vault-helper is designed to first run
setup. This will ensure all CA
backends are mounted to the Vault server before applying roles and policies.
This process is idempotent.
renew-token ensures that if an init token is present in file, a new token will
be generated from that init token. This new token will be stored, deleting the
init token. If a token has already been generated, this token will be renewed
agaisnt the Vault server.
cert ensures that a private key has been generated and written to file. After
cert will verify stored certificates against Vault. If unsucessful, will
issue a Certificate Signing Request to the Vault server using this private key.
The responding signed certificate is then stored at the given path.
kubeconfig will apply
cert before encoding the certificates and private key
into a stored yaml file at the given path.
kubeconfig will all apply a
renew-token with the
given token before continuing if successful.
dev-server is used only to set up a local development evnironment for testing.
Available Commands: cert Create local key to generate a CSR. Call vault with CSR for specified cert role. dev-server Run a vault server in development mode with kubernetes PKI created. help Help about any command kubeconfig Create local key to generate a CSR. Call vault with CSR for specified cert role. Write kubeconfig to yaml file. read Read arbitrary vault path. If no output file specified, output to console. renew-token Renew token on vault server. setup Setup kubernetes on a running vault server. version Print the version number of vault-helper. Flags: -h, --help help for vault-helper -l, --log-level int Set the log level of output. 0-Fatal 1-Info 2-Debug (default 1) Use "vault-helper [command] --help" for more information about a command.
Vault Environment Variables
vault-helper requires the correct Vault environment variables to be set, for example:
$ export VAULT_ADDR=http://127.0.0.1:8200
$ vault-helper setup cluster-name
$ vault-helper renew-token --init_role=cluster-name-master
$ vault-helper cert cluster-name/pki/k8s/sign/kube-apiserver k8s /etc/vault/name