Skip to content

Telefonica/vault-helper

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

424 Commits
cmd
cmd
 
 
hack
hack
 
 
pkg
pkg
 
 
vendor
vendor
 
 
.Dockerignore
.Dockerignore
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.goreleaser.yml
.goreleaser.yml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
OWNERS
OWNERS
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
labels.yaml
labels.yaml
 
 
main.go
main.go
 
 

Repository files navigation

Vault Helper

This is tool is designed to automate PKI tasks for Tarmak using Hashicorp's Vault as a backend.

vault-helper is designed to first run setup. This will ensure all CA backends are mounted to the Vault server before applying roles and policies. This process is idempotent.

renew-token ensures that if an init token is present in file, a new token will be generated from that init token. This new token will be stored, deleting the init token. If a token has already been generated, this token will be renewed agaisnt the Vault server.

cert ensures that a private key has been generated and written to file. After which cert will verify stored certificates against Vault. If unsucessful, will issue a Certificate Signing Request to the Vault server using this private key. The responding signed certificate is then stored at the given path.

kubeconfig will apply cert before encoding the certificates and private key into a stored yaml file at the given path.

setup, cert, read and kubeconfig will all apply a renew-token with the given token before continuing if successful.

dev-server is used only to set up a local development evnironment for testing.

vault-helper Usage

Available Commands:
  cert        Create local key to generate a CSR. Call vault with CSR for specified cert role.
  dev-server  Run a vault server in development mode with kubernetes PKI created.
  help        Help about any command
  kubeconfig  Create local key to generate a CSR. Call vault with CSR for specified cert role. Write kubeconfig to yaml file.
  read        Read arbitrary vault path. If no output file specified, output to console.
  renew-token Renew token on vault server.
  setup       Setup kubernetes on a running vault server.
  version     Print the version number of vault-helper.

Flags:
  -h, --help            help for vault-helper
  -l, --log-level int   Set the log level of output. 0-Fatal 1-Info 2-Debug (default 1)

Use "vault-helper [command] --help" for more information about a command.

Vault Environment Variables

vault-helper requires the correct Vault environment variables to be set, for example:

$ export VAULT_ADDR=http://127.0.0.1:8200

Command Examples

setup

$ vault-helper setup cluster-name

renew-token

$ vault-helper renew-token --init_role=cluster-name-master

cert

$ vault-helper cert cluster-name/pki/k8s/sign/kube-apiserver k8s /etc/vault/name

About

Vault helper script

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 93.0%
  • Python 4.5%
  • Makefile 1.6%
  • Other 0.9%