Skip to content
Vault helper script
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Vault Helper

This is tool is designed to automate PKI tasks for Tarmak using Hashicorp's Vault as a backend.

vault-helper is designed to first run setup. This will ensure all CA backends are mounted to the Vault server before applying roles and policies. This process is idempotent.

renew-token ensures that if an init token is present in file, a new token will be generated from that init token. This new token will be stored, deleting the init token. If a token has already been generated, this token will be renewed agaisnt the Vault server.

cert ensures that a private key has been generated and written to file. After which cert will verify stored certificates against Vault. If unsucessful, will issue a Certificate Signing Request to the Vault server using this private key. The responding signed certificate is then stored at the given path.

kubeconfig will apply cert before encoding the certificates and private key into a stored yaml file at the given path.

setup, cert, read and kubeconfig will all apply a renew-token with the given token before continuing if successful.

dev-server is used only to set up a local development evnironment for testing.

vault-helper Usage

Available Commands:
  cert        Create local key to generate a CSR. Call vault with CSR for specified cert role.
  dev-server  Run a vault server in development mode with kubernetes PKI created.
  help        Help about any command
  kubeconfig  Create local key to generate a CSR. Call vault with CSR for specified cert role. Write kubeconfig to yaml file.
  read        Read arbitrary vault path. If no output file specified, output to console.
  renew-token Renew token on vault server.
  setup       Setup kubernetes on a running vault server.
  version     Print the version number of vault-helper.

  -h, --help            help for vault-helper
  -l, --log-level int   Set the log level of output. 0-Fatal 1-Info 2-Debug (default 1)

Use "vault-helper [command] --help" for more information about a command.

Vault Environment Variables

vault-helper requires the correct Vault environment variables to be set, for example:

$ export VAULT_ADDR=

Command Examples


$ vault-helper setup cluster-name


$ vault-helper renew-token --init_role=cluster-name-master


$ vault-helper cert cluster-name/pki/k8s/sign/kube-apiserver k8s /etc/vault/name
You can’t perform that action at this time.