Introducing KubeVault v2022.09.09

We are very excited to announce the release of KubeVault v2022.09.09 Edition. The KubeVault?v2022.09.09?contains numerous improvements from?KubeVault Operator?&?CLI?end. It includes features for managing Day-2 lifecycle of Vault including Vault?Ops-request,?Recommendation?generation for managing Vault TLS, updated?Health Checker,?KubeVault CLI, support for?Pod Disruption Budget, etc. for Vault Cluster.

• Install KubeVault

KubeVault?is a Kubernetes operator for?HashiCorp Vault. The Vault is a tool for secrets management, encryption as a service, and privileged access management. The KubeVault operator makes it easy to deploy, maintain and manage Vault servers in Kubernetes. It also supports various secret engines management, policy management in the Kubernetes native way.

In this post, we are going to highlight the major changes. You can find the complete commit by commit changelog?here.

Vault Ops-requests

Managing Day-2 lifecycle of?Vault?is now even easier with newly added Vault?Ops-requests. This is convenient for managing/reconfiguring TLS for your Vault deployment. Now, it’s very easy to add, remove, reconfigure, rotate, etc. Vault TLS at your will.

Here’s a simple example of type?ReconfigureTLS?that reconfigures?server?certificates with the provided fields.

apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: reconfigure-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    certificates:
    - alias: server
      subject:
        organizations:
        - appscode:kubevault
      emailAddresses:
      - "[email protected]"        

KubeVault Recommendation Engine

Recommendation Engine generates recommendation to automate the day-2 life cycle of Kubernetes objects. KubeVault Recommendation Engine is a part of KubeVault operator which will run inside the KubeVault operator pod. It watches the Vault Server custom resources and generates recommendation based on the Vault Server state. Currently, Recommendation engine generates Rotate TLS recommendation for TLS secured Vault Server.

In this release, we have introduced the KubeVault Recommendation Engine to generate recommendations for vault resources. Currently, it will generate?Rotate TLS?ops-request recommendations depending on the TLS certificate expiry date. We have already introduced Supervisor to execute the recommendation in a user-defined maintenance window. To install the Supervisor helm chart, please visit?here.

To see the generated recommendations:

$ kubectl get recommendations.supervisor.appscode.com -A        

Recommendation: Rotate TLS

By default, the recommendation engine will generate a Rotate TLS recommendation for the TLS secured vault before one month of the TLS certificate expiry date. But if the TLS certificate lifespan is less than one month, then it will generate the recommendation before half of the TLS certificate lifespan. Also while installing KubeVault, users can specify custom flags to configure the recommendation-engine to create Rotate TLS recommendations before a specific time of TLS certificate expiry date.

apiVersion: supervisor.appscode.com/v1alpha1
kind: Recommendation
metadata:
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: kubevault.com
    rotate-tls: rotate-tls
  name: vault-x-vaultserver-x-rotate-tls-tthnu9
  namespace: demo
spec:
  backoffLimit: 5
  description: TLS Certificate is going to be expire on 2022-12-04 05:34:37 +0000 UTC
  operation:
    apiVersion: ops.kubevault.com/v1alpha1
    kind: VaultOpsRequest
    metadata:
      name: rotate-tls-otxghu
      namespace: demo
    spec:
      tls:
        rotateCertificates: true
      type: ReconfigureTLS
      vaultRef:
        name: vault
    status: {}
  recommender:
    name: vault-operator
  rules:
    failed: has(self.status) && has(self.status.phase) && self.status.phase == 'Failed'
    inProgress: has(self.status) && has(self.status.phase) && self.status.phase == 'Progressing'
    success: has(self.status) && has(self.status.phase) && self.status.phase == 'Successful'
  target:
    apiGroup: kubevault.com/v1alpha2
    kind: VaultServer
    name: vault         

$ helm install kubevault appscode/kubevault \

    --version v2022.09.09 \
    --namespace kubevault --create-namespace \
    --set kubevault-ops-manager.recommendationEngine.genRotateTLSRecommendationBeforeExpiryMonth=2 \
    --set-file global.license=/path/to/the/license.txt
            

With the above installation, the recommendation engine will generate recommendations before two months of the TLS certificate expiry date. To know more about the recommendation engine flags please visit?here.

Vault Health Checker

In this release, we’ve improved KubeVault health checks. We’ve added a new field called?healthChecker?under spec. It controls the behavior of health checks. It has the following fields:

• spec.healthChecker.periodSeconds?: Specifies the interval between each health check iteration.
• spec.healthChecker.timeoutSeconds?: Specifies the timeout for each health check iteration.
• spec.healthChecker.failureThreshold?: Specifies the number of consecutive failures to mark the Vault as NotReady.
• spec.healthChecker.disableWriteCheck?: KubeVault does write check by default, but if you want to disable it, you can use this field.

Example YAML:

spec:
  healthChecker:
    periodSeconds: 10
    timeoutSeconds: 10
    failureThreshold: 3
    disableWriteCheck: true        

Pod Disruption Budget

A Pod Disruption Budget (PDB) allows you to limit the voluntary disruption to your application when its pods need to be rescheduled for some reason such as upgrades or routine maintenance work on the Kubernetes nodes.

Now, a?PDB?will also be created along with your?Vault?deployment & it’ll set a?maxUnavailable?pods value, so an eviction will be allowed if at most?maxUnavailable?pods selected by?selector?are unavailable after the eviction.

Rotate, Generate Vault root-token

KubeVault CLI?always focuses on improving user experience by automating tedious tasks associated with?Vault. This release is no exception.

Now, you can?Generate?&?Rotate?the Vault?root-token?using the?KubeVault CLI.

kubectl vault generate?command will generate a completely new?root-token?using the?unseal-keys. At least the threshold number of?unseal-keys?must be present for this operation to be successful.

# this will generate a new root-token using the available unseal-keys
# at least the threshold number of keys must be present for this to be successful
$ kubectl vault root-token generate vaultserver -n demo vault

root-token generation successful
generated root-token: hvs.oxEoWs355PYgfs1mv73cxOsc        

kubectl vault rotate?command will rotate the?root-token?using the?unseal-keys. The?root-token?& at least the threshold number of?unseal-keys?must be present for this operation to be successful.

# this will rotate the root-token using the available unseal-keys
# old root-token privileges will be revoked after successfully rotating the token
$ kubectl vault root-token rotate vaultserver -n demo vault

root-token generation successful
root-token rotation successful        

What’s Next?

Please try the latest release and give us your valuable feedback.

• If you want to install KubeVault, please follow the installation instruction from?here.

Support

To speak with us, please leave a message on?our website.

To receive product announcements, follow us on?Twitter.

If you have found a bug with KubeVault or want to request new features, please?file an issue.

PS: This article was initially published on?ByteBuilders Blog