hookpick is a tool for managing some of the operational chores of HashiCorp Vault, specifically the painful process of unsealing, initialising and rekeying Vault.
You provide a configuration file with a map of “datacenters”. Each datacenter has a key and an array of hosts. hookpick will perform actions against each of those hosts as you need.
The name comes from a hook pick, a tool used to pick locks; this tool is meant to "unlock" the administration of Vault. Originally the tool was called locksmith, but that name conflicted with an existing project called locksmith.
It is currently considered Alpha, and may change drastically over time.
Originally, I wrote unseal, which was specifically for unsealing a large number of Vault servers. However, it became apparent that operating on large numbers of Vaults is painful, especially when it comes to rekeying.
This tool is aimed at bridging the gap when it comes to administration and operation of large numbers of Vault servers.
Some of the advantages you might gain over using the Vault HTTP API or the standard Vault binary:
- Zero-touch interaction. Once you've written your YAML config, you can simply invoke the command and it operates on the Vault servers you need it to.
- Parallel execution. Each unseal command runs in a goroutine, meaning you can unseal multiple servers in a matter of seconds.
Currently hookpick has the capability to:
- Query the status of all Vault servers configured
- Unseal all Vault servers configured, with a key specified.
You'll need a configuration file. hookpick uses viper, which means it supports JSON, YAML and HCL syntax.
The app will look for the config file in the following directories, in order:
- .hookpick.yaml (in the directory you're running the binary from)
An example configuration file in YAML looks like this:
```yaml
gpg: true
datacenters:
  - name: dc1
    hosts:
      - name: consulserver-1.example.dc1.com
        port: 8200
      - name: consulserver-2.example.dc1.com
        port: 8200
    keys:
      - key: <key1>
      - key: <key2>
  - name: dc2
    hosts:
      - name: consulserver-1.example.dc2.com
        port: 8200
      - name: consulserver-2.example.dc2.com
        port: 8200
    keys:
      - key: <key1>
      - key: <key2>
```
This can be converted to JSON or HCL as needed. Configuration options available are:
- gpg - Boolean - Set to true if you init'd Vault with GPG support enabled
- capath - String - The path to a directory containing CA certificates for all Vaults
- datacenters - Array of maps - an array of datacenters with nested options:
  - name - String - The name of the datacenter
  - keys - Array - contains keys:
    - key - String - An unseal key for that datacenter. Should be base64 encoded if the gpg flag is set to true
  - hosts - Array - contains two config options:
    - name - String - Hostname of a Vault server
    - port - Int - The port that Vault server listens on
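To show how a configuration like the one above drives the unseal step, here is an added example in Go (not hookpick's own code): it models the datacenters section, fans out one goroutine per host as hookpick does, and feeds each datacenter's shares to PUT /v1/sys/unseal until the server reports sealed=false. It runs against a constructed fake Vault (NewFakeVault, threshold 2 of 3 shares) that implements only the two endpoints used; UnsealHost, UnsealAll and NewFakeVault are names chosen here, and the gpg option and config-file parsing are left out.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Datacenter, Host and Key mirror the datacenters section of hookpick's config
// (name, hosts[].name/port, keys[].key); the gpg option is not modelled here.
type Datacenter struct {
	Name  string
	Hosts []Host
	Keys  []Key
}
type Host struct {
	Name string
	Port int
}
type Key struct{ Key string }

// SealStatus is the part of Vault's /v1/sys/unseal and /v1/sys/seal-status
// responses an unseal loop needs: threshold t, share count n and progress.
type SealStatus struct {
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`
	N        int  `json:"n"`
	Progress int  `json:"progress"`
}

// Result is the outcome for one server; UnsealAll keys it by "<dc>/<host>:<port>".
type Result struct {
	SealStatus
	Err error
}

// UnsealHost submits the datacenter's shares one at a time to PUT /v1/sys/unseal
// and stops as soon as Vault reports sealed=false or rejects a share.
func UnsealHost(client *http.Client, base string, keys []Key) (SealStatus, error) {
	var st SealStatus
	for _, k := range keys {
		body, _ := json.Marshal(map[string]string{"key": k.Key})
		req, err := http.NewRequest(http.MethodPut, base+"/v1/sys/unseal", bytes.NewReader(body))
		if err != nil {
			return st, err
		}
		resp, err := client.Do(req)
		if err != nil {
			return st, err
		}
		if resp.StatusCode != http.StatusOK { // Vault answers 400 with {"errors":[...]} for a bad share
			resp.Body.Close()
			return st, fmt.Errorf("%s: unseal returned HTTP %d", base, resp.StatusCode)
		}
		err = json.NewDecoder(resp.Body).Decode(&st)
		resp.Body.Close()
		if err != nil || !st.Sealed {
			return st, err
		}
	}
	return st, nil
}

// UnsealAll runs one goroutine per host, as hookpick's unseal command does, so
// every server in every datacenter is unsealed concurrently.
func UnsealAll(client *http.Client, dcs []Datacenter, scheme string) map[string]Result {
	results := make(map[string]Result)
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, dc := range dcs {
		for _, h := range dc.Hosts {
			wg.Add(1)
			go func(dc Datacenter, h Host) {
				defer wg.Done()
				st, err := UnsealHost(client, fmt.Sprintf("%s://%s:%d", scheme, h.Name, h.Port), dc.Keys)
				mu.Lock()
				results[fmt.Sprintf("%s/%s:%d", dc.Name, h.Name, h.Port)] = Result{st, err}
				mu.Unlock()
			}(dc, h)
		}
	}
	wg.Wait()
	return results
}

// NewFakeVault is a constructed stand-in for a sealed Vault (not Vault itself): it
// accepts the given shares, counts distinct ones toward the threshold and reports
// sealed=false once the threshold is met, resetting progress as Vault does.
func NewFakeVault(threshold int, shares ...string) http.Handler {
	valid, seen := map[string]bool{}, map[string]bool{}
	for _, s := range shares {
		valid[s] = true
	}
	var mu sync.Mutex
	st := SealStatus{Sealed: true, T: threshold, N: len(shares)}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		if r.Method == http.MethodPut && r.URL.Path == "/v1/sys/unseal" {
			var in struct{ Key string }
			if json.NewDecoder(r.Body).Decode(&in) != nil || !valid[in.Key] {
				http.Error(w, `{"errors":["unseal failed, invalid key"]}`, http.StatusBadRequest)
				return
			}
			seen[in.Key] = true
			if st.Progress = len(seen); st.Progress >= st.T {
				st.Sealed, st.Progress = false, 0
			}
		}
		json.NewEncoder(w).Encode(st)
	})
}

func main() {
	// Two constructed datacenters, each a fake Vault initialised with 3 shares, threshold 2.
	dc1 := httptest.NewTLSServer(NewFakeVault(2, "dc1-share-1", "dc1-share-2", "dc1-share-3"))
	dc2 := httptest.NewTLSServer(NewFakeVault(2, "dc2-share-1", "dc2-share-2", "dc2-share-3"))
	defer dc1.Close()
	defer dc2.Close()
	port := func(s *httptest.Server) int { return s.Listener.Addr().(*net.TCPAddr).Port }
	dcs := []Datacenter{
		{Name: "dc1", Hosts: []Host{{"127.0.0.1", port(dc1)}}, Keys: []Key{{"dc1-share-1"}, {"dc1-share-2"}}},
		{Name: "dc2", Hosts: []Host{{"127.0.0.1", port(dc2)}}, Keys: []Key{{"dc2-share-1"}, {"not-a-share"}}},
	}
	// Every httptest TLS server presents the same built-in test certificate, so one client trusts both.
	for name, r := range UnsealAll(dc1.Client(), dcs, "https") {
		fmt.Printf("%s: sealed=%v progress=%d/%d err=%v\n", name, r.Sealed, r.Progress, r.T, r.Err)
	}
}
```

Two details matter for a real deployment. UnsealHost stops at the first share that unseals the server, so each Vault receives no more of the secret shares than it needs, and it treats anything other than HTTP 200 as an error rather than decoding Vault's error body into a zero-valued status that would read as "unsealed". The shares themselves sit in the config file in plaintext unless the gpg option is used, so that file deserves the same protection as the shares.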
By default, hookpick also reads the standard Vault client environment variables for its configuration. The following are relevant when using hookpick:
- VAULT_CACERT: Set this to the path of a CA cert you wish to use to verify the Vault connection. Note, this will use the same CA cert for all Vaults
- VAULT_CAPATH: An alternative to the capath config option above
- VAULT_CLIENT_CERT: A TLS client cert to use when connecting to your Vaults. Note, this will use the same cert for all Vaults
- VAULT_CLIENT_KEY: A TLS client key to use when connecting to your Vaults. Note, this will use the same key for all Vaults
- VAULT_SKIP_VERIFY: Skip TLS verification. This is not recommended in production use: hookpick sends unseal key shares over this connection, and without verification any host answering on the Vault port will receive them
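As an added example (not hookpick's code), the Go below builds a client TLS configuration from exactly these variables, with VAULT_SKIP_VERIFY as the weak setting beside the CA variables as the correct one. It assumes Vault's own convention of parsing VAULT_SKIP_VERIFY with strconv.ParseBool; TLSConfigFromEnv and WriteTestCA are names chosen here, and the self-signed CA that WriteTestCA produces is constructed test data so the CA-loading paths can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strconv"
	"time"
)

// TLSConfigFromEnv builds the client TLS settings described by the VAULT_*
// variables above. getenv is injected so the function can be tested without
// touching the real environment; pass os.Getenv in a real program.
func TLSConfigFromEnv(getenv func(string) string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if v := getenv("VAULT_SKIP_VERIFY"); v != "" {
		skip, err := strconv.ParseBool(v) // same parsing as Vault's own client (assumption noted in the lead-in)
		if err != nil {
			return nil, fmt.Errorf("VAULT_SKIP_VERIFY=%q is not a boolean: %w", v, err)
		}
		// With this set, whatever answers on the Vault port is trusted and is
		// handed the unseal key share; that is why it is unfit for production.
		cfg.InsecureSkipVerify = skip
	}
	var caFiles []string
	if f := getenv("VAULT_CACERT"); f != "" {
		caFiles = append(caFiles, f)
	}
	if dir := getenv("VAULT_CAPATH"); dir != "" {
		entries, err := os.ReadDir(dir)
		if err != nil {
			return nil, err
		}
		for _, e := range entries {
			if !e.IsDir() {
				caFiles = append(caFiles, filepath.Join(dir, e.Name()))
			}
		}
	}
	if len(caFiles) > 0 {
		pool := x509.NewCertPool()
		for _, f := range caFiles {
			data, err := os.ReadFile(f)
			if err != nil {
				return nil, err
			}
			if !pool.AppendCertsFromPEM(data) {
				return nil, fmt.Errorf("%s: no PEM certificates found", f)
			}
		}
		cfg.RootCAs = pool // one trust store for every Vault, as the notes above say
	}
	cert, key := getenv("VAULT_CLIENT_CERT"), getenv("VAULT_CLIENT_KEY")
	if (cert == "") != (key == "") {
		return nil, errors.New("VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together")
	}
	if cert != "" {
		pair, err := tls.LoadX509KeyPair(cert, key)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// WriteTestCA writes a throwaway self-signed CA certificate into dir and returns
// its path. It is constructed test data, not a real Vault CA.
func WriteTestCA(dir string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "ca.pem")
	return path, os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "hookpick-ca")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if _, err := WriteTestCA(dir); err != nil {
		panic(err)
	}
	// Constructed environments: a CA directory, then the setting the note above warns against.
	for _, env := range []map[string]string{{"VAULT_CAPATH": dir}, {"VAULT_SKIP_VERIFY": "true"}} {
		cfg, err := TLSConfigFromEnv(func(k string) string { return env[k] })
		if err != nil {
			fmt.Println(env, err)
			continue
		}
		fmt.Printf("%v -> skipVerify=%v customRoots=%v\n", env, cfg.InsecureSkipVerify, cfg.RootCAs != nil)
	}
}
```

Wrap the returned config in an http.Transport (TLSClientConfig: cfg) to get the client used for every datacenter. A missing or non-PEM CA file is reported as an error instead of silently falling back to the system roots, and a client certificate without its key is rejected up front, so a misconfigured environment fails before any unseal share leaves the machine.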
If you want to contribute, we use glide for dependency management, so it should be as simple as:
- cloning this repo into
- glide install from the directory
- go build -o hookpick main.go