This feature deploys Vault, a tool for securely managing secrets used in modern computing (e.g. passwords, certificates, API keys).
## Enabling Vault

To enable Vault, run the following command:

```bash
sunbeam enable vault
```

The Vault units will be in the blocked state after this step.

## Initialising Vault

To initialise Vault, run the following command:

```bash
sunbeam vault init KEY_SHARES KEY_THRESHOLD
```

- `KEY_SHARES` - Number of key shares to be generated by Vault
- `KEY_THRESHOLD` - Minimum number of key shares that must be provided to unseal Vault

The output of the above command with 5 key shares and a key threshold of 3 looks like:

```text
Unseal keys:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
cccccccccccccccccccccccccccccccccccccccccccc
dddddddddddddddddddddddddddddddddddddddddddd
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Root token: fff.ffffffffffffffffffffffff
```

It is recommended to store each of the unseal keys and the root token in separate files and keep them secure.
## Unsealing Vault

To unseal Vault, run the following command:

```bash
cat <key file> | sunbeam vault unseal -
```

Unsealing the Vault requires at least KEY_THRESHOLD keys to be provided to Vault, so the unseal command must be executed KEY_THRESHOLD times. This unseals the Vault leader unit.

To unseal the non-leader units, repeat the unseal commands again.

For example, the process to unseal a Vault with 3 units, initialised with 5 key shares and a key threshold of 3, looks like:

### Unseal the leader unit

Unseal with the first key:

```text
$ cat <aaa.. key file> | sunbeam vault unseal -
Vault unseal operation status: 2 key shares required to unseal
```

Unseal with the second key:

```text
$ cat <bbb.. key file> | sunbeam vault unseal -
Vault unseal operation status: 1 key shares required to unseal
```

Unseal with the third key:

```text
$ cat <ccc.. key file> | sunbeam vault unseal -
Vault unseal operation status: completed for leader unit.
Rerun `sunbeam vault unseal` command to unseal non-leader units.
```

The leader unit is now unsealed and the non-leader units are still sealed.

### Unseal the non-leader units

Now repeat the process to unseal the non-leader units.

Unseal with the first key:

```text
$ cat <aaa.. key file> | sunbeam vault unseal -
Vault unseal operation status:
vault/1 : 2 key shares required to unseal
vault/2 : 2 key shares required to unseal
```

Unseal with the second key:

```text
$ cat <bbb.. key file> | sunbeam vault unseal -
Vault unseal operation status:
vault/1 : 1 key shares required to unseal
vault/2 : 1 key shares required to unseal
```

Unseal with the third key:

```text
$ cat <ccc.. key file> | sunbeam vault unseal -
Vault unseal operation status: completed
```

The Vault unsealing process is now complete.
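The unseal procedure above, scripted as an added example (not part of the Sunbeam project's code): it pipes one key file per round into `sunbeam vault unseal -`, parses the status text shown above to decide when a round is complete, and runs a second round for the non-leader units. It assumes `sunbeam` is on `PATH`; the key file names such as `aaa.key` are placeholders.

```shell
#!/bin/sh
# Added example, not Sunbeam project code. Drives the unseal procedure with
# one unseal key per file, as recommended above. Assumes `sunbeam` is on PATH.
set -eu

# Largest number of key shares any unit still needs, parsed from the status
# text that `sunbeam vault unseal` prints (0 once the round has completed).
shares_remaining() {
    max=0
    while IFS= read -r line; do
        case "$line" in
            *" key shares required to unseal"*)
                rest=${line%% key shares required to unseal*}
                n=${rest##* }                      # token before the phrase
                case "$n" in ''|*[!0-9]*) continue ;; esac
                if [ "$n" -gt "$max" ]; then max=$n; fi
                ;;
        esac
    done <<EOF
$1
EOF
    echo "$max"
}

# Feed key files to `sunbeam vault unseal -` one at a time, stopping as soon
# as no unit reports outstanding shares. Returns 1 when the keys run out,
# i.e. fewer than KEY_THRESHOLD usable keys were given.
unseal_round() {
    for keyfile in "$@"; do
        out=$(sunbeam vault unseal - < "$keyfile")
        printf '%s\n' "$out"
        if [ "$(shares_remaining "$out")" -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# The procedure above: one round unseals the leader unit, a second round
# with the same keys unseals the non-leader units.
unseal_cluster() {
    unseal_round "$@" && unseal_round "$@"
}

# Usage: ./unseal.sh aaa.key bbb.key ccc.key   (KEY_THRESHOLD key files)
if [ "$#" -gt 0 ]; then
    unseal_cluster "$@"
fi
```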
## Authorising the Vault charm

To authorise the Vault charm, run the following command:

```text
$ cat <root token file> | sunbeam vault authorize-charm -
Vault charm is authorized.
```

After 5 minutes (the update-status-interval), `juju status` should show all units as active:

```text
$ juju status -m openstack vault
Model Controller Cloud/Region Version SLA Timestamp
openstack sunbeam-controller immune-drum-k8s/localhost 3.5.4 unsupported 07:12:02Z
SAAS Status Store URL
microceph active local admin/controller.microceph
App Version Status Scale Charm Channel Rev Address Exposed Message
vault active 3 vault-k8s 1.16/stable 280 10.152.183.222 no
Unit Workload Agent Address Ports Message
vault/0* active idle 10.1.183.201
vault/1 active idle 10.1.183.234
vault/2 active idle 10.1.183.235
Offer Application Charm Rev Connected Endpoint Interface Role
cert-distributor keystone keystone-k8s 211 2/2 send-ca-cert certificate_transfer provider
certificate-authority certificate-authority self-signed-certificates 155 1/1 certificates tls-certificates provider
cinder-ceph cinder-ceph cinder-ceph-k8s 94 1/1 ceph-access cinder-ceph-key provider
keystone-credentials keystone keystone-k8s 211 1/1 identity-credentials keystone-credentials provider
keystone-endpoints keystone keystone-k8s 211 1/1 identity-service keystone provider
nova nova nova-k8s 106 1/1 nova-service nova provider
ovn-relay ovn-relay ovn-relay-k8s 95 1/1 ovsdb-cms-relay ovsdb-cms provider
rabbitmq rabbitmq rabbitmq-k8s 34 1/1 amqp rabbitmq provider
traefik-rgw traefik-rgw traefik-k8s 218 1/1 traefik-route traefik_route provider
```
## Vault status

To see the status of Vault, run the following command:

```bash
sunbeam vault status
```

Sample output of the above command looks like:

| Unit | Initialized | Sealed |
|---|---|---|
| vault/0 | True | False |
| vault/1 | True | False |
| vault/2 | True | False |

## Disabling Vault

To disable Vault, run the following command:

```bash
sunbeam disable vault
```

Caution: Disabling Vault will completely remove it from the infrastructure, and all secrets will be lost.