VaultOpsRequest
What is VaultOpsRequest
VaultOpsRequest is a Kubernetes Custom Resource Definition (CRD). It provides a declarative configuration for Vault administrative operations, such as restart and TLS reconfiguration, in a Kubernetes-native way.
VaultOpsRequest CRD Specifications
Like any official Kubernetes resource, a VaultOpsRequest has TypeMeta, ObjectMeta, Spec and Status sections.
Some sample VaultOpsRequest CRs for different administrative operations are given below.

Sample VaultOpsRequest for restarting a VaultServer:

```yaml
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: restart-vault-request
  namespace: demo
spec:
  restart: {}
  type: Restart
  vaultRef:
    name: vault
status:
  conditions:
  - lastTransitionTime: "2022-12-04T09:27:07Z"
    message: Vault ops request is restarting nodes
    observedGeneration: 1
    reason: Restart
    status: "True"
    type: Restart
  - lastTransitionTime: "2022-12-04T09:29:23Z"
    message: Successfully restarted all nodes
    observedGeneration: 1
    reason: RestartNodes
    status: "True"
    type: RestartNodes
  - lastTransitionTime: "2022-12-04T09:29:23Z"
    message: Successfully completed the modification process.
    observedGeneration: 1
    reason: Successful
    status: "True"
    type: Successful
  observedGeneration: 1
  phase: Successful
```
Sample VaultOpsRequest objects for reconfiguring TLS of a VaultServer (add TLS, rotate certificates, change issuer, remove TLS):

```yaml
# Add TLS using a cert-manager Issuer and request a client certificate
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-add-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    issuerRef:
      name: vault-issuer
      kind: Issuer
      apiGroup: "cert-manager.io"
    certificates:
    - alias: client
      emailAddresses:
      - [email protected]
---
# Rotate the existing certificates
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-rotate
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    rotateCertificates: true
---
# Switch to a different Issuer
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-change-issuer
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    issuerRef:
      name: vault-new-issuer
      kind: Issuer
      apiGroup: "cert-manager.io"
---
# Remove TLS from the VaultServer
apiVersion: ops.kubevault.com/v1alpha1
kind: VaultOpsRequest
metadata:
  name: vault-ops-remove
  namespace: demo
spec:
  type: ReconfigureTLS
  vaultRef:
    name: vault
  tls:
    remove: true
```
Here, we describe the various sections of a VaultOpsRequest CRD.
A VaultOpsRequest object has the following fields in the spec section.
spec.vaultRef
spec.vaultRef is a required field that points to the VaultServer object on which the administrative operation will be performed. This field consists of the following sub-field:
- spec.vaultRef.name: specifies the name of the VaultServer object.
spec.type
spec.type specifies the kind of operation that will be applied to the VaultServer. Currently, the following types of operations are allowed in VaultOpsRequest.
- Restart
- ReconfigureTLS
You can perform only one type of operation in a single VaultOpsRequest CR, and you should not create two VaultOpsRequest objects for the same VaultServer simultaneously.
spec.tls
If you want to reconfigure the TLS configuration of your VaultServer, i.e. add TLS, remove TLS, update the issuer/cluster issuer or certificates, or rotate the certificates, you have to specify the spec.tls section. This field consists of the following sub-fields:
- spec.tls.issuerRef specifies the issuer name, kind and API group.
- spec.tls.certificates specifies the certificates.
- spec.tls.rotateCertificates specifies that we want to rotate the certificates of this VaultServer.
- spec.tls.remove specifies that we want to remove TLS from this VaultServer.
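As an added example (not KubeVault's own code), the following pre-apply lint encodes the spec rules above: a required vaultRef.name, a type of Restart or ReconfigureTLS, and a spec.tls section only for ReconfigureTLS. The manifests it checks are constructed from the page's samples; the e-mail address is a placeholder.

```python
"""Pre-apply lint for VaultOpsRequest manifests (added example, not KubeVault code)."""

ALLOWED_TYPES = {"Restart", "ReconfigureTLS"}
TLS_ACTIONS = ("issuerRef", "certificates", "rotateCertificates", "remove")
ISSUER_KINDS = {"Issuer", "ClusterIssuer"}  # cert-manager kinds the page refers to


def validate_ops_request(obj: dict) -> list[str]:
    """Return the rule violations found; an empty list means the manifest passed."""
    errors = []
    if (obj.get("apiVersion"), obj.get("kind")) != ("ops.kubevault.com/v1alpha1", "VaultOpsRequest"):
        errors.append("apiVersion/kind must be ops.kubevault.com/v1alpha1 VaultOpsRequest")
    spec = obj.get("spec") or {}
    if not (spec.get("vaultRef") or {}).get("name"):
        errors.append("spec.vaultRef.name is required")
    op_type = spec.get("type")
    if op_type not in ALLOWED_TYPES:
        errors.append(f"spec.type must be one of {sorted(ALLOWED_TYPES)}, got {op_type!r}")
    tls = spec.get("tls") or {}
    if op_type == "ReconfigureTLS":
        if not any(tls.get(k) for k in TLS_ACTIONS):
            errors.append("ReconfigureTLS needs spec.tls with one of: " + ", ".join(TLS_ACTIONS))
        issuer = tls.get("issuerRef")
        if issuer and issuer.get("kind") not in ISSUER_KINDS:
            errors.append("spec.tls.issuerRef.kind must be Issuer or ClusterIssuer")
        if issuer and issuer.get("apiGroup") != "cert-manager.io":
            errors.append("spec.tls.issuerRef.apiGroup must be cert-manager.io (as in the samples)")
    elif tls:
        errors.append(f"spec.tls is only used with type ReconfigureTLS, not {op_type!r}")
    return errors


# Constructed inputs: ADD_TLS mirrors the page's vault-ops-add-tls sample (placeholder
# e-mail address); BROKEN has an unknown type, no vaultRef and a stray tls section.
ADD_TLS = {
    "apiVersion": "ops.kubevault.com/v1alpha1", "kind": "VaultOpsRequest",
    "metadata": {"name": "vault-ops-add-tls", "namespace": "demo"},
    "spec": {"type": "ReconfigureTLS", "vaultRef": {"name": "vault"},
             "tls": {"issuerRef": {"name": "vault-issuer", "kind": "Issuer", "apiGroup": "cert-manager.io"},
                     "certificates": [{"alias": "client", "emailAddresses": ["ops@example.invalid"]}]}},
}
BROKEN = {
    "apiVersion": "ops.kubevault.com/v1alpha1", "kind": "VaultOpsRequest",
    "metadata": {"name": "bad-request", "namespace": "demo"},
    "spec": {"type": "Reconfigure", "tls": {"remove": True}},
}

if __name__ == "__main__":
    for req in (ADD_TLS, BROKEN):
        print(req["metadata"]["name"], validate_ops_request(req) or "OK")
```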
VaultOpsRequest Status
.status describes the current state and progress of a VaultOpsRequest operation. It has the following fields:
status.phase
status.phase indicates the overall phase of the operation for this VaultOpsRequest. It can have the following three values:
| Phase | Meaning |
|---|---|
| Successful | KubeVault has successfully performed the operation requested in the VaultOpsRequest |
| Failed | KubeVault failed to perform the operation requested in the VaultOpsRequest |
| Denied | KubeVault has denied the operation requested in the VaultOpsRequest |
status.observedGeneration
status.observedGeneration shows the most recent generation observed by the VaultOpsRequest controller.
status.conditions
status.conditions is an array that records the conditions of the different steps of VaultOpsRequest processing. Each condition entry has the following fields:
- type specifies the type of the condition. VaultOpsRequest has the following types of conditions:

| Type | Meaning |
|---|---|
| Progressing | Specifies that the operation is now in the progressing state |
| Successful | Specifies that the operation on the VaultServer was successful |
| ResumeVaultServer | Specifies that the VaultServer has been resumed by the operator |
| Failed | Specifies that the operation on the VaultServer failed |
| UpdateStatefulSetResources | Specifies that the StatefulSet resources have been updated |
| RestartNodes | Specifies whether the Vault nodes have been restarted |
| CertificateSynced | Specifies whether the certificates have been synced across all the Vault nodes |

- status is a string with possible values True, False and Unknown. status is True if the current transition succeeded, False if the current transition failed, and Unknown if the current transition was denied.
- message is a human-readable message indicating details about the condition.
- reason is a unique, one-word, CamelCase reason for the condition's last transition.
- lastTransitionTime provides a timestamp for when the operation last transitioned from one state to another.
- observedGeneration shows the most recent condition transition generation observed by the controller.
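As an added example (not KubeVault's own code), the following helper reads the status fields described above the way a monitoring check would: it reports the phase, flags a status whose observedGeneration lags metadata.generation as stale, and lists the condition types whose status is False (failed) or Unknown (denied). The inputs are constructed; the first mirrors the page's restart sample, the second is an invented failed certificate rotation.

```python
"""Summarise a VaultOpsRequest .status as a monitoring check would (added example)."""

TERMINAL_PHASES = {"Successful", "Failed", "Denied"}


def summarize_status(obj: dict) -> dict:
    """Return phase, staleness, failed/denied steps and the most recent condition."""
    generation = (obj.get("metadata") or {}).get("generation")
    status = obj.get("status") or {}
    observed = status.get("observedGeneration")
    conditions = status.get("conditions") or []
    newest = None
    for cond in conditions:  # RFC 3339 'Z' timestamps compare correctly as strings; later entries win ties
        if newest is None or cond.get("lastTransitionTime", "") >= newest.get("lastTransitionTime", ""):
            newest = cond
    return {
        "phase": status.get("phase"),
        "done": status.get("phase") in TERMINAL_PHASES,
        # observedGeneration behind metadata.generation means the controller has not
        # reconciled the latest edit yet, so the rest of the status describes an older spec.
        "stale": generation is not None and (observed is None or observed < generation),
        "failed_steps": [c.get("type") for c in conditions if c.get("status") == "False"],
        "denied_steps": [c.get("type") for c in conditions if c.get("status") == "Unknown"],
        "last_step": newest.get("type") if newest else None,
    }


# Constructed inputs: RESTART_DONE is the page's restart-vault-request sample (status part)
# with metadata.generation added; ROTATE_FAILED is an invented failed certificate rotation.
RESTART_DONE = {
    "metadata": {"name": "restart-vault-request", "namespace": "demo", "generation": 1},
    "status": {"observedGeneration": 1, "phase": "Successful", "conditions": [
        {"type": "Restart", "status": "True", "reason": "Restart", "observedGeneration": 1,
         "message": "Vault ops request is restarting nodes", "lastTransitionTime": "2022-12-04T09:27:07Z"},
        {"type": "RestartNodes", "status": "True", "reason": "RestartNodes", "observedGeneration": 1,
         "message": "Successfully restarted all nodes", "lastTransitionTime": "2022-12-04T09:29:23Z"},
        {"type": "Successful", "status": "True", "reason": "Successful", "observedGeneration": 1,
         "message": "Successfully completed the modification process.", "lastTransitionTime": "2022-12-04T09:29:23Z"},
    ]},
}
ROTATE_FAILED = {
    "metadata": {"name": "vault-ops-rotate", "namespace": "demo", "generation": 2},
    "status": {"observedGeneration": 1, "phase": "Failed", "conditions": [
        {"type": "Progressing", "status": "True", "lastTransitionTime": "2022-12-05T10:00:00Z"},
        {"type": "CertificateSynced", "status": "False", "lastTransitionTime": "2022-12-05T10:03:00Z"},
        {"type": "Failed", "status": "True", "lastTransitionTime": "2022-12-05T10:03:00Z"},
    ]},
}

if __name__ == "__main__":
    for req in (RESTART_DONE, ROTATE_FAILED):
        print(req["metadata"]["name"], summarize_status(req))
```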