hookpick is a tool to manage some operational concepts of Hashicorp Vault, specifically related to the painful process of unsealing, initialising and rekeying Vault.
You provide a configuration file with a map of "datacenters". Each datacenter has a key and an array of hosts. hookpick will perform actions against each of those hosts as you need.
The name comes from a Hook Pick, a tool used to pick locks. This tool is meant to "unlock" the administration of Vault. Originally the tool was called locksmith, but that name conflicted with an existing locksmith.
It is currently considered Alpha, and may change drastically over time.
Originally, I wrote unseal which was specifically for unsealing a large number of Vault servers. However, it became apparent that operating on large numbers of Vaults is painful, especially when it comes to rekeying.
This tool is aimed at bridging the gap when it comes to administration and operation of large numbers of Vault servers.
Some of the advantages you might gain over using the Vault HTTP API or the standard Vault binary:
- Zero touch interaction. Once you've written your yaml config, you can simply invoke the command and it'll operate on the Vault servers you need to.
- Parallel execution. Each unseal command runs in a goroutine, meaning you can unseal multiple servers in a matter of seconds.
Currently hookpick has the capability to:
- Query the status of all configured Vault servers
- Unseal all configured Vault servers with a specified key
You'll need a configuration file. hookpick uses viper, which means it supports JSON, yaml and hcl syntax.
The app will look for the config file in the following locations, in order:
- $HOME/.hookpick.yaml
- .hookpick.yaml (in the directory you're running the binary from)
An example configuration file in yaml looks like this:
gpg: true
datacenters:
  - hosts:
      - name: consulserver-1.example.dc1.com
        port: 8200
      - name: consulserver-2.example.dc1.com
        port: 8200
    keys:
      - key: <key1>
      - key: <key2>
    name: dc1
  - hosts:
      - name: consulserver-1.example.dc2.com
        port: 8200
      - name: consulserver-2.example.dc2.com
        port: 8200
    keys:
      - key: <key1>
      - key: <key2>
    name: dc2
This can be converted to JSON or HCL as needed. The configuration options available are:
- gpg - Boolean - Set to true if you init'd Vault with GPG support enabled
- capath - String - The path to a directory containing CA certificates for all Vaults
- protocol - String - The HTTP protocol to use when connecting to Vaults (default: https)
- datacenters - Array of maps - an array of datacenters with nested options:
  - name - String - The name of the datacenter
  - keys - Array - contains keys:
    - key - String - The unseal key for that datacenter. Should be base64 encoded if the gpg flag is set to true
  - hosts - Array - contains two config options:
    - name - String - Hostname of a Vault server
    - port - Int - The port that Vault server listens on
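As an added illustration (not hookpick's own code), the following Go program loads the JSON form of the configuration described above, applies the documented protocol default, checks that every key is base64 when gpg is true, and runs one goroutine per host the way the page describes unseal running. The struct names, SampleConfig (with placeholder key values) and the base64 check are my own; the callback passed to ForEachHost stands in for the real Vault API call.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Structs mirror the options documented above (names are mine); encoding/json matches the lower-case config keys to these fields case-insensitively.
type Host struct{ Name string; Port int }
type Datacenter struct{ Name string; Hosts []Host; Keys []struct{ Key string } }
type Config struct{ GPG bool; Protocol string; Datacenters []Datacenter }

// SampleConfig is a constructed JSON form of the yaml example above; the key values are placeholders ("key1"/"key2" in base64).
const SampleConfig = `{"gpg": true, "datacenters": [{"name": "dc1", "hosts": [{"name": "consulserver-1.example.dc1.com", "port": 8200}, {"name": "consulserver-2.example.dc1.com", "port": 8200}], "keys": [{"key": "a2V5MQ=="}, {"key": "a2V5Mg=="}]}]}`

// LoadConfig parses the JSON config, applies the documented protocol default and rejects keys that are not base64 when gpg is true.
func LoadConfig(data []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, err
	}
	if c.Protocol == "" {
		c.Protocol = "https" // documented default
	}
	for _, dc := range c.Datacenters {
		for i, k := range dc.Keys {
			if _, err := base64.StdEncoding.DecodeString(k.Key); c.GPG && err != nil {
				return nil, fmt.Errorf("datacenter %s key %d: gpg is true but key is not base64", dc.Name, i)
			}
		}
	}
	return &c, nil
}

// ForEachHost runs fn against every configured host in its own goroutine (the fan-out described for unseal) and returns each host's error, keyed by Vault address.
func (c *Config) ForEachHost(fn func(addr string) error) map[string]error {
	type result struct{ addr string; err error }
	ch, n := make(chan result), 0
	for _, dc := range c.Datacenters {
		for _, h := range dc.Hosts {
			n++
			go func(addr string) { ch <- result{addr, fn(addr)} }(fmt.Sprintf("%s://%s:%d", c.Protocol, h.Name, h.Port))
		}
	}
	results := make(map[string]error, n)
	for ; n > 0; n-- { r := <-ch; results[r.addr] = r.err } // exactly one result per host
	return results
}
```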
By default, hookpick will read some environment variables for your configuration. You can find them here.
You can use some of these environment variables if you wish when using hookpick:
- VAULT_CACERT: Set this to the path of a CA cert you wish to use to verify the Vault connection. Note, this will use the same CA cert for all Vaults.
- VAULT_CAPATH: An alternative to the capath config option above.
- VAULT_CLIENT_CERT: An SSL client cert to use when connecting to your Vaults. Note, this will use the same cert for all Vaults.
- VAULT_CLIENT_KEY: An SSL client key to use when connecting to your Vaults. Note, this will use the same key for all Vaults.
- VAULT_SKIP_VERIFY: Skip SSL verification. This is not recommended in production use.
If you want to contribute, we use glide for dependency management, so it should be as simple as:
- cloning this repo into $GOPATH/src/github.com/jaxxstorm/hookpick
- installing glide if needed: curl https://glide.sh/get | sh
- running glide install from that directory
- running go build -o hookpick main.go