New to KubeVault? Please start here.

VaultOpsRequest

What is VaultOpsRequest

VaultOpsRequest is a Kubernetes Custom Resource Definitions (CRD). It provides a declarative configuration for Vault administrative operations like restart, reconfigure TLS etc. in a Kubernetes native way.

VaultOpsRequest CRD Specifications

Like any official Kubernetes resource, a VaultOpsRequest has TypeMeta, ObjectMeta, Spec and Status sections.

Here, some sample VaultOpsRequest CRs for different administrative operations is given below:

Sample VaultOpsRequest for restarting VaultServer:

apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: restart-vault-request
  namespace: demo
spec:
  restart: {}
  type: Restart
  vaultRef:
    name: vault
status:
  conditions:
  - lastTransitionTime: "2022-12-04T09:27:07Z"
    message: Vault ops request is restarting nodes
    observedGeneration: 1
    reason: Restart
    status: "True"
    type: Restart
  - lastTransitionTime: "2022-12-04T09:29:23Z"
    message: Successfully restarted all nodes
    observedGeneration: 1
    reason: RestartNodes
    status: "True"
    type: RestartNodes
  - lastTransitionTime: "2022-12-04T09:29:23Z"
    message: Successfully completed the modification process.
    observedGeneration: 1
    reason: Successful
    status: "True"
    type: Successful
  observedGeneration: 1
  phase: Successful

Sample VaultOpsRequest Objects for Reconfiguring TLS of the VaultServer:

apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-add-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    issuerRef:
      name: vault-issuer
      kind: Issuer
      apiGroup: "cert-manager.io"
    certificates:
      - alias: client
        emailAddresses:
          - [email protected]
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-rotate
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    rotateCertificates: true
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-change-issuer
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    issuerRef:
      name: vault-new-issuer
      kind: Issuer
      apiGroup: "cert-manager.io"
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-remove
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    remove: true

Here, we are going to describe the various sections of a VaultOpsRequest crd.

A VaultOpsRequest object has the following fields in the spec section.

spec.vaultRef

spec.vaultRef is a required field that point to the Vault object for which the administrative operations will be performed. This field consists of the following sub-field:

  • spec.databaseRef.name : specifies the name of the Vault object.

spec.type

spec.type specifies the kind of operation that will be applied to the VaultServer. Currently, the following types of operations are allowed in VaultOpsRequest.

  • Restart
  • ReconfigureTLS

You can perform only one type of operation on a single VaultOpsRequest CR. You should not create two VaultOpsRequest simultaneously.

spec.tls

If you want to reconfigure the TLS configuration of your VaultServer i.e. add TLS, remove TLS, update issuer/cluster issuer or Certificates and rotate the certificates, you have to specify spec.tls section. This field consists of the following sub-field:

  • spec.tls.issuerRef specifies the issuer name, kind and api group.
  • spec.tls.certificates specifies the certificates.
  • spec.tls.rotateCertificates specifies that we want to rotate the certificate of this VaultServer.
  • spec.tls.remove specifies that we want to remove tls from this VaultServer.

VaultOpsRequest Status

.status describes the current state and progress of a VautlOpsRequest operation. It has the following fields:

status.phase

status.phase indicates the overall phase of the operation for this VaultOpsRequest. It can have the following three values:

PhaseMeaning
SuccessfulKubeVault has successfully performed the operation requested in the VaultOpsRequest
FailedKubeVault has failed the operation requested in the VaultOpsRequest
DeniedKubeVault has denied the operation requested in the VaultOpsRequest

status.observedGeneration

status.observedGeneration shows the most recent generation observed by the VaultOpsRequest controller.

status.conditions

status.conditions is an array that specifies the conditions of different steps of VaultOpsRequest processing. Each condition entry has the following fields:

  • types specifies the type of the condition. VaultOpsRequest has the following types of conditions:
TypeMeaning
ProgressingSpecifies that the operation is now in the progressing state
SuccessfulSpecifies such a state that the operation on the vault was successful.
ResumeVaultServerSpecifies such a state that the vault is resumed by the operator
FailedSpecifies such a state that the operation on the database failed.
UpdateStatefulSetResourcesSpecifies such a state that the Statefulset resources has been updated
RestartNodesSpecifies whether the vault nodes has been restarted or not
CertificateSyncedSpecifies whether the certificates has been synced across all the vault nodes
  • The status field is a string, with possible values True, False, and Unknown.
    • status will be True if the current transition succeeded.
    • status will be False if the current transition failed.
    • status will be Unknown if the current transition was denied.
  • The message field is a human-readable message indicating details about the condition.
  • The reason field is a unique, one-word, CamelCase reason for the condition’s last transition.
  • The lastTransitionTime field provides a timestamp for when the operation last transitioned from one state to another.
  • The observedGeneration shows the most recent condition transition generation observed by the controller.