Vault

This feature deploys Vault, a tool for securely managing secrets used in modern computing (e.g. passwords, certificates, API keys).

Enabling Vault

To enable Vault, run the following command:

sunbeam enable vault

Vault units will be in a blocked state after this step.

Initialising Vault

To initialise Vault, run the following command:

sunbeam vault init KEY_SHARES KEY_THRESHOLD

KEY_SHARES - Number of key shares to be generated by Vault

KEY_THRESHOLD - Minimum number of key shares required to unseal Vault

Output of the above command with 5 key shares and a key threshold of 3 looks like:

Unseal keys:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
cccccccccccccccccccccccccccccccccccccccccccc
dddddddddddddddddddddddddddddddddddddddddddd
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Root token: fff.ffffffffffffffffffffffff

It is recommended to store each unseal key and the root token in a separate file
and keep them secure.

Unsealing Vault

To unseal Vault, run the following command:

cat <key file> | sunbeam vault unseal -

Unsealing Vault requires at least KEY_THRESHOLD keys to be provided to Vault,
so the unseal command must be executed KEY_THRESHOLD times, once per key. This
unseals the Vault leader unit.

To unseal the non-leader units, repeat the same sequence of unseal commands.

For example, the process to unseal Vault with 3 units, initialised with
5 key shares and a key threshold of 3, looks like:

Unseal leader unit

Unseal with the first key:

$ cat <aaa.. key file> | sunbeam vault unseal -
Vault unseal operation status: 2 key shares required to unseal

Unseal with the second key:

$ cat <bbb.. key file> | sunbeam vault unseal -
Vault unseal operation status: 1 key shares required to unseal

Unseal with the third key:

$ cat <ccc.. key file> | sunbeam vault unseal -
Vault unseal operation status: completed for leader unit.
Rerun `sunbeam vault unseal` command to unseal non-leader units.

The leader unit is now unsealed, while the non-leader units are still in a sealed state.

Unseal non-leader units

Now repeat the process to unseal the non-leader units.

Unseal with the first key:

$ cat <aaa.. key file> | sunbeam vault unseal -
Vault unseal operation status:
vault/1 : 2 key shares required to unseal
vault/2 : 2 key shares required to unseal

Unseal with the second key:

$ cat <bbb.. key file> | sunbeam vault unseal -
Vault unseal operation status:
vault/1 : 1 key shares required to unseal
vault/2 : 1 key shares required to unseal

Unseal with the third key:

$ cat <ccc.. key file> | sunbeam vault unseal -
Vault unseal operation status: completed

The Vault unsealing process is complete.
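The following script is an added example, not part of the Sunbeam documentation or project. It covers the two recommendations above: it splits the output of `sunbeam vault init` into one owner-only (0600) file per unseal key plus one for the root token, and it then feeds the first KEY_THRESHOLD key files to the unseal command one at a time, once for the leader and once more for the non-leader units. It assumes the init output has exactly the layout shown earlier and that the key directory is readable only by the operator.

```shell
#!/bin/sh
# Added example (not part of the Sunbeam docs or project): store each unseal
# key and the root token from `sunbeam vault init` in its own 0600 file, then
# feed the first KEY_THRESHOLD key files to the unseal command one at a time.
# Assumes the init output has exactly the layout shown above and that KEY_DIR
# is readable only by the operator.

# split_init_output INIT_OUTPUT_FILE KEY_DIR
# Writes KEY_DIR/unseal-key-N (one per key) and KEY_DIR/root-token,
# and prints the number of key files written.
split_init_output() {
    in_file=$1; key_dir=$2
    old_umask=$(umask)
    umask 077                          # new files are owner read/write only
    mkdir -p "$key_dir"
    n=0; in_keys=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "Unseal keys:") in_keys=1 ;;
            "Root token: "*)
                in_keys=0
                printf '%s\n' "${line#Root token: }" > "$key_dir/root-token" ;;
            "") in_keys=0 ;;            # blank line ends the key list
            *)  if [ "$in_keys" -eq 1 ]; then
                    n=$((n + 1))
                    printf '%s\n' "$line" > "$key_dir/unseal-key-$n"
                fi ;;
        esac
    done < "$in_file"
    umask "$old_umask"
    echo "$n"
}

# unseal_round KEY_DIR KEY_THRESHOLD UNSEAL_CMD [ARGS...]
# Runs UNSEAL_CMD once per key, reading key i from KEY_DIR/unseal-key-i;
# run it once for the leader and a second time for the non-leader units.
unseal_round() {
    key_dir=$1; threshold=$2; shift 2
    i=1
    while [ "$i" -le "$threshold" ]; do
        "$@" < "$key_dir/unseal-key-$i" || return 1
        i=$((i + 1))
    done
}

# Real usage, once KEY_DIR holds the files written by split_init_output:
#   unseal_round /root/vault-keys 3 sunbeam vault unseal -   # leader
#   unseal_round /root/vault-keys 3 sunbeam vault unseal -   # non-leaders
```

Reading the key file via stdin redirection is equivalent to the `cat <key file> | sunbeam vault unseal -` form used above, and keeps the key out of the process argument list.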

Authorising Vault charm

To authorise the Vault charm, run the following command:

$ cat <root token file> | sunbeam vault authorize-charm -
Vault charm is authorized.

After about 5 minutes (the update-status-interval), juju status should show all units as active.

$ juju status -m openstack vault
Model      Controller          Cloud/Region               Version  SLA          Timestamp
openstack  sunbeam-controller  immune-drum-k8s/localhost  3.5.4    unsupported  07:12:02Z

SAAS       Status  Store  URL
microceph  active  local  admin/controller.microceph

App    Version  Status   Scale  Charm      Channel      Rev  Address         Exposed  Message
vault           active       3  vault-k8s  1.16/stable  280  10.152.183.222  no

Unit      Workload  Agent  Address       Ports  Message
vault/0*  active    idle   10.1.183.201
vault/1   active    idle   10.1.183.234
vault/2   active    idle   10.1.183.235

Offer                  Application            Charm                     Rev  Connected  Endpoint              Interface             Role
cert-distributor       keystone               keystone-k8s              211  2/2        send-ca-cert          certificate_transfer  provider
certificate-authority  certificate-authority  self-signed-certificates  155  1/1        certificates          tls-certificates      provider
cinder-ceph            cinder-ceph            cinder-ceph-k8s           94   1/1        ceph-access           cinder-ceph-key       provider
keystone-credentials   keystone               keystone-k8s              211  1/1        identity-credentials  keystone-credentials  provider
keystone-endpoints     keystone               keystone-k8s              211  1/1        identity-service      keystone              provider
nova                   nova                   nova-k8s                  106  1/1        nova-service          nova                  provider
ovn-relay              ovn-relay              ovn-relay-k8s             95   1/1        ovsdb-cms-relay       ovsdb-cms             provider
rabbitmq               rabbitmq               rabbitmq-k8s              34   1/1        amqp                  rabbitmq              provider
traefik-rgw            traefik-rgw            traefik-k8s               218  1/1        traefik-route         traefik_route         provider

Vault status

To see the status of Vault, run the following command:

sunbeam vault status

Sample output of the above command looks like:

Unit     Initialized  Sealed
vault/0  True         False
vault/1  True         False
vault/2  True         False

Disabling Vault

To disable Vault, run the following command:

sunbeam disable vault

Caution: Disabling Vault removes it completely from the infrastructure; all secrets stored in it will be lost.