This repository has been archived by the owner on Jun 3, 2024. It is now read-only.

Add capability to state Environment variable, Exp for skip TLS #2

Merged: 5 commits, Oct 31, 2022

Conversation

ranggasama
Contributor

Add capability to state environment variables.
For example, for skipping TLS when using a custom self-signed certificate that was created manually or via external tools like cert-manager.

@camaeel
Owner

camaeel commented Oct 30, 2022

Hi!
Thanks for providing this MR, but I'm a bit confused about what the outcome would be. This vault-autounseal tool doesn't support passing configuration by environment variables. All the configuration has to be (at least for now) passed as flags to the command. They are controlled using the .Values.settings map. This was just fixed in version 1.0.4 of this helm chart: https://github.com/camaeel/vault-k8s-helper/releases/tag/vault-autounseal-1.0.4

Currently, skipping the certificate check is not supported by the tool, as I use it with the other tool from this repository, vault-cert-generator, to generate certificates signed by the Kubernetes CA. They are internally trusted in the cluster and don't need to be "skipped". For exposing the Vault instance to the outside (of the cluster) I use an ingress which has a certificate managed by cert-manager and signed by some globally trusted authority (for example Let's Encrypt).

It should be possible to implement a flag to skip certificate validity verification in the vault-autounseal application, but this could lower the overall security of the solution. If this is what you really need, then please either provide a PR implementing support for it in the golang app or create an issue with a feature request for such an option.

@ranggasama
Contributor Author

Hi, thanks for the response.
Really appreciate your work here. In our case, we have an internal self-signed CA that was used for signing certificates for apps in our cluster (including Vault), but unfortunately vault-autounseal has not been able to call the Vault API (unknown authority). But then, when I set the environment variable VAULT_SKIP_VERIFY="true", your app can read the variable and skip the TLS verification.

Unfortunately, I'm not very familiar with golang, and since setting the env variable does the same trick, we will just use that for the time being. I know it's not best practice, but the quick solution for our case is to implement that.

Anyway, thanks for the new version, will try it ASAP, since setting the unlock-shares & unlock-threshold params in v1.0.3 doesn't seem to work. Sorry for my English 🙏🏻

@camaeel
Owner

camaeel commented Oct 31, 2022

If it works, then this is a hidden, undocumented (yet) feature of the app. Probably this env variable is supported by the vault client library. I'll check that.
Then it makes sense to apply this merge request. I'll try to review it this week.

@camaeel
Owner

camaeel commented Oct 31, 2022

This is supported by the vault client library: https://github.com/hashicorp/vault/blob/api/v1.8.2/api/client.go#L399
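To make the behaviour discussed in this thread concrete, here is an added example (not code from this repository or from the HashiCorp client library) that reimplements, with the Go standard library only, the two settings the client library reads from the environment: VAULT_CACERT, a path to a PEM bundle for the internal CA, and VAULT_SKIP_VERIFY. It shows why the owner's preferred route (trusting the internal CA) keeps verification on, while VAULT_SKIP_VERIFY turns it off entirely. The type and function names (TLSSettings, BuildTLSConfig, SettingsFromEnv, Describe, SelfSignedCAPEM) are this example's own; the self-signed CA is generated in memory as a constructed stand-in for the cluster's internal CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strconv"
	"time"
)

// TLSSettings is a hypothetical model of the two environment variables
// discussed in the thread. CACertPEM holds the contents of the file named by
// VAULT_CACERT (nil if unset); SkipVerify holds the raw VAULT_SKIP_VERIFY value.
type TLSSettings struct {
	CACertPEM  []byte
	SkipVerify string
}

// BuildTLSConfig turns the settings into a *tls.Config. A CA bundle keeps
// verification on (the server chain must chain to that CA); VAULT_SKIP_VERIFY
// disables verification only when it parses as a boolean true.
func BuildTLSConfig(s TLSSettings) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(s.CACertPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(s.CACertPEM) {
			return nil, errors.New("VAULT_CACERT: no PEM certificates found")
		}
		cfg.RootCAs = pool
	}
	if s.SkipVerify != "" {
		skip, err := strconv.ParseBool(s.SkipVerify)
		if err != nil {
			return nil, fmt.Errorf("VAULT_SKIP_VERIFY: %w", err)
		}
		cfg.InsecureSkipVerify = skip
	}
	return cfg, nil
}

// SettingsFromEnv reads the variables the way a container started by the
// chart's env block would see them.
func SettingsFromEnv() (TLSSettings, error) {
	s := TLSSettings{SkipVerify: os.Getenv("VAULT_SKIP_VERIFY")}
	if path := os.Getenv("VAULT_CACERT"); path != "" {
		data, err := os.ReadFile(path)
		if err != nil {
			return s, fmt.Errorf("VAULT_CACERT: %w", err)
		}
		s.CACertPEM = data
	}
	return s, nil
}

// Describe summarises what the resulting config will do, for logging at startup.
func Describe(cfg *tls.Config) string {
	switch {
	case cfg.InsecureSkipVerify:
		return "certificate verification disabled"
	case cfg.RootCAs != nil:
		return "verifying against the VAULT_CACERT bundle"
	default:
		return "verifying against system roots"
	}
}

// SelfSignedCAPEM builds a throwaway self-signed CA in memory (constructed
// sample data) so the example runs offline without a real cluster CA.
func SelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-internal-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	s, err := SettingsFromEnv()
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	cfg, err := BuildTLSConfig(s)
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	fmt.Println(Describe(cfg))
}
```

Run it with VAULT_CACERT pointing at the internal CA's PEM file and verification stays enabled against that CA, which is the outcome the chart's env block makes possible without weakening anything; setting VAULT_SKIP_VERIFY=true instead makes Describe report that verification is off, and a value that is not a Go boolean literal (for example "yes") is rejected rather than silently ignored.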
