
hookpick's Introduction

hookpick

hookpick is a tool for the operational side of HashiCorp Vault, specifically the painful processes of initialising, unsealing and rekeying Vault.

You provide a configuration file with a map of "datacenters". Each datacenter has a key and an array of hosts. hookpick will perform actions against each of those hosts as you need.

The name comes from a hook pick, a tool used to pick locks; this tool is meant to "unlock" the administration of Vault. Originally the tool was called locksmith, but that name conflicted with an existing project called locksmith.

It is currently considered Alpha, and may change drastically over time.

Why?

Originally, I wrote unseal which was specifically for unsealing a large number of Vault servers. However, it became apparent that operating on large numbers of Vaults is painful, especially when it comes to rekeying.

This tool is aimed at bridging the gap when it comes to administration and operation of large numbers of Vault servers.

Features

Some of the advantages you might gain over using the Vault HTTP API or the standard Vault binary:

  • Zero touch interaction. Once you've written your yaml config, you can simply invoke the command and it'll operate on the Vault servers you need to.
  • Parallel execution. Each unseal command runs in a goroutine, meaning you can unseal multiple servers in a matter of seconds

Currently hookpick has the capability to:

  • Query the status of all Vault servers configured
  • Unseal all Vault servers configured, with a key specified.
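The two capabilities above amount to one loop: check each node's seal status, then submit key shares only to nodes that are reachable and still sealed, with one goroutine per host. The following is an added example written for this page, not hookpick's own code. It talks to Vault's real /v1/sys/seal-status and /v1/sys/unseal endpoints, but UnsealAll, vaultCall and fakeVault are names chosen here, and fakeVault is a constructed in-process stand-in for a Vault node so the example runs offline. An unreachable node is reported as an error for that host rather than aborting the whole run.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// SealStatus is the subset of Vault's /v1/sys/seal-status response used here.
type SealStatus struct {
	Sealed    bool `json:"sealed"`
	Threshold int  `json:"t"`
	Progress  int  `json:"progress"`
}

// Result is the outcome for one host; Err is set when the node was unreachable or
// answered non-200, so a caller never acts on a status it cannot trust.
type Result struct {
	Status SealStatus
	Err    error
}

// vaultCall sends one request to a Vault system endpoint and decodes the seal status it returns.
func vaultCall(ctx context.Context, c *http.Client, method, url string, body []byte) (SealStatus, error) {
	var st SealStatus
	req, err := http.NewRequestWithContext(ctx, method, url, bytes.NewReader(body))
	if err != nil {
		return st, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return st, err // connection refused, i/o timeout, TLS failure: report it, never panic
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return st, fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return st, json.NewDecoder(resp.Body).Decode(&st)
}

// UnsealAll queries every host in its own goroutine and submits key shares, one at a
// time, only to nodes that are reachable and still sealed.
func UnsealAll(ctx context.Context, c *http.Client, hosts, keys []string) map[string]Result {
	results := make(map[string]Result, len(hosts))
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, h := range hosts {
		wg.Add(1)
		go func(host string) {
			defer wg.Done()
			var r Result
			r.Status, r.Err = vaultCall(ctx, c, http.MethodGet, host+"/v1/sys/seal-status", nil)
			for i := 0; r.Err == nil && r.Status.Sealed && i < len(keys); i++ {
				body, _ := json.Marshal(map[string]string{"key": keys[i]})
				r.Status, r.Err = vaultCall(ctx, c, http.MethodPut, host+"/v1/sys/unseal", body)
			}
			mu.Lock()
			results[host] = r
			mu.Unlock()
		}(h)
	}
	wg.Wait()
	return results
}

// fakeVault is a constructed stand-in for a Vault node (not real Vault): it starts
// sealed and reports unsealed once `threshold` distinct shares have been submitted.
func fakeVault(threshold int) *httptest.Server {
	var mu sync.Mutex
	seen := map[string]bool{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		if r.URL.Path == "/v1/sys/unseal" {
			var in struct{ Key string `json:"key"` }
			if json.NewDecoder(r.Body).Decode(&in) != nil || in.Key == "" {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			seen[in.Key] = true
		}
		_ = json.NewEncoder(w).Encode(SealStatus{Sealed: len(seen) < threshold, Threshold: threshold, Progress: len(seen) % threshold})
	}))
}

func main() {
	a, b := fakeVault(2), fakeVault(2)
	defer a.Close()
	defer b.Close()
	dead := fakeVault(2)
	dead.Close() // constructed unreachable node: the listener is gone before we dial it
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	hosts := []string{a.URL, b.URL, dead.URL}
	for host, r := range UnsealAll(ctx, &http.Client{Timeout: 2 * time.Second}, hosts, []string{"share-1", "share-2"}) {
		fmt.Printf("%s: sealed=%v progress=%d/%d err=%v\n", host, r.Status.Sealed, r.Status.Progress, r.Status.Threshold, r.Err)
	}
}
```

The per-host timeout on the http.Client is what keeps a dead node from stalling the whole run, and checking seal-status first means an already-unsealed node never receives a key share it does not need.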

Usage

You'll need a configuration file. hookpick uses viper, which means the file can be written in JSON, YAML or HCL syntax.

The app will look for the config file in the following locations, in order:

  • $HOME/.hookpick.yaml
  • .hookpick.yaml (in the directory you're running the binary from)

An example configuration file in yaml looks like this:

gpg: true
datacenters:
- hosts:
  - name: consulserver-1.example.dc1.com
    port: 8200
  - name: consulserver-2.example.dc1.com
    port: 8200
  keys:
  - key: <key1>
  - key: <key2>
  name: dc1
- hosts:
  - name: consulserver-1.example.dc2.com
    port: 8200
  - name: consulserver-2.example.dc2.com
    port: 8200
  keys:
  - key: <key1>
  - key: <key2>
  name: dc2

This can be converted to JSON or HCL as needed. Configuration options available are:

  • gpg - Boolean - Set to true if you init'd Vault with GPG support enabled
  • capath - String - The path to a directory containing CA certificates for all Vaults
  • protocol - String - The URL scheme (http or https) to use when connecting to Vaults (default: https)
  • datacenters - Array of maps - an array of datacenters with nested options
    • name - String - The name of the datacenter
    • keys - Array - contains keys:
      • key - String - An unseal key share for that datacenter. If gpg is true this is the base64 encoded, PGP-encrypted share that Vault returned at init time. Note that with gpg false the file holds raw unseal key shares in plaintext, so restrict its permissions and keep it out of version control
    • hosts - Array - contains two config options:
      • name - String - Hostname of a Vault server
      • port - Int - The port that Vault server listens on
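Because the config can be converted to JSON, the same layout can be loaded with the standard library alone. The example below is added for this page and is not hookpick's loader (hookpick uses viper); the Config, Datacenter, Host and Key types, LoadConfig and Addresses are names chosen here, and sampleConfig is a constructed JSON rendering of the YAML example with base64 placeholder keys rather than real shares. It validates the things that would otherwise only surface at unseal time: a datacenter with no keys or hosts, an invalid port, an unknown protocol, and a key that is not valid base64 when gpg is set.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"strconv"
)

// Config mirrors the option names documented above (JSON field names match the YAML keys).
type Config struct {
	GPG         bool         `json:"gpg"`
	CAPath      string       `json:"capath"`
	Protocol    string       `json:"protocol"`
	Datacenters []Datacenter `json:"datacenters"`
}

type Datacenter struct {
	Name  string `json:"name"`
	Hosts []Host `json:"hosts"`
	Keys  []Key  `json:"keys"`
}

type Host struct {
	Name string `json:"name"`
	Port int    `json:"port"`
}

type Key struct {
	Key string `json:"key"`
}

// LoadConfig parses the JSON form of the config and rejects anything that would
// make an unseal run silently do the wrong thing.
func LoadConfig(data []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	if c.Protocol == "" {
		c.Protocol = "https" // documented default
	}
	if c.Protocol != "https" && c.Protocol != "http" {
		return nil, fmt.Errorf("protocol must be http or https, got %q", c.Protocol)
	}
	if len(c.Datacenters) == 0 {
		return nil, fmt.Errorf("no datacenters configured")
	}
	seen := map[string]bool{}
	for i, dc := range c.Datacenters {
		if dc.Name == "" {
			return nil, fmt.Errorf("datacenter %d has no name", i)
		}
		if seen[dc.Name] {
			return nil, fmt.Errorf("duplicate datacenter name %q", dc.Name)
		}
		seen[dc.Name] = true
		if len(dc.Hosts) == 0 || len(dc.Keys) == 0 {
			return nil, fmt.Errorf("datacenter %q needs at least one host and one key", dc.Name)
		}
		for _, h := range dc.Hosts {
			if h.Name == "" || h.Port < 1 || h.Port > 65535 {
				return nil, fmt.Errorf("datacenter %q: invalid host %q:%d", dc.Name, h.Name, h.Port)
			}
		}
		for j, k := range dc.Keys {
			if k.Key == "" {
				return nil, fmt.Errorf("datacenter %q: key %d is empty", dc.Name, j)
			}
			// With gpg: true each key is the base64 blob Vault hands back for a
			// PGP-encrypted share; a value that does not decode can never be used.
			if c.GPG {
				if _, err := base64.StdEncoding.DecodeString(k.Key); err != nil {
					return nil, fmt.Errorf("datacenter %q: key %d is not valid base64: %w", dc.Name, j, err)
				}
			}
		}
	}
	return &c, nil
}

// Addresses returns the base URL for each host in a datacenter, using the configured protocol.
func (c *Config) Addresses(dc Datacenter) []string {
	out := make([]string, 0, len(dc.Hosts))
	for _, h := range dc.Hosts {
		out = append(out, c.Protocol+"://"+net.JoinHostPort(h.Name, strconv.Itoa(h.Port)))
	}
	return out
}

// sampleConfig is a constructed JSON rendering of the YAML example above; the keys
// are base64 placeholders, not real shares.
const sampleConfig = `{
  "gpg": true,
  "datacenters": [
    {"name": "dc1",
     "hosts": [{"name": "consulserver-1.example.dc1.com", "port": 8200},
               {"name": "consulserver-2.example.dc1.com", "port": 8200}],
     "keys": [{"key": "a2V5MQ=="}, {"key": "a2V5Mg=="}]},
    {"name": "dc2",
     "hosts": [{"name": "consulserver-1.example.dc2.com", "port": 8200},
               {"name": "consulserver-2.example.dc2.com", "port": 8200}],
     "keys": [{"key": "a2V5MQ=="}, {"key": "a2V5Mg=="}]}
  ]
}`

func main() {
	c, err := LoadConfig([]byte(sampleConfig))
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	for _, dc := range c.Datacenters {
		fmt.Printf("%s: %d keys, hosts %v\n", dc.Name, len(dc.Keys), c.Addresses(dc))
	}
}
```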

Environment Variables

By default, hookpick reads the same environment variables as the Vault client (see the Vault documentation for the full list). The ones relevant to hookpick are:

  • VAULT_CACERT: Set this to the path of a CA certificate you wish to use to verify the Vault connection. Note that the same CA certificate is used for all Vaults
  • VAULT_CAPATH: A directory of CA certificates; an alternative to the capath config option above
  • VAULT_CLIENT_CERT: A TLS client certificate to use when connecting to your Vaults. Note that the same certificate is used for all Vaults
  • VAULT_CLIENT_KEY: The TLS client key for that certificate. Note that the same key is used for all Vaults
  • VAULT_SKIP_VERIFY: Skip TLS certificate verification. Do not use this in production: with verification disabled, anyone who can intercept the connection can present their own certificate and capture the unseal key shares hookpick sends
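The variables above map onto a single tls.Config. The following is an added example for this page rather than hookpick's or Vault's own client code; TLSOptions, OptionsFromEnv, NewTLSConfig and NewClient are names chosen here, and the TLS 1.2 minimum and the allowInsecure gate are design choices of this example. The point it makes is the caveat on VAULT_SKIP_VERIFY: the code only honours that variable when the caller opts in explicitly, so an environment variable left over from a test shell cannot silently downgrade a connection that carries unseal key shares.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"time"
)

// TLSOptions holds the values of the VAULT_* variables listed above.
type TLSOptions struct {
	CACert     string // VAULT_CACERT: one PEM file, used for every Vault
	CAPath     string // VAULT_CAPATH: directory of PEM files
	ClientCert string // VAULT_CLIENT_CERT
	ClientKey  string // VAULT_CLIENT_KEY
	SkipVerify bool   // VAULT_SKIP_VERIFY
}

// OptionsFromEnv reads the variables from the environment.
func OptionsFromEnv() TLSOptions {
	skip, _ := strconv.ParseBool(os.Getenv("VAULT_SKIP_VERIFY"))
	return TLSOptions{
		CACert:     os.Getenv("VAULT_CACERT"),
		CAPath:     os.Getenv("VAULT_CAPATH"),
		ClientCert: os.Getenv("VAULT_CLIENT_CERT"),
		ClientKey:  os.Getenv("VAULT_CLIENT_KEY"),
		SkipVerify: skip,
	}
}

// NewTLSConfig turns the options into a tls.Config. Skipping verification is only
// honoured when the caller passes allowInsecure, so a stray VAULT_SKIP_VERIFY=1
// cannot silently downgrade the connection that carries unseal keys.
func NewTLSConfig(o TLSOptions, allowInsecure bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if o.SkipVerify {
		if !allowInsecure {
			return nil, errors.New("VAULT_SKIP_VERIFY is set: refusing to send unseal keys over an unverified connection")
		}
		cfg.InsecureSkipVerify = true
	}
	var caFiles []string
	if o.CACert != "" {
		caFiles = append(caFiles, o.CACert)
	}
	if o.CAPath != "" {
		entries, err := os.ReadDir(o.CAPath)
		if err != nil {
			return nil, fmt.Errorf("read VAULT_CAPATH: %w", err)
		}
		for _, e := range entries {
			if !e.IsDir() {
				caFiles = append(caFiles, filepath.Join(o.CAPath, e.Name()))
			}
		}
	}
	if len(caFiles) > 0 {
		pool := x509.NewCertPool()
		for _, f := range caFiles {
			pem, err := os.ReadFile(f)
			if err != nil {
				return nil, fmt.Errorf("read CA file: %w", err)
			}
			if !pool.AppendCertsFromPEM(pem) {
				return nil, fmt.Errorf("no PEM certificates found in %s", f)
			}
		}
		cfg.RootCAs = pool // replaces the system roots, as VAULT_CACERT/VAULT_CAPATH imply
	}
	if (o.ClientCert == "") != (o.ClientKey == "") {
		return nil, errors.New("VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together")
	}
	if o.ClientCert != "" {
		cert, err := tls.LoadX509KeyPair(o.ClientCert, o.ClientKey)
		if err != nil {
			return nil, fmt.Errorf("load client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// NewClient wraps the TLS config in an http.Client with a timeout, so a dead node
// yields an error instead of a hung goroutine.
func NewClient(o TLSOptions, allowInsecure bool) (*http.Client, error) {
	tc, err := NewTLSConfig(o, allowInsecure)
	if err != nil {
		return nil, err
	}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: tc}}, nil
}

func main() {
	c, err := NewClient(OptionsFromEnv(), false)
	if err != nil {
		fmt.Println("refusing to build client:", err)
		os.Exit(1)
	}
	fmt.Println("verification enforced:", !c.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify)
}
```

If a tool genuinely needs VAULT_SKIP_VERIFY for a throwaway lab, pass allowInsecure from an explicit command-line flag rather than from the environment, so the downgrade is visible in the invocation.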

Building

If you want to contribute, we use Go Modules for dependency management, so building should be as simple as:

  • clone this repo into $GOPATH/src/github.com/jaxxstorm/hookpick
  • run go get -u from that directory
  • run go mod tidy from that directory
  • run go build -o hookpick main.go

Building Docker Image

If you want to build the Docker image:

  • clone this repo into $GOPATH/src/github.com/jaxxstorm/hookpick
  • run docker build -t hookpick . from that directory

You should end up with a tiny hookpick image of less than 5 MB.

To use it:

  • create your config file .hookpick.yaml
  • run docker run -v $(pwd)/.hookpick.yaml:/.hookpick.yaml:ro hookpick status

Note: status can be replaced with any of the program's commands (unseal is the default if omitted).

hookpick's People

Contributors

bart-leboeuf, emcniece, harshc, jaxxstorm


hookpick's Issues

cannot find package "github.com/jaxxstorm/hookpick/cmd"

Hey, just trying to build & test this neat looking tool! Following the README and got stuck at the build step:

cd $GOPATH/src
git clone https://github.com/jaxxstorm/hookpick.git
cd hookpick
curl https://glide.sh/get | sh
glide
go build -o hookpick main.go

    main.go:23:8: cannot find package "github.com/jaxxstorm/hookpick/cmd" in any of:
	[GOPATH]/src/hookpick/vendor/github.com/jaxxstorm/hookpick/cmd (vendor tree)
	[GOROOT]/src/github.com/jaxxstorm/hookpick/cmd (from $GOROOT)
	[GOPATH]/src/github.com/jaxxstorm/hookpick/cmd (from $GOPATH)

This is because main.go imports github.com/jaxxstorm/hookpick/cmd and not ./cmd, right? Should I be building with a different command?

Side note, make build fails too because I don't have goxc installed, this will be the next issue to solve.

panic: runtime error: invalid memory address or nil pointer dereference

Just a heads up, received this when a node wasn't running, v0.2.1 on amd64/linux. Consistently does it when a connection error occurs (i/o timeout, connection refused, etc).

Also, check out https://github.com/lrstanley/vault-unseal -- this is useful for one-offs, but isn't useful for unsealing at more of an on-going basis, in a more secured manner.

$ ./hookpick unseal
INFO[0000] Vault is unsealed!                            host=vault-node-s02.domain.com progress=0 threshold=3
INFO[0000] Vault is unsealed!                            host=vault-node-s03.domain.com progress=0 threshold=3
ERRO[0030] Get https://vault-node-s01.domain.com:8200/v1/sys/init: dial tcp 1.2.3.4:8200: i/o timeout  host="https://vault-node-s01.domain.com:8200"
ERRO[0060] Get https://vault-node-s01.domain.com:8200/v1/sys/seal-status: dial tcp 1.2.3.4:8200: i/o timeout  host="https://vault-node-s01.domain.com:8200"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x755495]

goroutine 5 [running]:
github.com/jaxxstorm/hookpick/vault.Status(0xc42019c000, 0x1d)
        /home/travis/gopath/src/github.com/jaxxstorm/hookpick/vault/status.go:24 +0x95
github.com/jaxxstorm/hookpick/cmd.glob..func5.1(0xc4200174f0, 0x0, 0x0, 0xc4201139a0, 0xc420014920, 0x1d, 0x2008)
        /home/travis/gopath/src/github.com/jaxxstorm/hookpick/cmd/unseal.go:78 +0xd4
created by github.com/jaxxstorm/hookpick/cmd.glob..func5
        /home/travis/gopath/src/github.com/jaxxstorm/hookpick/cmd/unseal.go:70 +0x4d2

Add a command to start a rekey

This should be a subcommand of the overall rekey command:

locksmith rekey start.

It should take the following parameters:

  • shares
  • threshold
  • pgp_keys
  • whether to backup the keys or not

It will return a nonce, which should be output to be shared. In future, we can store this somewhere like consul

port status command

At the very minimum, this should have the same options as unseal. Port those commands over.

port version command

Need to port the version command the method we're doing for versioning from unseal

Add a command to submit a rekey

This should be something like

locksmith rekey submit

It should take a single parameter on the command line, nonce.

It should read the current key from your yaml configuration file, whether that be pgp or not.

Add support for specifying multiple keys per datacenter

Hi! We'd love to use this project in our environment, but our security model requires at least a certain threshold of keys (higher than just 1). Would you consider adding support for specifying multiple GPG encrypted unseal keys per datacenter?

Protocol http doesn't work

Docs say or imply 'protocol: http' should work, but doesn't.

Thanks for a semi-nice solution to the unseal problem!

If you can't find leader, notify

Currently, if we're running a rekey status, we look for the leader.

However, if the cluster is down, there IS no leader. Therefore we don't return a result.

This is bad, and we should notify that the leader doesn't exist.
