
readme contains out of date information #15

Closed
2 tasks done
Starttoaster opened this issue Jun 25, 2022 · 9 comments
Labels
bug Something isn't working

Comments

@Starttoaster

🌧 Describe the problem

If you have not, auto-unseal functionality for on-prem is currently only in enterprise

This is not correct anymore. You actually can do auto-unseal in on-prem Vault OSS. But it does require some configuration, and some resources in a cloud provider like GCP/AWS.

I have set up the open source Vault on-prem in kubernetes with auto-unseal configured to use a key and keyring managed in GCP.

To be clear, I still believe this tool has a purpose. I'm actually considering using it over GCP KMS just so I won't also have to maintain some terraform.

⛅ Expected behavior

This text should be updated. The "why" for this kind of a project would now be something more like, "If you want to maintain a Vault cluster on-prem with auto-unseal functionality without relying on any public cloud KMS assets."

🔄 Minimal reproduction

N/A

💠 Version: vault-unseal

master branch

🖥 Version: Operating system

other

⚙ Additional context

N/A

🤝 Requirements

@Starttoaster Starttoaster added the bug Something isn't working label Jun 25, 2022
@lrstanley
Owner

Hmm, guess I'm not exactly sure what you mean -- using GCP/AWS/Azure resources for KMS wouldn't actually be on-prem. I.e. there are no on-prem only solutions that I'm aware of, unless you use enterprise, and hardware KMS. If that is correct, then I don't believe that statement is incorrect?

@lrstanley
Owner

Unrelated, but I am also planning on making a helm chart for this at some point, we're in the process of migrating various resources into AWS (previously we couldn't due to compliance).

@Starttoaster
Author

Starttoaster commented Jun 25, 2022

I guess it really depends what components you're referring to when you say "on prem."

If you mean the Vault cluster, that is what I'm running on prem. Of course the key management solution exists in public cloud, but that is a function external to Vault. So if your readme is actually saying, "there is no other way to run on-prem Vault with auto unseal where the Vault instances and the key manager are both on prem" then I guess it's technically correct and I misunderstood. In that case, it is in my opinion a bit misleading because I inferred you were actually saying there is no way to have an on-prem OSS Vault server with auto-unseal functionality at all without this tool.

@Starttoaster
Author

Unrelated, but I am also planning on making a helm chart for this at some point, we're in the process of migrating various resources into AWS (previously we couldn't due to compliance).

That would be cool. I actually already wrote one but I kind of sloppily put together helm charts since I usually expect I will be the only person to see them in my private gitlab group :)

@Starttoaster
Author

Since it appears you meant something more like "there is no on-prem solution for auto-unseal for on-prem OSS Vault," I'll close this Issue. I don't think it's really important that the readme is more clear on this subject, but the word choice is confusing.

Thanks for the tool! Read through most of the code, pretty neat. Would be cool if there were more notifiers (Slack, Discord, Keybase, etc) but that is wayyyyy out of scope for this Issue.

@lrstanley
Owner

I think since the project is geared towards a "Vault KMS replacement", personally feel like the readme is still quite clear, but I may go through and clean it up a bit more.

As far as notifications and improvements there, subscribe to this issue -- do plan to support quite a few more, primarily just waiting for the revamp when I work on the helm chart.

@Starttoaster
Author

Starttoaster commented Jun 25, 2022

It's extremely clear, depending on whether or not you view the auto-unseal functionality as part of Vault. If you view it as a function decoupled from Vault, it's hard to call it clear tbh.

auto-unseal functionality for on-prem is currently only in enterprise (for cloud, it is now in the OSS version)

This could be read as one of the following:

How I took it -- auto-unseal functionality for on-prem Vault is currently only in enterprise (for cloud, it is now in the OSS version)

or...

How you meant it -- on-prem auto-unseal functionality for on-prem Vault is currently only in enterprise (for cloud, it is now in the OSS version)

Anyway, if you don't see it, no biggy. Just confused me :)

@zamazan4ik

Excuse me for the necroposting but I found the README also confusing. Now there is an option for the on-prem Vault to implement auto-unseal via Transit Secret Engine with another Vault cluster: https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-transit
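To make the Transit auto-unseal option concrete, here is an added illustration (not from this thread, from the linked tutorial, or from the vault-unseal project) of the two pieces involved: the `seal "transit"` stanza in the on-prem Vault's server config, and the policy the token it uses should be limited to on the second (unsealing) Vault. The addresses, mount path, key name and token are assumed placeholder values.

```hcl
# --- file: vault-onprem.hcl (server config of the cluster that gets auto-unsealed) ---
# Added example; every address, path and key name below is an assumed placeholder.
seal "transit" {
  address         = "https://unseal-vault.example.internal:8200" # assumed: the second Vault cluster
  token           = "hvs.REPLACE_WITH_TRANSIT_TOKEN"            # placeholder; a token with only the policy below
  disable_renewal = "false"   # let Vault keep renewing the token so the seal keeps working
  key_name        = "autounseal" # assumed name of the transit key
  mount_path      = "transit/"   # assumed mount path of the transit engine on the unsealing cluster
  tls_skip_verify = "false"      # keep TLS verification on; pin a CA with tls_ca_cert if needed
}

# --- file: autounseal-policy.hcl (applied on the unsealing cluster) ---
# Least privilege: the on-prem cluster's token only needs to encrypt/decrypt with that one key.
path "transit/encrypt/autounseal" {
  capabilities = ["update"]
}

path "transit/decrypt/autounseal" {
  capabilities = ["update"]
}
```

The caveat that ties back to the thread: the unsealing cluster is itself a Vault that has to be unsealed, so this only moves the bootstrap problem to a second cluster (which might run in a cloud, or use a cloud KMS, or use a tool like vault-unseal). Keeping the policy this narrow means the token stored in the on-prem config cannot read or rotate the key, only use it.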

@lrstanley
Owner

Please see the updated readme, and let me know if that's better.

Projects
None yet
Development

No branches or pull requests

3 participants