
Adding vault poststart hook/configs #252

Closed
wants to merge 1 commit into from

Conversation

rohitrsh

@rohitrsh rohitrsh commented Apr 8, 2020

@jasonodonnell as discussed in #251, adding the PR. This performs the following tasks.

  • Check Vault status before execution
  • Initialize Vault and unseal it - this can be enabled/disabled using values.yaml
  • Enable LDAP auth - this can also be enabled/disabled using values.yaml

More auth modes can be controlled and added using vault-config.sh; currently it supports LDAP only.

@hashicorp-cla

hashicorp-cla commented Apr 8, 2020

CLA assistant check
All committers have signed the CLA.

@jasonodonnell
Contributor

Hi @rohitrsh, my apologies, but there seems to be some confusion about what we talked about. What I was referring to was the lifecycle management hooks built into K8s, specifically postStart, which will run after the pod is ready: https://github.com/hashicorp/vault-helm/blob/master/templates/server-statefulset.yaml#L128-L133

This job is useful; however, at this time we're not looking to automate initialization. Instead, this PR should be focused on adding postStart so that users can optionally add these types of scripts to their install if they wish to automate it.

@rohitrsh
Author

rohitrsh commented Apr 8, 2020

Hi @jasonodonnell,

Initially I tried the postStart lifecycle hook. To make this work we might need to update the Vault statefulset readiness check here:

command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]

Because until it passes, the pod status will be 0/1 and the postStart hook won't execute until we log in to the pod and initialise Vault. The postStart hook waits for the pod to pass all the checks and come up 1/1.

I did not want to make changes in the health check; that's why I chose to do this using a Helm post-install hook.

If it's fine to change the health check to port 8200, the same script can be used in the lifecycle hook.

Let me know your thoughts on that.

@jasonodonnell
Contributor

@rohitrsh if you use the HTTP check instead, you can make it go ready depending on different criteria:

server:
  readinessProbe:
    enabled: true
    path: /v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204

This will make Vault report ready even if it's sealed or uninitialized (the liveness probe can be changed to report a different status).
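To make the probe path above concrete, here is an added example (not code from this PR or from vault-helm) that models Vault's documented /v1/sys/health status codes and how the query parameters in that path override them; the default code table comes from the Vault API docs, the sample health bodies are constructed, and the kubelet rule that any 2xx/3xx response counts as probe success is assumed.

```python
"""Added example: model sys/health status codes and the readiness probe's
query-parameter overrides (standbyok, sealedcode, uninitcode, ...)."""
from urllib.parse import parse_qs, urlsplit

# Default codes per Vault's sys/health API docs: state name -> HTTP status.
DEFAULT_CODES = {
    "active": 200,              # initialized, unsealed, active node
    "standby": 429,             # unsealed standby node
    "drsecondary": 472,         # disaster-recovery secondary
    "performancestandby": 473,  # performance standby
    "uninit": 501,              # not initialized
    "sealed": 503,              # sealed
}

def classify(health: dict) -> str:
    """Map a sys/health JSON body to the state name used in the overrides."""
    if not health.get("initialized", False):
        return "uninit"
    if health.get("sealed", False):
        return "sealed"
    if health.get("replication_dr_mode") == "secondary":
        return "drsecondary"
    if health.get("performance_standby", False):
        return "performancestandby"
    if health.get("standby", False):
        return "standby"
    return "active"

def health_status_code(probe_path: str, health: dict) -> int:
    """HTTP code Vault answers for this probe path and this node state."""
    query = parse_qs(urlsplit(probe_path).query)
    params = {k: v[-1] for k, v in query.items()}
    state = classify(health)
    # standbyok=true makes a standby node answer with the *active* code.
    if state == "standby" and params.get("standbyok", "false").lower() == "true":
        state = "active"
    # Any state's code can be overridden with <state>code=<int>, e.g. sealedcode=204.
    override = params.get(state + "code")
    return int(override) if override else DEFAULT_CODES[state]

def is_ready(probe_path: str, health: dict) -> bool:
    """Assumed kubelet rule: a 2xx/3xx response means the probe succeeded."""
    return 200 <= health_status_code(probe_path, health) < 400

# Constructed sample bodies (shape of sys/health JSON, not captured from a server).
SEALED_NODE = {"initialized": True, "sealed": True, "standby": False}
UNINIT_NODE = {"initialized": False, "sealed": True, "standby": False}
STANDBY_NODE = {"initialized": True, "sealed": False, "standby": True}
PROBE_PATH = "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
```

With the default path a sealed or uninitialized pod stays 0/1 (503 or 501), which is exactly why a postStart script that has to initialize Vault could never run; the overridden path turns both cases into 204.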

@rohitrsh
Author

rohitrsh commented Apr 8, 2020

@jasonodonnell, cool, I just tested that and it worked. One quick question I have: how are we planning to pass the postStart commands? Via a script mapped in a configMap?

@jasonodonnell
Contributor

jasonodonnell commented Apr 8, 2020

@rohitrsh This can already be done via the extraVolumes value. You define a configmap that contains the script, it will be mounted to /vault/userconfig/<name of configmap>/myscript.sh, and you would configure the postStart value to run that script. Hope that makes sense!

server:
  postStart: 
    command: ["/vault/userconfig/myinitconfigmap/myscript.sh"]

@pcman312 pcman312 added the enhancement New feature or request label Apr 13, 2020
@rohitrsh
Author

@jasonodonnell, not sure which approach is good to have here, pod lifecycle hooks or Helm hooks.

The major problem I could see with the postStart approach: if the postStart script gets stuck due to a misconfiguration or any other reason, the pod will get stuck in PodInitializing status forever. In this status the pod won't write anything to stdout, hence it's very difficult to troubleshoot. (I faced this very recently with one of the Helm charts I am working on.)

Whereas with a Helm hook we are letting the Vault pod come up without disturbing its startup and watching it through a job; as soon as it's up, the job will start performing the tasks written in the script. Also, the user can manage this the same way the current postStart script is proposed. If there is nothing in that script, the job pod will echo nothing and gracefully exit.

With this approach, if the Vault pod gets stuck or the job script has any issue, it can be easily troubleshot. Most important, the user's custom script will not have any impact on Vault pod startup.

Let me know your thoughts on it.

@jasonodonnell
Contributor

Hi @rohitrsh,

I think supporting helm hooks would be good too, but I'm closing this PR for now since #315 was merged to implement postStart.

Perhaps we can open a new issue about adding Helm hook support if this is something you think would be valuable?

MadsHT pushed a commit to Open-Olympus-Project/tooling-vault that referenced this pull request May 17, 2021
@rg13567

rg13567 commented Nov 14, 2021

@rohitrsh I am looking for the same solution, where I can perform Vault init, unseal and LDAP config as part of the Vault deployment with Helm.
Can you please share how you achieved it?
