NO-JIRA: Support multiple Vault instance deployment

ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh

@@ -3,93 +3,107 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
-echo "========================================="
-echo "Vault Configuration for KMS"
-echo "========================================="
-echo "Namespace: ${VAULT_NAMESPACE}"
-echo "Vault Enterprise NS: ${VAULT_ENTERPRISE_NS}"
-echo ""
-
 export KUBECONFIG="${SHARED_DIR}/kubeconfig"
 
 # In dev mode, Vault is already initialized and unsealed with root token "root"
 ROOT_TOKEN="root"
 
-echo "Configuring Vault for KMS..."
-echo ""
-
-# Create the Vault Enterprise namespace used by the KMS plugin
-echo "Creating Vault Enterprise namespace '${VAULT_ENTERPRISE_NS}'..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault namespace create "${VAULT_ENTERPRISE_NS}"
-
-# Enable transit secret engine
-echo "Enabling transit secret engine..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault secrets enable -namespace="${VAULT_ENTERPRISE_NS}" -path=transit transit
-
-# Create encryption key
-echo "Creating transit encryption key..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f transit/keys/${VAULT_KMS_KEY_NAME}
-
-# Enable AppRole auth
-echo "Enabling AppRole authentication..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault auth enable -namespace="${VAULT_ENTERPRISE_NS}" approle
-
-# Create KMS policy
-echo "Creating KMS policy..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  sh -c "VAULT_TOKEN=${ROOT_TOKEN} vault policy write -namespace=${VAULT_ENTERPRISE_NS} kms-policy - <<POLICY
-path \"transit/encrypt/${VAULT_KMS_KEY_NAME}\" {
+# Configure a Vault instance for KMS encryption.
+# Args: $1 = namespace, $2 = KMS key name, $3 = pod name
+configure_vault() {
+  local namespace="$1"
+  local key_name="$2"
+  local pod_name="$3"
+  local service_name="${pod_name%-0}"
+
+  echo ""
+  echo "========================================="
+  echo "Vault Configuration for KMS"
+  echo "========================================="
+  echo "Namespace: ${namespace}"
+  echo "Vault Enterprise NS: ${VAULT_ENTERPRISE_NS}"
+  echo "KMS Key Name: ${key_name}"
+  echo ""
+
+  echo "Configuring Vault for KMS..."
+  echo ""
+
+  # Create the Vault Enterprise namespace used by the KMS plugin
+  echo "Creating Vault Enterprise namespace '${VAULT_ENTERPRISE_NS}'..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault namespace create "${VAULT_ENTERPRISE_NS}"
+
+  # Enable transit secret engine
+  echo "Enabling transit secret engine..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault secrets enable -namespace="${VAULT_ENTERPRISE_NS}" -path=transit transit
+
+  # Create encryption key
+  echo "Creating transit encryption key..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f "transit/keys/${key_name}"
+
+  # Enable AppRole auth
+  echo "Enabling AppRole authentication..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault auth enable -namespace="${VAULT_ENTERPRISE_NS}" approle
+
+  # Create KMS policy
+  echo "Creating KMS policy..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    sh -c "VAULT_TOKEN=${ROOT_TOKEN} vault policy write -namespace=${VAULT_ENTERPRISE_NS} kms-policy - <<POLICY
+path \"transit/encrypt/${key_name}\" {
   capabilities = [\"update\"]
 }
-path \"transit/decrypt/${VAULT_KMS_KEY_NAME}\" {
+path \"transit/decrypt/${key_name}\" {
   capabilities = [\"update\"]
 }
-path \"transit/keys/${VAULT_KMS_KEY_NAME}\" {
+path \"transit/keys/${key_name}\" {
   capabilities = [\"read\"]
 }
 path \"sys/license/status\" {
   capabilities = [\"read\"]
 }
 POLICY"
 
