How-to: Configure a Vault for auto-unseal

WARNING: There is currently no way to remove the auto-unseal configuration once it has been set on Charmed Vault. Removing the integration may put Charmed Vault in a bad state which requires manual intervention.

Prerequisites

  1. A Charmed Vault instance you wish to use as the unsealer. It must already be deployed, initialized, unsealed, and authorized. See Tutorial: Getting started with Vault-K8s or Getting Started: Vault (Machine) if you’re not there yet.
  2. A second Charmed Vault instance you wish to use as the autounsealed Vault. This instance may already be initialized, unsealed, and authorized, or you may initialize it as part of this process.

1. Integrate the Vault instances

Integrate the autounsealed Vault instance with the unsealer Vault instance.

juju integrate vault-unsealer:vault-autounseal-provides vault-autounsealed:vault-autounseal-requires

2. Configure the Vault CLI to interact with the autounsealed Vault

export VAULT_ADDR="..."
export VAULT_TOKEN="..."

Now, either follow 2a for an initialized autounsealed Vault instance, or 2b for an uninitialized autounsealed Vault instance.

2a. Migrate the autounsealed Vault instance to auto-unseal

In this step, the Vault instance being migrated is unsealed with its existing manual unseal keys while its seal data is migrated to auto-unseal. To do this, run the unseal command with the -migrate flag, supplying the existing unseal keys (here the shell variable ${unseal_key} stands for one of them).

vault operator unseal -migrate ${unseal_key}

2b. If not already initialized, initialize and authorize the autounsealed Vault instance

Configure your CLI to interact with the autounsealed Vault instance. See the getting started guide for more information on how to do this. In short, you will need to set the VAULT_ADDR environment variable to the address of the autounsealed Vault instance, and retrieve and set the appropriate CA certificate.

vault operator init

Use the root token to create a temporary token, and authorize the Vault charm with it.

$ vault token create -ttl=10m
Key                  Value
---                  -----
token                hvs.mmMXCLNZ2X7OcqCM38WYDnoX
token_accessor       eXzWoD1ajA5YtNgfopj1DP1r
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Create a secret that contains the token above.

$ juju add-secret approle_authorization_token token="hvs.mmMXCLNZ2X7OcqCM38WYDnoX"
secret:cqgj49fmp25c7796r0pg

Grant the secret to the autounsealed Vault, and provide the ID of the secret to the authorize-charm action.

juju grant-secret approle_authorization_token vault-autounsealed
juju run vault-autounsealed/leader authorize-charm secret-id=cqgj49fmp25c7796r0pg
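After either 2a or 2b, it is worth confirming that the autounsealed Vault really is using the unsealer rather than its old Shamir keys. The following check is an added example, not part of the Charmed Vault documentation or charm: it reads the output of `vault status -format=json` (the field names `type`, `sealed` and `migration` are those of Vault's status output) and the two sample status documents embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Charmed Vault docs: check that a Vault node
# reports auto-unseal. Pass it the output of `vault status -format=json`.
# Returns 0 only when the seal type is "transit", the node is unsealed and
# no seal migration is still in progress.

# Extract one scalar field from the flat JSON object `vault status` prints.
# Sufficient for that flat object; this is not a general JSON parser.
json_field() {
  printf '%s\n' "$2" | tr -d '\n' \
    | sed -n "s/.*\"$1\" *: *\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

verify_autounseal() {
  status_json="$1"
  seal_type=$(json_field type "$status_json")
  sealed=$(json_field sealed "$status_json")
  migration=$(json_field migration "$status_json")
  if [ "$seal_type" != "transit" ]; then
    echo "seal type is '$seal_type', expected transit" >&2; return 1
  fi
  if [ "$sealed" != "false" ]; then
    echo "vault is still sealed" >&2; return 1
  fi
  if [ "$migration" = "true" ]; then
    echo "seal migration still in progress" >&2; return 1
  fi
  echo "auto-unseal active: seal type transit, node unsealed"
  return 0
}

# Constructed sample status documents (not captured from a real node).
MIGRATED='{"type":"transit","initialized":true,"sealed":false,"t":0,"n":0,"progress":0,"nonce":"","version":"1.15.0","migration":false,"recovery_seal":true}'
NOT_MIGRATED='{"type":"shamir","initialized":true,"sealed":true,"t":3,"n":5,"progress":1,"nonce":"","version":"1.15.0","migration":true,"recovery_seal":false}'

# Against a live node: verify_autounseal "$(vault status -format=json)"
```

A Vault that still reports seal type shamir after step 2a has not completed the migration; re-run the -migrate unseal with the remaining keys before relying on the unsealer.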