction

N/A

💠 Version: vault-unseal

master branch

🖥 Version: Operating system

other

⚙ Additional context

N/A


lrstanley commented 2 years ago

Hmm, guess I'm not exactly sure what you mean -- using GCP/AWS/Azure resources for KMS wouldn't actually be on-prem. I.e. there are no on-prem only solutions that I'm aware of, unless you use enterprise, and hardware KMS. If that is correct, then I don't believe that statement is incorrect?

lrstanley commented 2 years ago

Unrelated, but I am also planning on making a helm chart for this at some point, we're in the process of migrating various resources into AWS (previously we couldn't due to compliance).

Starttoaster commented 2 years ago

I guess it really depends on what components you're referring to when you say "on prem."

If you mean the Vault cluster, that is what I'm running on prem. Of course the key management solution exists in public cloud, but that is a function external to Vault. So if your readme is actually saying, "there is no other way to run on-prem Vault with auto unseal where the Vault instances and the key manager are both on prem" then I guess it's technically correct and I misunderstood. In that case, it is in my opinion a bit misleading because I inferred you were actually saying there is no way to have an on-prem OSS Vault server with auto-unseal functionality at all without this tool.

Starttoaster commented 2 years ago

Unrelated, but I am also planning on making a helm chart for this at some point, we're in the process of migrating various resources into AWS (previously we couldn't due to compliance).

That would be cool. I actually already wrote one but I kind of sloppily put together helm charts since I usually expect I will be the only person to see them in my private gitlab group :)

Starttoaster commented 2 years ago

Since it appears you meant something more like "there is no on-prem solution for auto-unseal for on-prem OSS Vault." I'll close this Issue. I don't think it's really important that the readme is more clear on this subject, but the word choice is confusing.

Thanks for the tool! Read through most of the code, pretty neat. Would be cool if there were more notifiers (Slack, Discord, Keybase, etc) but that is wayyyyy out of scope for this Issue.

lrstanley commented 2 years ago

I think since the project is geared towards a "Vault KMS replacement", I personally feel like the readme is still quite clear, but I may go through and clean it up a bit more.

As far as notifications and improvements there, subscribe to this issue -- I do plan to support quite a few more, primarily just waiting for the revamp when I work on the helm chart.

Starttoaster commented 2 years ago

It's extremely clear, depending on whether or not you view the auto-unseal functionality as part of Vault. If you view it as a function decoupled from Vault, it's hard to call it clear tbh.

auto-unseal functionality for on-prem is currently only in enterprise (for cloud, it is now in the OSS version)

This could be read as one of the following:

How I took it -- auto-unseal functionality for on-prem Vault is currently only in enterprise (for cloud, it is now in the OSS version)

or...

How you meant it -- on-prem auto-unseal functionality for on-prem Vault is currently only in enterprise (for cloud, it is now in the OSS version)

Anyway, if you don't see it, no biggy. Just confused me :)

zamazan4ik commented 1 year ago

Excuse me for the necroposting but I found the README also confusing. Now there is an option for the on-prem Vault to implement auto-unseal via Transit Secret Engine with another Vault cluster: https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-transit
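Added example, not part of this issue thread and not code from the vault-unseal project: the Transit-based auto-unseal that zamazan4ik links above, written out as the `seal "transit"` stanza in the server config of the on-prem cluster being unsealed, together with the policy the token in that stanza needs on the second ("unsealer") cluster. This is the on-prem, no-public-cloud-KMS setup the issue's "expected behavior" describes; the GCP KMS variant from the first comment uses a `seal "gcpckms"` stanza instead. Hostnames, file paths, the key name `autounseal`, the node id and the token value are placeholders, not values from the page.

```hcl
# --- file: unsealer-policy.hcl (applied on the UNSEALER cluster) ---------
# The token placed in the seal stanza below should carry only this policy.
# Assumes Transit is mounted at "transit/" and the key is named "autounseal"
# (both placeholders): vault secrets enable transit; vault write -f transit/keys/autounseal
#
# path "transit/encrypt/autounseal" { capabilities = ["update"] }
# path "transit/decrypt/autounseal" { capabilities = ["update"] }

# --- file: /etc/vault.d/vault.hcl (the on-prem cluster being auto-unsealed)
storage "raft" {
  path    = "/opt/vault/data"   # placeholder path
  node_id = "vault-1"           # placeholder node id
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # placeholder
  tls_key_file  = "/etc/vault.d/tls/vault.key"   # placeholder
}

# Transit seal: every unseal of this cluster sends the encrypted root key
# to the unsealer cluster for decryption over TLS.
seal "transit" {
  address         = "https://unsealer.vault.example.internal:8200" # placeholder
  # Prefer supplying the token via the VAULT_TOKEN environment variable
  # rather than in this file; the literal here is a placeholder only.
  token           = "REPLACE_WITH_UNSEALER_TOKEN"
  key_name        = "autounseal"  # placeholder, must match the policy above
  mount_path      = "transit/"
  disable_renewal = "false"       # let Vault renew the unsealer token lease
  tls_ca_cert     = "/etc/vault.d/tls/unsealer-ca.pem"  # placeholder
  tls_skip_verify = "false"       # never disable verification for a seal
}

api_addr     = "https://vault-1.example.internal:8200"  # placeholder
cluster_addr = "https://vault-1.example.internal:8201"  # placeholder
```

Two caveats a practitioner would want before choosing this over a tool like vault-unseal: first, the unsealer cluster has to be unsealed itself, so an outage that seals both clusters still needs a human with Shamir key shares somewhere; second, a cluster already initialized with Shamir keys is moved to this seal with `vault operator unseal -migrate` for each key share after the stanza is added, not by simply restarting with the new config.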

lrstanley commented 1 year ago

Please see the updated readme, and let me know if that's better.