coreos/vault-operator

Name: vault-operator

Owner: CoreOS

Description: Run and manage Vault on Kubernetes simply and securely

Created: 2017-06-07 21:56:36.0

Updated: 2018-05-24 13:12:50.0

Pushed: 2018-04-30 20:05:11.0

Homepage: https://coreos.com/blog/introducing-vault-operator-project

Size: 568

Language: Go


README

Vault Operator

Project status: beta

The basic features have been completed, and while no breaking API changes are currently planned, the API can change in a backwards incompatible way before the project is declared stable.

Overview

The Vault operator deploys and manages Vault clusters on Kubernetes. Vault instances created by the Vault operator are highly available and support automatic failover and upgrade.

Getting Started
Prerequisites
Configuring RBAC

Consult the RBAC guide on how to configure RBAC for the Vault operator.

Deploying the etcd operator

The Vault operator employs the etcd operator to deploy an etcd cluster as the storage backend.

  1. Create the etcd operator Custom Resource Definitions (CRD):

    kubectl create -f example/etcd_crds.yaml
    
  2. Deploy the etcd operator:

    kubectl -n default create -f example/etcd-operator-deploy.yaml
    
Deploying the Vault operator
  1. Create the Vault CRD:

    kubectl create -f example/vault_crd.yaml
    
  2. Deploy the Vault operator:

    kubectl -n default create -f example/deployment.yaml
    
  3. Verify that the operators are running:

    kubectl -n default get deploy
    NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    etcd-operator    1         1         1            1           5m
    vault-operator   1         1         1            1           5m
    
Deploying a Vault cluster

A Vault cluster can be deployed by creating a VaultService Custom Resource (CR). For each Vault cluster the Vault operator will also create an etcd cluster for the storage backend.

  1. Create a Vault CR that deploys a 2-node Vault cluster in high availability mode:

    kubectl -n default create -f example/example_vault.yaml
    
  2. Wait until the example-... pods for the etcd and Vault cluster are up:

    kubectl -n default get pods
    NAME                              READY     STATUS    RESTARTS   AGE
    etcd-operator-78899f87f6-qdn5h    3/3       Running   0          10m
    example-7678c8f49c-kfx2w          1/2       Running   0          2m
    example-7678c8f49c-pqrj8          1/2       Running   0          2m
    example-etcd-7lpjg7n76d           1/1       Running   0          2m
    example-etcd-dhxrksssgx           1/1       Running   0          2m
    example-etcd-s7mzhffz92           1/1       Running   0          2m
    vault-operator-5976f74f84-pxkf6   1/1       Running   0          10m
    
  3. Get the Vault pods:

    kubectl -n default get pods -l app=vault,vault_cluster=example
    NAME                       READY     STATUS    RESTARTS   AGE
    example-7678c8f49c-kfx2w   1/2       Running   0          2m
    example-7678c8f49c-pqrj8   1/2       Running   0          2m
    
  4. Check the Vault CR status:

    kubectl -n default get vault example -o yaml
    apiVersion: vault.security.coreos.com/v1alpha1
    kind: VaultService
    metadata:
      name: example
      namespace: default
      ...
    spec:
      nodes: 2
      version: 0.9.1-0
      ...
    status:
      initialized: false
      phase: Running
      updatedNodes:
      - example-7678c8f49c-kfx2w
      - example-7678c8f49c-pqrj8
      vaultStatus:
        active: ""
        sealed:
        - example-7678c8f49c-kfx2w
        - example-7678c8f49c-pqrj8
        standby: null
      ...

    The Vault CR status shows the cluster is currently uninitialized and sealed.
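Reading that status programmatically, as an added example that is not part of the vault-operator project: the script below takes the same object as JSON (`kubectl get vault example -o json`) and reports whether the cluster is actually usable rather than merely in phase Running. The two sample documents are constructed here to mirror the status above and the state after initialization and unsealing; the `summarize` function and its readiness rule are this example's own.

```python
import json

# Constructed sample, not captured output: the README's status right after the CR
# is created (phase Running, but uninitialized and with every node still sealed).
FRESH_CLUSTER = json.loads("""{
  "apiVersion": "vault.security.coreos.com/v1alpha1", "kind": "VaultService",
  "metadata": {"name": "example", "namespace": "default"},
  "spec": {"nodes": 2, "version": "0.9.1-0"},
  "status": {"initialized": false, "phase": "Running",
             "updatedNodes": ["example-7678c8f49c-kfx2w", "example-7678c8f49c-pqrj8"],
             "vaultStatus": {"active": "", "standby": null,
                             "sealed": ["example-7678c8f49c-kfx2w", "example-7678c8f49c-pqrj8"]}}
}""")

# Constructed sample: the same cluster after initialization and unsealing both nodes.
UNSEALED_CLUSTER = json.loads(json.dumps(FRESH_CLUSTER))
UNSEALED_CLUSTER["status"]["initialized"] = True
UNSEALED_CLUSTER["status"]["vaultStatus"] = {
    "active": "example-7678c8f49c-kfx2w", "sealed": None,
    "standby": ["example-7678c8f49c-pqrj8"]}


def summarize(cr):
    """Readiness report for a VaultService object (kubectl get vault NAME -o json).
    phase == "Running" only says the pods are up; usable means initialized, no
    sealed node, an active node, and all spec.nodes listed in status.updatedNodes."""
    spec, status = cr.get("spec") or {}, cr.get("status") or {}
    vs = status.get("vaultStatus") or {}
    active = vs.get("active") or ""
    sealed = list(vs.get("sealed") or [])  # "sealed: null" means no sealed nodes
    updated = status.get("updatedNodes") or []
    want = int(spec.get("nodes") or 0)
    problems = []
    if not status.get("initialized"):
        problems.append("cluster not initialized")
    if sealed:
        problems.append("sealed node(s): " + ", ".join(sealed))
    elif not active:
        problems.append("no active node")
    if len(updated) < want:
        problems.append(f"{len(updated)}/{want} nodes on spec.version")
    return {"phase": status.get("phase"), "active": active,
            "standby": list(vs.get("standby") or []),
            "ready": not problems, "problems": problems}


if __name__ == "__main__":
    for cr in (FRESH_CLUSTER, UNSEALED_CLUSTER):
        print(json.dumps(summarize(cr), indent=2))
```

Piping real output in is `kubectl -n default get vault example -o json | python3 -c 'import json,sys; from vault_status import summarize; print(summarize(json.load(sys.stdin)))'`, with the file saved as vault_status.py.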

Using the Vault cluster

See the Vault usage guide on how to initialize, unseal, and use the deployed Vault cluster.

Consult the monitoring guide on how to monitor and alert on a Vault cluster with Prometheus.

See the recovery guide on how to back up and restore Vault cluster data using the etcd operator.

For an overview of the default TLS configuration or how to specify custom TLS assets for a Vault cluster see the TLS setup guide.

Uninstalling Vault operator
  1. Delete the Vault custom resource:

    kubectl -n default delete -f example/example_vault.yaml
    
  2. Delete the operators and other resources:

    kubectl -n default delete deploy vault-operator etcd-operator
    kubectl -n default delete -f example/rbac.yaml
    
