- Launch an Hashicorp vault server in raft mode.
- The default ssl key from /ssl is used if it exists.
- TLS can be disabled by setting "disable_tls" to true :
disable_tls: true
Use the following repository (add it in the add-on store of the supervisor) : https://github.com/tidalf/ha-addons
- You can use the vault_local_config variable (see https://hub.docker.com/_/vault)
- The raft data is stored in /data/vault/raft, it'll be removed if you remove the addon.
- You can change that by using the raft_path setting (it'll probably break the other scripts)
raft_path: /config/vault/raft
- You can enable unsafe auto unseal (it'll store the unseal keys and root token in clear in /data/vault/vault.ini)
unsafe_auto_init: true
- You can enable initial config of the vault: It'll run a terraform config (it can be in changed in /config/vault/terraform)
auto_provision: true
- If you don't use unsafe auto unseal (it stores a token), you can specify a provisioning token (make it short lived)
provision_token_password: a_token
- You can create a default user with an admin policy attached like that:
create_admin_user: true
vault_admin_user: admin
vault_admin_password: some_password
- You can enable auto initialization with gpg/keybase keys:
pgp_keys: 'keybase:exampleuser'
- the encrypted variables are shown in the log (fixme?)
- if you use keybase and no kms autounseal you'll need to unseal manually
export VAULT_ADDR="http(s)://yourinstance:8200"
vault operator unseal [-migrate] $(echo $unsealkey | base64 -d | keybase pgp decrypt)
It's possible to use the AWS KMS service to auto unseal the vault. You'll need to create the kms key and the iam user credentials with correct policy (kms:Encrypt,kms:Decrypt and kms:DescribeKey).
Then you can set the following values:
aws_unseal: true
aws_region: eu-west-1
aws_access_key: *****
aws_secret_key: ******
aws_kms_key_id: ******
If you disable aws kms, you need to set the downgrade variable (at least for the transition) (fixme)
aws_unseal: false
aws_unseal_downgrade: true
Cluster listener addr is set to localhost by default.
Set it to a valid address through 'vault_cluster_addr' then enable the port forward for tcp/8201 (provide a value for the port) (it's untested, no automated setup for multi nodes for now)
It's a bit tricky and those commands need to be exec outside of the addon container:
- Retrieve the needed values from the logs (keys_b64, encoded_root_token and adm.asc)
- Config your local vault client to reach your vault server addon (export VAULT_ADDR=..)
- Unseal the vault using your keybase
- Create a provisioning token
- Set it in the config, restart
- Start the rekeing using a backup
- The script will retrieve the backup using the provisioning token above.
#!/usr/bin/env bash
# $1 is the encrypted unseal key (keys_b64 from the logs)
# $2 is the encrypted root key (encoded_root_token from the logs)
# $3 is the gpg key of the local unsafe storage (adm.asc from the logs)
decrypt () {
echo $1 | base64 -d | keybase pgp decrypt
}
vault operator unseal $(decrypt $1)
vault login $(decrypt $2)
vault token create -ttl=2h
echo "copy this token in the setting \"provision_token_password:\""
echo "and set unsafe_downgrade: true"
echo "then restart the addon, press enter when done"
read a
echo "$3" | base64 -d >> pb2
vault operator unseal $(decrypt $1)
echo "Sleep for elections"
sleep 15
nonce=$(vault operator rekey -format json -pgp-keys=pb2 -key-shares=1 -key-threshold=1 -init -backup | jq -r .nonce)
vault operator rekey -nonce $nonce $(decrypt $1)