Adding support for auto-unseal with transit secrets engine

[phong2tran]

Every time Vault server is restarted through the deployment update, or BOSH resurrector, it's started up in a seal state. Vault server has to be unsealed manually via Vault cli or api before it can be used. We're running CF in our own data center (on-premises) and it looked like we can use the auto-unseal with transit secrets engine (https://learn.hashicorp.com/vault/operations/autounseal-transit) for automation of unseal operation, but this feature is only available in Vault v1.1 and second Vault cluster deployment is also required.

1. Is there a plan to upgrade Vault version to 1.1.3 any time soon?

2. Add options for configuring seal stanza with transit secrets engine for a Vault cluster to replace the default Shamir's secret sharing option for protecting the master key:

seal "transit" {
address = "http://127.0.0.1:8200"
disable_renewal = "false"
key_name = "autounseal"
mount_path = "transit/"
tls_skip_verify = "true"
}

3. Add options/scripts to configure a Vault cluster as auto-seal key provider.

https://learn.hashicorp.com/vault/operations/autounseal-transit#step-1-configure-auto-unseal-key-provider-vault-1-

[jhunt]

I recommend you look at the vault-boshrelease (https://github.com/cloudfoundry-community/vault-boshrelease), which is already at 1.1.3 of Vault, and natively supports arbitrary configuration.

[phong2tran]

Thanks for the answer @jhunt! We are evaluating and using this safe-boshrelease because it provides a "rock-solid" deployment of HA Vault cluster with Consul backend out-of-the-box. Not much work is needed! It looked like this BOSH release is not up to date in terms of Vault version and does not provide much custom configurations (intended!?) as the other Vault BOSH Release you suggested.

I noticed that there is not much information on how to deploy a Vault cluster with HA storage backend (Consul or Zookeeper) on https://github.com/cloudfoundry-community/vault-boshrelease. How much work needed to be done here? Do we have to separately deploy a standalone Consul cluster and then deploy Vault cluster using this Consul cluster as the backend storage?

[qmarc]

Vault is now at 1.2.0, any chance we can bump the version to the latest?