lrstanley / vault-unseal

auto-unseal utility for Hashicorp Vault


readme contains out of date information

Starttoaster opened this issue · comments

🌧 Describe the problem

If you have not, auto-unseal functionality for on-prem is currently only in enterprise

This is not correct anymore. You actually can do auto-unseal in on-prem Vault OSS. But it does require some configuration, and some resources in a cloud provider like GCP/AWS.

I have set up the open source Vault on-prem in kubernetes with auto-unseal configured to use a key and keyring managed in GCP.

To be clear, I still believe this tool has a purpose. I'm actually considering using it over GCP KMS just so I won't also have to maintain some terraform.

⛅ Expected behavior

This text should be updated. The "why" for this kind of a project would now be something more like, "If you want to maintain a Vault cluster on-prem with auto-unseal functionality without relying on any public cloud KMS assets."

🔄 Minimal reproduction

N/A

💠 Version: vault-unseal

master branch

🖥 Version: Operating system

other

⚙ Additional context

N/A

🤝 Requirements

Hmm, guess I'm not exactly sure what you mean -- using GCP/AWS/Azure resources for KMS wouldn't actually be on-prem. I.e. there are no on-prem only solutions that I'm aware of, unless you use enterprise, and hardware KMS. If that is correct, then I don't believe that statement is incorrect?

Unrelated, but I am also planning on making a helm chart for this at some point, we're in the process of migrating various resources into AWS (previously we couldn't due to compliance).

I guess it really depends what components you're referring to when you say "on prem."

If you mean the Vault cluster, that is what I'm running on prem. Of course the key management solution exists in public cloud, but that is a function external to Vault. So if your readme is actually saying, "there is no other way to run on-prem Vault with auto unseal where the Vault instances and the key manager are both on prem" then I guess it's technically correct and I misunderstood. In that case, it is in my opinion a bit misleading because I inferred you were actually saying there is no way to have an on-prem OSS Vault server with auto-unseal functionality at all without this tool.

Unrelated, but I am also planning on making a helm chart for this at some point, we're in the process of migrating various resources into AWS (previously we couldn't due to compliance).

That would be cool. I actually already wrote one but I kind of sloppily put together helm charts since I usually expect I will be the only person to see them in my private gitlab group :)

Since it appears you meant something more like "there is no on-prem solution for auto-unseal for on-prem OSS Vault," I'll close this Issue. I don't think it's really important that the readme is more clear on this subject, but the word choice is confusing.

Thanks for the tool! Read through most of the code, pretty neat. Would be cool if there were more notifiers (Slack, Discord, Keybase, etc) but that is wayyyyy out of scope for this Issue.

I think since the project is geared towards a "Vault KMS replacement", personally feel like the readme is still quite clear, but I may go through and clean it up a bit more.

As far as notifications and improvements there, subscribe to this issue -- do plan to support quite a few more, primarily just waiting for the revamp when I work on the helm chart.

It's extremely clear, depending on whether or not you view the auto-unseal functionality as part of Vault. If you view it as a function decoupled from Vault, it's hard to call it clear tbh.

auto-unseal functionality for on-prem is currently only in enterprise (for cloud, it is now in the OSS version)

This could be read as one of the following:

How I took it -- auto-unseal functionality for on-prem Vault is currently only in enterprise (for cloud, it is now in the OSS version)

or...

How you meant it -- on-prem auto-unseal functionality for on-prem Vault is currently only in enterprise (for cloud, it is now in the OSS version)

Anyway, if you don't see it, no biggy. Just confused me :)

Excuse me for the necroposting but I found the README also confusing. Now there is an option for the on-prem Vault to implement auto-unseal via Transit Secret Engine with another Vault cluster: https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-transit
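The transit-seal option mentioned in that comment, as an added example that is not part of the issue or the vault-unseal project: the seal stanza for an on-prem OSS Vault that asks a second Vault's transit engine to wrap its root key, next to the GCP KMS stanza the reporter describes, and the least-privilege policy the seal token needs on the unsealing Vault. All addresses, project, key ring, key and mount names are placeholders.

```hcl
# Added example, not from the vault-unseal project. Names and addresses are placeholders.
# A Vault server config carries ONE active seal stanza; both are shown here only for comparison.

# Option A (the reporter's setup): the unseal key lives in GCP Cloud KMS.
seal "gcpckms" {
  project    = "example-project"     # placeholder
  region     = "global"
  key_ring   = "vault-keyring"       # placeholder
  crypto_key = "vault-unseal-key"    # placeholder
}

# Option B (transit seal): a second Vault cluster holds the wrapping key in its
# transit secrets engine, so no public-cloud KMS is involved. The token must stay
# valid across restarts (periodic/orphan, or renewable); if it expires, this
# Vault can no longer auto-unseal and falls back to manual unseal.
seal "transit" {
  address         = "https://unsealer.example.internal:8200"  # placeholder
  token           = "hvs.PLACEHOLDER"  # prefer the VAULT_TOKEN env var over a token in the file
  disable_renewal = "false"
  key_name        = "autounseal"       # placeholder key in the unsealer's transit engine
  mount_path      = "transit/"
  tls_skip_verify = "false"            # keep TLS verification on for the unsealer
}

# Policy on the UNSEALING Vault, attached to the token above. Only encrypt and
# decrypt on the single wrapping key; no key management or read of key material.
path "transit/encrypt/autounseal" {
  capabilities = ["update"]
}

path "transit/decrypt/autounseal" {
  capabilities = ["update"]
}
```

The policy block belongs on the unsealing cluster, not in the sealed Vault's server config; the unsealing Vault itself still needs its own unseal method, which is the point the thread makes about "on-prem" meaning both Vault and its key manager.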

Please see the updated readme, and let me know if that's better.