-# Create AppRole role
-echo "Creating AppRole role..."
-oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" auth/approle/role/kms-plugin \
-    token_policies=kms-policy \
-    token_ttl=1h \
-    token_max_ttl=4h
-
-# Get AppRole credentials
-echo "Retrieving AppRole credentials..."
-ROLE_ID=$(oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault read -namespace="${VAULT_ENTERPRISE_NS}" -field=role_id auth/approle/role/kms-plugin/role-id)
-SECRET_ID=$(oc exec vault-0 -n "${VAULT_NAMESPACE}" -- \
-  env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -field=secret_id -f auth/approle/role/kms-plugin/secret-id)
-
-# Create vault-credentials secret
-echo "Creating vault-credentials secret..."
-oc create secret generic vault-credentials \
-  --from-literal=role-id="${ROLE_ID}" \
-  --from-literal=secret-id="${SECRET_ID}" \
-  --from-literal=root-token="${ROOT_TOKEN}" \
-  -n "${VAULT_NAMESPACE}"
-
-echo "Vault credentials saved to vault-credentials secret"
-
-echo ""
-echo "========================================="
-echo "Vault Configuration Complete"
-echo "========================================="
-echo ""
-echo "Summary:"
-echo "  - Vault Service: vault.${VAULT_NAMESPACE}.svc:8200"
-echo "  - Credentials Secret: vault-credentials (namespace: ${VAULT_NAMESPACE})"
-echo "  - Vault Enterprise Namespace: ${VAULT_ENTERPRISE_NS}"
-echo "  - Transit Key: ${VAULT_KMS_KEY_NAME}"
-echo "  - ROLE_ID: ${ROLE_ID}"
-echo ""
+  # Create AppRole role
+  echo "Creating AppRole role..."
+  oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" auth/approle/role/kms-plugin \
+      token_policies=kms-policy \
+      token_ttl=1h \
+      token_max_ttl=4h
+
+  # Get AppRole credentials
+  echo "Retrieving AppRole credentials..."
+  ROLE_ID=$(oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault read -namespace="${VAULT_ENTERPRISE_NS}" -field=role_id auth/approle/role/kms-plugin/role-id)
+  SECRET_ID=$(oc exec "${pod_name}" -n "${namespace}" -- \
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -field=secret_id -f auth/approle/role/kms-plugin/secret-id)
+
+  # Create vault-credentials secret
+  echo "Creating vault-credentials secret..."
+  oc create secret generic vault-credentials \
+    --from-literal=role-id="${ROLE_ID}" \
+    --from-literal=secret-id="${SECRET_ID}" \
+    --from-literal=root-token="${ROOT_TOKEN}" \
+    -n "${namespace}"
+
+  echo "Vault credentials saved to vault-credentials secret"
+
+  echo ""
+  echo "========================================="
+  echo "Vault Configuration Complete"
+  echo "========================================="
+  echo ""
+  echo "Summary:"
+  echo "  - Vault Service: ${service_name}.${namespace}.svc:8200"
+  echo "  - Credentials Secret: vault-credentials (namespace: ${namespace})"
+  echo "  - Vault Enterprise Namespace: ${VAULT_ENTERPRISE_NS}"
+  echo "  - Transit Key: ${key_name}"
+  echo "  - ROLE_ID: ${ROLE_ID}"
+  echo ""
+}
+
+configure_vault "${VAULT_NAMESPACE}" "${VAULT_KMS_KEY_NAME}" "vault-0"
+configure_vault "${VAULT_SECONDARY_NAMESPACE}" "${VAULT_SECONDARY_KMS_KEY_NAME}" "vault-secondary-0"

ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml

@@ -22,28 +22,46 @@ ref:
       Vault Enterprise namespace where the transit engine, AppRole auth, and
       policies will be created. Must match the VaultNamespace configured in the
       KMS plugin (defaults to "admin" in library-go test helpers).
+  - name: VAULT_SECONDARY_NAMESPACE
+    default: "vault-kms-secondary"
+    documentation: |-
+      Namespace where the second Vault Enterprise instance is installed.
+  - name: VAULT_SECONDARY_KMS_KEY_NAME
+    default: "kms-key-secondary"
+    documentation: |-
+      Name of the transit encryption key for the second Vault instance.
+      Must differ from VAULT_KMS_KEY_NAME to ensure each instance uses a distinct KEK.
   documentation: |-
-    Configures an already-installed Vault instance for Kubernetes KMS encryption.
+    Configures already-installed Vault instances for Kubernetes KMS encryption.
 
     This step should run after etcd-encryption-vault-install.
 
-    Configuration steps:
+    Configuration steps (applied to both primary and secondary instances):
     - Creates Vault Enterprise namespace (${VAULT_ENTERPRISE_NS})
     - Enables transit secret engine in ${VAULT_ENTERPRISE_NS}
-    - Creates transit encryption key (name: ${VAULT_KMS_KEY_NAME}) in ${VAULT_ENTERPRISE_NS}
+    - Creates transit encryption key in ${VAULT_ENTERPRISE_NS}
     - Enables AppRole authentication in ${VAULT_ENTERPRISE_NS}
     - Creates KMS policy with encrypt/decrypt permissions in ${VAULT_ENTERPRISE_NS}
     - Creates AppRole role (kms-plugin) in ${VAULT_ENTERPRISE_NS}
     - Retrieves AppRole credentials from ${VAULT_ENTERPRISE_NS}
     - Stores credentials in vault-credentials secret
 
+    Each instance uses a distinct transit key (${VAULT_KMS_KEY_NAME} vs
+    ${VAULT_SECONDARY_KMS_KEY_NAME}) to ensure independent KEKs.
+
     Prerequisites:
     - Vault must be installed and pods Ready (run etcd-encryption-vault-install first)
-    - OpenShift cluster with vault-0 pod running in ${VAULT_NAMESPACE}
+    - OpenShift cluster with vault-0 running in ${VAULT_NAMESPACE}
+      and vault-secondary-0 running in ${VAULT_SECONDARY_NAMESPACE}
 
-    Outputs:
+    Outputs (primary):
     - Credentials stored in: vault-credentials secret (namespace: ${VAULT_NAMESPACE})
       * role-id: AppRole role ID
       * secret-id: AppRole secret ID
       * root-token: Vault root token
-      * unseal-key: Vault unseal key
+
+    Outputs (secondary):
+    - Credentials stored in: vault-credentials secret (namespace: ${VAULT_SECONDARY_NAMESPACE})
+      * role-id: AppRole role ID
+      * secret-id: AppRole secret ID
+      * root-token: Vault root token