From 2de840329f5d5d1b617073e98ebf1265a3b88e01 Mon Sep 17 00:00:00 2001
From: Konrad Bucheli
Date: Thu, 3 Mar 2022 14:03:12 +0100
Subject: [PATCH] integrate simple vault transit auto-unseal support

---
 README.md | 40 +++++++++++++++++++++++
 defaults/main.yml | 9 +++++
 templates/vault_main_configuration.hcl.j2 | 12 ++++---
 templates/vault_seal_transit.j2 | 9 +++++
 4 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 templates/vault_seal_transit.j2

diff --git a/README.md b/README.md
index f93c6a6d..7e63338d 100644
--- a/README.md
+++ b/README.md
@@ -1365,6 +1365,46 @@ This feature enabled operators to delegate the unsealing process to AZURE Key Va
 - The key hosted in the Vault in Azure Key Vault
 - Default value: vault_key
 
+## Vault Transit Auto-unseal
+
+This feature enables operators to delegate the unsealing process to another Vault cluster to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters.
+
+### `vault_transit`
+
+- Set to True to enable Vault Transit Auto-Unseal.
+- Default value: false
+
+### `vault_backend_transit`
+
+- Backend seal template filename
+- Default value: `vault_seal_transit.j2`
+
+### `vault_transit_address`
+
+- URL to Vault cluster hosting the key
+- Default value: VAULT_ADDR
+
+### `vault_transit_token`
+
+- Token to access the key
+- Default value: VAULT_TOKEN
+
+### `vault_transit_disable_renewal`
+
+- Disables the automatic renewal of the token
+- Default value: VAULT_TRANSIT_SEAL_DISABLE_RENEWAL or false
+
+### `vault_transit_key_name`
+
+- The transit key to use for encryption and decryption
+- Default value: VAULT_TRANSIT_SEAL_KEY_NAME or `autounseal`
+
+### `vault_transit_mount_path`
+
+- The mount path to the transit secret engine.
+- Default value: VAULT_TRANSIT_SEAL_MOUNT_PATH or `transit/`
+
+
 ## License
 
 BSD-2-Clause
diff --git a/defaults/main.yml b/defaults/main.yml
index d7a1880f..a3c7333c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -312,6 +312,15 @@ vault_gkms_region: 'global'
 vault_gkms_key_ring: 'vault'
 vault_gkms_crypto_key: 'vault_key'
 
+# transit seal
+vault_transit: false
+vault_backend_transit: vault_seal_transit.j2
+vault_transit_address: "{{ lookup('env','VAULT_ADDR') | default('', true) }}"
+vault_transit_token: "{{ lookup('env','VAULT_TOKEN') | default('', true) }}"
+vault_transit_disable_renewal: "{{ lookup('env','VAULT_TRANSIT_SEAL_DISABLE_RENEWAL') | default('false', true) }}"
+vault_transit_key_name: "{{ lookup('env','VAULT_TRANSIT_SEAL_KEY_NAME') | default('autounseal', true) }}"
+vault_transit_mount_path: "{{ lookup('env','VAULT_TRANSIT_SEAL_MOUNT_PATH') | default('transit/', true) }}"
+
 # pkcs11 seal
 vault_enterprise_premium_hsm: false
 # WARNING: the following variable is deprecated as this section will become
diff --git a/templates/vault_main_configuration.hcl.j2 b/templates/vault_main_configuration.hcl.j2
index a8b3a1dc..1f651775 100644
--- a/templates/vault_main_configuration.hcl.j2
+++ b/templates/vault_main_configuration.hcl.j2
@@ -100,15 +100,19 @@ ui = {{ vault_ui | bool | lower }}
 
 {% if vault_entropy_seal | bool -%}
 {% include 'vault_entropy_seal.j2' with context %}
-{% endif %}
+{% endif -%}
 
 {% if vault_enterprise_premium_hsm | bool -%}
 {% include vault_backend_seal with context %}
-{% endif %}
+{% endif -%}
 
 {% if vault_gkms | bool -%}
 {% include vault_backend_gkms with context %}
-{% endif %}
+{% endif -%}
+
+{% if vault_transit | bool -%}
+{% include vault_backend_transit with context %}
+{% endif -%}
 
 {% if vault_telemetry_enabled | bool -%}
 telemetry {
@@ -129,4 +133,4 @@ telemetry {
 
 {% if vault_configure_enterprise_license | bool -%}
 license_path = "{{ vault_license_path }}"
-{% endif -%}
\ No newline at end of file
+{% endif -%}
diff --git a/templates/vault_seal_transit.j2 b/templates/vault_seal_transit.j2
new file mode 100644
index 00000000..6a416948
--- /dev/null
+++ b/templates/vault_seal_transit.j2
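Review bot: `vault_transit_token` defaults to `lookup('env','VAULT_TOKEN')`, which is evaluated on the Ansible controller, so the token rendered into every managed node's seal config is whatever token the operator happened to export for the `vault` CLI — usually a broadly privileged personal or root token, while the seal only needs `update` on the `encrypt/<key>` and `decrypt/<key>` paths of the transit mount. The same controller-side evaluation applies to `vault_transit_address`, so an unset `VAULT_ADDR` silently yields an empty address. A comment above the new block would make the intent and the expectation clear: `# NOTE: these env lookups run on the controller; point VAULT_TOKEN at a token scoped to transit encrypt/decrypt on the auto-unseal key, never a root token`. The README section for `vault_transit_token` should state the same scoping requirement.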
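Review bot: The new `vault_transit` block is a fourth independent `{% if %}` alongside the HSM and GKMS seal includes, so enabling two flags renders two `seal` stanzas into the same configuration, which Vault rejects at startup (at least in the single-seal versions current when this was written, inferred from the other stanzas being mutually exclusive by convention only). A pre-render `assert` in the role, e.g. `that: [vault_enterprise_premium_hsm, vault_gkms, vault_transit] | map('bool') | select | list | length <= 1`, would turn that into an early, readable failure rather than a service that never comes up. The enclosing template continues outside this hunk. The `{% endif %}` → `{% endif -%}` changes in this hunk and the end-of-file newline fix in the second hunk are whitespace only.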
@@ -0,0 +1,9 @@
+seal "transit" {
+ address = "{{ vault_transit_address }}"
+ token = "{{ vault_transit_token }}"
+ {% if (vault_transit_disable_renewal | bool) -%}
+ disable_renewal = "{{ vault_transit_disable_renewal }}"
+ {% endif -%}
+ key_name = "{{ vault_transit_key_name }}"
+ mount_path = "{{ vault_transit_mount_path }}"
+}
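Review bot: `address` and `token` are rendered unconditionally, but both defaults in `defaults/main.yml` fall back to the empty string, so a controller without `VAULT_ADDR`/`VAULT_TOKEN` produces `address = ""` and `token = ""` in the seal stanza instead of letting Vault fall back to its own `VAULT_ADDR`/`VAULT_TOKEN` environment on the server (hedged: whether Vault treats an explicit empty string as unset is not visible here). Guarding each with `{% if vault_transit_token %}` / `{% if vault_transit_address %}` avoids writing a meaningless empty credential and keeps the env-var path usable. Since the stanza puts a long-lived token on disk in plaintext, the template should also carry a comment to that effect — `{# token is written in clear text: scope it to transit encrypt/decrypt on the key and keep the rendered config root-readable only #}` — and `disable_renewal` is only emitted when the value is truthy, so `disable_renewal = "true"` is simpler and avoids rendering Ansible's `True` spelling.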