Configure for Auto-Unseal
WARNING: There is currently no way to remove the auto-unseal configuration once it has been set on Charmed Vault. Removing the integration may put Charmed Vault in a bad state which requires manual intervention.
Prerequisites
- A Charmed Vault instance you wish to use as the unsealer. Deployed, initialized, unsealed, and authorized. See Tutorial: Getting started with Vault-K8s or Getting Started: Vault (Machine) if you’re not there yet.
- A second Charmed Vault instance you wish to use as the autounsealed Vault. This instance may already be initialized, unsealed, and authorized, or you may initialize it as part of this process.
1. Integrate the Vault instances
Integrate the autounsealed Vault instance with the unsealer Vault instance.
juju integrate vault-unsealer:vault-autounseal-provides vault-autounsealed:vault-autounseal-requires
2. Configure the Vault CLI to interact with the autounsealed Vault.
export VAULT_ADDR="..."
export VAULT_TOKEN="..."
Now, either follow 2a for an initialized autounsealed Vault instance, or 2b for an uninitialized autounsealed Vault instance.
2a. Migrate the autounsealed Vault instance to auto-unseal
In this step, the Vault instance being migrated is unsealed with its existing manual unseal keys, and its seal configuration is migrated to auto-unseal at the same time. To do this, unseal the Vault instance with the -migrate flag, supplying one unseal key per invocation until the key threshold is reached.
vault operator unseal -migrate ${unseal_key}
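The migration loop as a small shell script. This is an added example and is not part of the Charmed Vault documentation: it submits the existing unseal keys one at a time with -migrate and stops as soon as `vault status` reports the instance unsealed, which is the point at which the key threshold has been met. It assumes VAULT_ADDR and VAULT_TOKEN are already exported; VAULT_BIN is a placeholder variable so the vault command can be substituted (for example with a stub when exercising the script offline).

```shell
#!/bin/sh
# Added example (not from the Charmed Vault docs): step 2a, migrating a manually
# unsealed Vault to auto-unseal by feeding unseal keys with the -migrate flag.
# Assumes VAULT_ADDR/VAULT_TOKEN are exported. VAULT_BIN is a placeholder so the
# vault binary can be swapped for a stub.
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"

# is_sealed: read the "Sealed" row of the `vault status` table. The exit status
# alone is awkward under set -e (vault exits 2 while sealed), so parse the output.
is_sealed() {
  "$VAULT_BIN" status 2>/dev/null | awk '$1 == "Sealed" { print $2 }' | grep -q '^true$'
}

# unseal_migrate KEY...: submit keys with -migrate until Vault reports itself
# unsealed. Prints the number of keys used; fails if the threshold is not reached.
unseal_migrate() {
  used=0
  for key in "$@"; do
    "$VAULT_BIN" operator unseal -migrate "$key" >/dev/null
    used=$((used + 1))
    if ! is_sealed; then
      echo "$used"
      return 0
    fi
  done
  echo "still sealed after $used key(s); not enough keys for the threshold" >&2
  return 1
}

# Usage: unseal_migrate "$KEY1" "$KEY2" "$KEY3"
# (keys from the original `vault operator init` output; stops at the threshold)
```

Keys that are not needed to reach the threshold are never sent, and the script fails loudly rather than leaving the instance half-migrated if too few keys were supplied.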
2b. If not already initialized, initialize and authorize the autounsealed Vault instance
Configure your CLI to interact with the autounsealed Vault instance. See the getting started guide for more information on how to do this. In short, you will need to set the VAULT_ADDR environment variable to the address of the autounsealed Vault instance, and retrieve and set the appropriate CA certificate.
vault operator init
Use the root token to create a temporary token, and authorize the Vault charm with it.
$ vault token create -ttl=10m
Key                  Value
---                  -----
token                hvs.mmMXCLNZ2X7OcqCM38WYDnoX
token_accessor       eXzWoD1ajA5YtNgfopj1DP1r
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]
Create a Juju secret that contains the token above.
$ juju add-secret approle_authorization_token token="hvs.mmMXCLNZ2X7OcqCM38WYDnoX"
secret:cqgj49fmp25c7796r0pg
Grant the secret to the autounsealed Vault, and provide the ID of the secret to the authorize-charm action.
juju grant-secret approle_authorization_token vault-autounsealed
juju run vault-autounsealed/leader authorize-charm secret-id=cqgj49fmp25c7796r0pg
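The whole of step 2b as one script, added here as an example and not taken from the Charmed Vault documentation. It mints the short-lived token, parses the token and the secret ID out of the CLI output instead of copying them by hand, refuses to continue if what it parsed does not look like a Vault service token, and then grants the secret and runs authorize-charm. It assumes vault and juju are on PATH, VAULT_ADDR and VAULT_TOKEN (the root token from `vault operator init`) are exported, and that the application and secret names match the page; all three can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the Charmed Vault docs): step 2b, authorizing the
# auto-unsealed Vault charm with a temporary token stored in a Juju secret.
# Assumes vault and juju on PATH and VAULT_ADDR/VAULT_TOKEN exported.
# APP, SECRET_NAME and TOKEN_TTL default to the values used on the page.
set -eu

APP="${APP:-vault-autounsealed}"
SECRET_NAME="${SECRET_NAME:-approle_authorization_token}"
TOKEN_TTL="${TOKEN_TTL:-10m}"

# parse_token: extract the token value from `vault token create` table output
# (the row whose first column is exactly "token", not token_accessor etc.).
parse_token() {
  awk '$1 == "token" { print $2; exit }'
}

# parse_secret_id: extract the ID from `juju add-secret`, which prints "secret:<id>".
parse_secret_id() {
  sed -n 's/^secret:\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# looks_like_service_token: Vault service tokens start with "hvs."; refuse to hand
# anything else to the charm (guards against having parsed a header or error line).
looks_like_service_token() {
  case "$1" in
    hvs.*) return 0 ;;
    *) return 1 ;;
  esac
}

# authorize_charm: mint the temporary token, store it as a Juju secret, grant it
# to the application and run the authorize-charm action with the secret ID.
authorize_charm() {
  token=$(vault token create -ttl="$TOKEN_TTL" | parse_token)
  looks_like_service_token "$token" || { echo "unexpected token value" >&2; return 1; }

  secret_id=$(juju add-secret "$SECRET_NAME" token="$token" | parse_secret_id)
  [ -n "$secret_id" ] || { echo "could not read secret ID from juju add-secret" >&2; return 1; }

  juju grant-secret "$SECRET_NAME" "$APP"
  juju run "$APP/leader" authorize-charm secret-id="$secret_id"
}

# Run the flow only when invoked as `sh script.sh run`, so sourcing the file
# merely defines the helpers.
if [ "${1:-}" = "run" ]; then
  authorize_charm
fi
```

The token is requested with the same 10 minute TTL as on the page, so even if the Juju secret lingers the credential inside it expires shortly after the action completes.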