Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kube-nas: setup hashicorp vault #2010

Open
tyriis opened this issue Oct 15, 2023 · 2 comments
Open

kube-nas: setup hashicorp vault #2010

tyriis opened this issue Oct 15, 2023 · 2 comments
Assignees
@jazzlyn
Labels
cluster/kube-nas

Comments

@tyriis
Copy link
Owner

tyriis commented Oct 15, 2023

No description provided.

@jazzlyn jazzlyn self-assigned this Oct 27, 2024
@jazzlyn
Copy link
Collaborator

jazzlyn commented Oct 27, 2024
edited
Loading

Todos

  • vault init
  • vault infra setup (terraform: structure, rbac)
  • vault backup and recovery (cloud bucket)
  • configure snapshot retention
  • data migration

jazzlyn added a commit that referenced this issue Oct 27, 2024
@jazzlyn
feat(vault): setup auto-unseal with gcpckms #2010
e1ef57d
jazzlyn added a commit that referenced this issue Oct 27, 2024
@jazzlyn
fix(vault): remove revokeOnShutdown #2010
4d351f7
jazzlyn added a commit that referenced this issue Oct 27, 2024
@jazzlyn
fix(vault): update sa key #2010
7a20ecb
@tyriis
Copy link
Owner Author

tyriis commented Oct 28, 2024
edited
Loading

backup should be done with tekton to backup the raft storage to a google bucket

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: vault-snapshot-task
spec:
  workspaces:
  - name: output
  steps:
  - name: take-snapshot
    image: vault:1.8.2
    script: |
      #!/usr/bin/env sh
      set -e
      export VAULT_ADDR=http://vault-active.vault.svc.cluster.local:8200
      export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=vault-backup)
      vault operator raft snapshot save /workspace/output/vault-raft.snap
    volumeMounts:
    - name: vault-token
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 7200
          audience: vault

exampple code untested

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jazzlyn jazzlyn

Labels
cluster/kube-nas
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tyriis @jazzlyn