Introducing KubeVault v2022.09.09
We are very excited to announce the release of KubeVault v2022.09.09. This release contains numerous improvements on both the KubeVault Operator and CLI sides. It includes features for managing the Day-2 lifecycle of Vault, including Vault Ops-requests, Recommendation generation for managing Vault TLS, an updated Health Checker, KubeVault CLI additions, and Pod Disruption Budget support for the Vault cluster.
KubeVault is a Kubernetes operator for HashiCorp Vault. Vault is a tool for secrets management, encryption as a service, and privileged access management. The KubeVault operator makes it easy to deploy, maintain and manage Vault servers in Kubernetes. It also supports managing secret engines and policies in a Kubernetes-native way.
In this post, we are going to highlight the major changes. You can find the complete commit-by-commit changelog here.
Vault Ops-requests
Managing the Day-2 lifecycle of Vault is now even easier with the newly added Vault Ops-requests. This is convenient for managing and reconfiguring TLS for your Vault deployment. It is now straightforward to add, remove, reconfigure or rotate Vault TLS whenever you need to.
Here's a simple example of type ReconfigureTLS that reconfigures the server certificate with the provided subject fields.
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: reconfigure-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    certificates:
      - alias: server
        subject:
          organizations:
            - appscode:kubevault
          emailAddresses:
            - "[email protected]"
KubeVault Recommendation Engine
The Recommendation Engine generates recommendations that automate the Day-2 lifecycle of Kubernetes objects. The KubeVault Recommendation Engine is part of the KubeVault operator and runs inside the KubeVault operator pod. It watches the Vault Server custom resources and generates recommendations based on the Vault Server state. Currently, the Recommendation Engine generates a Rotate TLS recommendation for TLS-secured Vault Servers.
In this release, we have introduced the KubeVault Recommendation Engine to generate recommendations for Vault resources. Currently, it generates Rotate TLS ops-request recommendations depending on the TLS certificate expiry date. We have already introduced Supervisor to execute recommendations in a user-defined maintenance window. To install the Supervisor helm chart, please visit here.
To see the generated recommendations:
$ kubectl get recommendations.supervisor.appscode.com -A
Recommendation: Rotate TLS
By default, the recommendation engine generates a Rotate TLS recommendation for a TLS-secured Vault one month before the TLS certificate expiry date. If the TLS certificate lifespan is less than one month, it instead generates the recommendation once half of the certificate lifespan has elapsed. Users can also pass custom flags when installing KubeVault to configure how long before the TLS certificate expiry date the recommendation engine creates Rotate TLS recommendations.
apiVersion: supervisor.appscode.com/v1alpha1
kind: Recommendation
metadata:
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: kubevault.com
    rotate-tls: rotate-tls
  name: vault-x-vaultserver-x-rotate-tls-tthnu9
  namespace: demo
spec:
  backoffLimit: 5
  description: TLS Certificate is going to be expire on 2022-12-04 05:34:37 +0000 UTC
  operation:
    apiVersion: ops.kubevault.com/v1alpha1
    kind: VaultOpsRequest
    metadata:
      name: rotate-tls-otxghu
      namespace: demo
    spec:
      tls:
        rotateCertificates: true
      type: ReconfigureTLS
      vaultRef:
        name: vault
    status: {}
  recommender:
    name: vault-operator
  rules:
    failed: has(self.status) && has(self.status.phase) && self.status.phase == 'Failed'
    inProgress: has(self.status) && has(self.status.phase) && self.status.phase == 'Progressing'
    success: has(self.status) && has(self.status.phase) && self.status.phase == 'Successful'
  target:
    apiGroup: kubevault.com/v1alpha2
    kind: VaultServer
    name: vault
$ helm install kubevault appscode/kubevault \
    --version v2022.09.09 \
    --namespace kubevault --create-namespace \
    --set kubevault-ops-manager.recommendationEngine.genRotateTLSRecommendationBeforeExpiryMonth=2 \
    --set-file global.license=/path/to/the/license.txt
With the above installation, the recommendation engine will generate recommendations two months before the TLS certificate expiry date. To know more about the recommendation engine flags, please visit here.
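The timing rule described above (a fixed number of months before expiry, falling back to half the lifespan for short-lived certificates), written out as a small Go program. This is an added illustration, not KubeVault's own code; the certificate dates are constructed, except the expiry taken from the Recommendation object shown earlier.

```go
package main

import (
	"fmt"
	"time"
)

// rotateTLSDue returns the instant from which a Rotate TLS recommendation
// should exist for a certificate valid from notBefore until notAfter.
// beforeExpiryMonths mirrors the genRotateTLSRecommendationBeforeExpiryMonth
// helm value (1 by default on the page). Added example, not KubeVault code.
func rotateTLSDue(notBefore, notAfter time.Time, beforeExpiryMonths int) time.Time {
	lifespan := notAfter.Sub(notBefore)
	// Normal case: recommend N months before the certificate expires.
	windowStart := notAfter.AddDate(0, -beforeExpiryMonths, 0)
	window := notAfter.Sub(windowStart)
	if lifespan < window {
		// Short-lived certificate: the window would start before the
		// certificate was even issued, so recommend at half its lifespan.
		return notBefore.Add(lifespan / 2)
	}
	return windowStart
}

// shouldRecommend reports whether the engine would emit the recommendation
// at time now for the given certificate validity period.
func shouldRecommend(now, notBefore, notAfter time.Time, beforeExpiryMonths int) bool {
	return !now.Before(rotateTLSDue(notBefore, notAfter, beforeExpiryMonths))
}

func main() {
	// Expiry as shown in the page's Recommendation object; issuance is constructed.
	notAfter := time.Date(2022, 12, 4, 5, 34, 37, 0, time.UTC)
	yearCert := notAfter.AddDate(-1, 0, 0)  // constructed one-year certificate
	shortCert := notAfter.AddDate(0, 0, -14) // constructed 14-day certificate

	for _, months := range []int{1, 2} {
		fmt.Printf("1y cert, %d month(s) before expiry -> recommend from %s\n",
			months, rotateTLSDue(yearCert, notAfter, months).Format(time.RFC3339))
	}
	fmt.Printf("14d cert, default window -> recommend from %s\n",
		rotateTLSDue(shortCert, notAfter, 1).Format(time.RFC3339))
}
```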
Vault Health Checker
In this release, we've improved KubeVault health checks. We've added a new field called healthChecker under spec. It controls the behavior of health checks. It has the following fields:
Example YAML:
spec:
  healthChecker:
    periodSeconds: 10
    timeoutSeconds: 10
    failureThreshold: 3
    disableWriteCheck: true
Pod Disruption Budget
A Pod Disruption Budget (PDB) allows you to limit the voluntary disruption to your application when its pods need to be rescheduled for reasons such as upgrades or routine maintenance work on the Kubernetes nodes.
Now, a PDB is also created along with your Vault deployment, and it sets a maxUnavailable pods value, so an eviction is allowed only if at most maxUnavailable of the pods matched by the selector are unavailable after the eviction.
Rotate, Generate Vault root-token
KubeVault CLI always focuses on improving user experience by automating tedious tasks associated with Vault. This release is no exception.
Now, you can Generate and Rotate the Vault root-token using the KubeVault CLI.
The kubectl vault root-token generate command generates a completely new root-token using the unseal-keys. At least the threshold number of unseal-keys must be present for this operation to succeed.
# this will generate a new root-token using the available unseal-keys
# at least the threshold number of keys must be present for this to be successful
$ kubectl vault root-token generate vaultserver -n demo vault
root-token generation successful
generated root-token: hvs.oxEoWs355PYgfs1mv73cxOsc
The kubectl vault root-token rotate command rotates the root-token using the unseal-keys. The current root-token and at least the threshold number of unseal-keys must be present for this operation to succeed.
# this will rotate the root-token using the available unseal-keys
# old root-token privileges will be revoked after successfully rotating the token
$ kubectl vault root-token rotate vaultserver -n demo vault
root-token generation successful
root-token rotation successful
What’s Next?
Please try the latest release and give us your valuable feedback.
Support
To speak with us, please leave a message on our website.
To receive product announcements, follow us on Twitter.
If you have found a bug with KubeVault or want to request new features, please file an issue.
PS: This article was initially published on the ByteBuilders Blog.