
Vault

This feature deploys Vault, a tool for securely managing secrets used in modern computing (e.g. passwords, certificates, API keys).

Enabling Vault

To enable Vault, run the following command:

sunbeam enable vault

Vault units will be in a blocked state after this step until Vault has been initialised, unsealed and the charm authorised, as described below.

Initialising Vault

To initialise Vault, run the following command:

sunbeam vault init KEY_SHARES KEY_THRESHOLD

KEY_SHARES - Number of key shares to be generated by Vault

KEY_THRESHOLD - Minimum number of key shares required to unseal Vault (must not exceed KEY_SHARES)

Output of the above command with 5 key shares and a key threshold of 3 looks like:

Unseal keys:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
cccccccccccccccccccccccccccccccccccccccccccc
dddddddddddddddddddddddddddddddddddddddddddd
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Root token: fff.ffffffffffffffffffffffff

It is recommended to store each unseal key and the root token in separate files
and keep them secure. Any KEY_THRESHOLD of the unseal keys are sufficient to unseal Vault, and the root token grants full access to it.

Unsealing Vault

To unseal Vault, run the following command:

cat <key file> | sunbeam vault unseal -

Unsealing Vault requires at least KEY_THRESHOLD keys to be provided, so the unseal
command must be executed KEY_THRESHOLD times, once per key. This unseals the
Vault leader unit.

To unseal the non-leader units, repeat the same sequence of unseal commands.

For example, the process to unseal a Vault with 3 units, initialised with
5 key shares and a key threshold of 3, looks like:

Unseal leader unit

Unseal with the first key:

$ cat <aaa.. key file> | sunbeam vault unseal -
Vault unseal operation status: 2 key shares required to unseal

Unseal with the second key:

$ cat <bbb.. key file> | sunbeam vault unseal -
Vault unseal operation status: 1 key shares required to unseal

Unseal with the third key:

$ cat <ccc.. key file> | sunbeam vault unseal -
Vault unseal operation status: completed for leader unit.
Rerun `sunbeam vault unseal` command to unseal non-leader units.

The leader unit is now unsealed, while the non-leader units remain sealed.

Unseal non-leader units

Now repeat the process to unseal the non-leader units.

Unseal with the first key:

$ cat <aaa.. key file> | sunbeam vault unseal -
Vault unseal operation status:
vault/1 : 2 key shares required to unseal
vault/2 : 2 key shares required to unseal

Unseal with the second key:

$ cat <bbb.. key file> | sunbeam vault unseal -
Vault unseal operation status:
vault/1 : 1 key shares required to unseal
vault/2 : 1 key shares required to unseal

Unseal with the third key:

$ cat <ccc.. key file> | sunbeam vault unseal -
Vault unseal operation status: completed

The Vault unsealing process is now complete.
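As an added example (not part of the Sunbeam docs or the sunbeam CLI), the following script drives the initialisation parameters and the unsealing procedure described above: it checks that KEY_THRESHOLD keys are available, submits exactly that many keys per pass to `sunbeam vault unseal -`, parses the status lines shown above to confirm that the pass finished, and repeats the pass when the CLI asks for the non-leader units. The `run` parameter is an assumption that lets the procedure be exercised against a stand-in instead of a live deployment.

```python
import re
import subprocess
from pathlib import Path
from typing import Callable, Dict, List

# Matches the leader form "2 key shares required to unseal" and the per-unit
# form "vault/1 : 2 key shares required to unseal" shown in the docs.
_REQUIRED = re.compile(
    r"(?:(?P<unit>[\w-]+/\d+)\s*:\s*)?(?P<n>\d+) key shares? required to unseal")


def run_sunbeam_unseal(key: str) -> str:
    """Pipe one unseal key into 'sunbeam vault unseal -' and return its stdout."""
    proc = subprocess.run(["sunbeam", "vault", "unseal", "-"], input=key + "\n",
                          capture_output=True, text=True, check=True)
    return proc.stdout


def shares_required(output: str) -> Dict[str, int]:
    """Units still sealed -> key shares they need ('leader' for the one-line form)."""
    return {(m.group("unit") or "leader"): int(m.group("n"))
            for m in _REQUIRED.finditer(output)}


def read_key_files(paths: List[str]) -> List[str]:
    """Load one unseal key per file, as the docs recommend storing them."""
    keys = [Path(p).read_text().strip() for p in paths]
    if any(not k for k in keys):
        raise ValueError("an unseal key file is empty")
    return keys


def unseal_pass(threshold: int, keys: List[str], run: Callable[[str], str]) -> str:
    """Submit exactly KEY_THRESHOLD keys, one call each; return the last output."""
    if threshold < 1 or len(keys) < threshold:
        raise ValueError(f"need {threshold} unseal keys, got {len(keys)}")
    output = ""
    for key in keys[:threshold]:
        output = run(key)
    if shares_required(output):  # the CLI should report 'completed' by now
        raise RuntimeError("still sealed after threshold keys:\n" + output)
    return output


def unseal_cluster(threshold: int, keys: List[str],
                   run: Callable[[str], str] = run_sunbeam_unseal) -> int:
    """Unseal the leader, then repeat the pass if the CLI asks for non-leaders.
    Returns the number of unseal calls made (KEY_THRESHOLD or twice that)."""
    calls = threshold
    if "Rerun" in unseal_pass(threshold, keys, run):
        unseal_pass(threshold, keys, run)
        calls += threshold
    return calls
```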

Authorising Vault charm

To authorise the Vault charm, run the following command:

$ cat <root token file> | sunbeam vault authorize-charm -
Vault charm is authorized.

After 5 minutes (the update-status-interval), Juju status should show all units as active.

$ juju status -m openstack vault
Model      Controller          Cloud/Region               Version  SLA          Timestamp
openstack  sunbeam-controller  immune-drum-k8s/localhost  3.5.4    unsupported  07:12:02Z

SAAS       Status  Store  URL
microceph  active  local  admin/controller.microceph

App    Version  Status   Scale  Charm      Channel      Rev  Address         Exposed  Message
vault           active       3  vault-k8s  1.16/stable  280  10.152.183.222  no

Unit      Workload  Agent  Address       Ports  Message
vault/0*  active    idle   10.1.183.201
vault/1   active    idle   10.1.183.234
vault/2   active    idle   10.1.183.235

Offer                  Application            Charm                     Rev  Connected  Endpoint              Interface             Role
cert-distributor       keystone               keystone-k8s              211  2/2        send-ca-cert          certificate_transfer  provider
certificate-authority  certificate-authority  self-signed-certificates  155  1/1        certificates          tls-certificates      provider
cinder-ceph            cinder-ceph            cinder-ceph-k8s           94   1/1        ceph-access           cinder-ceph-key       provider
keystone-credentials   keystone               keystone-k8s              211  1/1        identity-credentials  keystone-credentials  provider
keystone-endpoints     keystone               keystone-k8s              211  1/1        identity-service      keystone              provider
nova                   nova                   nova-k8s                  106  1/1        nova-service          nova                  provider
ovn-relay              ovn-relay              ovn-relay-k8s             95   1/1        ovsdb-cms-relay       ovsdb-cms             provider
rabbitmq               rabbitmq               rabbitmq-k8s              34   1/1        amqp                  rabbitmq              provider
traefik-rgw            traefik-rgw            traefik-k8s               218  1/1        traefik-route         traefik_route         provider

Vault status

To see the status of Vault, run the following command:

sunbeam vault status

Sample output of the above command looks like:

Unit     Initialized  Sealed
vault/0  True         False
vault/1  True         False
vault/2  True         False

Disabling Vault

To disable Vault, run the following command:

sunbeam disable vault

Caution: Disabling Vault will completely remove it from the infrastructure; all secrets stored in it will be lost.
