Vault

  • Canonical Telco
Channel Revision Published Runs on
latest/edge 89 31 Jan 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 9 27 Jan 2023
Ubuntu 22.04 Ubuntu 20.04
1.16/stable 280 04 Oct 2024
Ubuntu 22.04
1.16/candidate 280 04 Oct 2024
Ubuntu 22.04
1.16/beta 280 04 Oct 2024
Ubuntu 22.04
1.16/edge 291 19 Nov 2024
Ubuntu 22.04
1.15/stable 248 24 Jul 2024
Ubuntu 22.04
1.15/candidate 248 24 Jul 2024
Ubuntu 22.04
1.15/beta 248 24 Jul 2024
Ubuntu 22.04
1.15/edge 248 10 Jul 2024
Ubuntu 22.04
juju deploy vault-k8s --channel 1.16/candidate
Show information

Platform:

Configure for Auto-Unseal

WARNING: There is currently no way to remove the auto-unseal configuration once it has been set on Charmed Vault. Removing the integration may put Charmed Vault in a bad state which requires manual intervention.

Prerequisites

  1. A Charmed Vault instance you wish to use as the unsealer. Deployed, initialized, unsealed, and authorized. See Tutorial: Getting started with Vault-K8s or Getting Started: Vault (Machine) if you’re not there yet.
  2. A second Charmed Vault instance you wish to use as the autounsealed Vault. This instance may already be initialized, unsealed, and authorized, or you may initialize it as part of this process.

1. Integrate the Vault instances

Integrate the autounsealed Vault instance with the unsealer Vault instance.

juju integrate vault-unsealer:vault-autounseal-provides vault-autounsealed:vault-autounseal-requires

2. Configure the Vault CLI to interact with the autounsealed Vault.

export VAULT_ADDR="..."
export VAULT_TOKEN="..."

Now, either follow 2a for an initialized autounsealed Vault instance, or 2b for an uninitialized autounsealed Vault instance.

2a. Migrate the autounsealed Vault instance to auto-unseal

In this step, the Vault instance being migrated needs to be unsealed with the existing manual unseal keys, and migrate its data to auto-unseal. To do this, unseal the Vault instance with the -migrate flag.

vault operator unseal -migrate ${token}

2b. If not already initialized, initialize and authorize the autounsealed Vault instance

Configure your CLI to interact with the autounsealed Vault instance. See the getting started guide for more information on how to do this. In short, you will need to set the VAULT_ADDR environment variable to the address of the autounsealed Vault instance, and retrieve and set the appropriate CA certificate.

vault operator init

Use the root token to create a temporary token, and authorize the Vault charm with it.

$ vault token create -ttl=10m
Key                  Value
---                  -----
token                hvs.mmMXCLNZ2X7OcqCM38WYDnoX
token_accessor       eXzWoD1ajA5YtNgfopj1DP1r
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Create a secret that contains the token above

$ juju add-secret approle_authorization_token token="hvs.mmMXCLNZ2X7OcqCM38WYDnoX"
secret:cqgj49fmp25c7796r0pg

Grant the secret to the autounsealed vault, and provide the ID of the secret to the authorize-charm action.

juju grant-secret approle_authorization_token vault-autounsealed
juju run vault-autounsealed/leader authorize-charm secret-id=cqgj49fmp25c7796r0pg

Help improve this document in the forum (guidelines). Last updated 2 months ago.