Hello,
We are creating ephemeral K8s stacks for developers using Vault in dev mode for the ease of setup. We would like to have some kind of persistence on a volume (PVC) to make sure that when the pod restarts the data is still there.
Is there an easy way to start such a setup without all the fuss of init and unsealing and managing keys?
You can’t use dev mode for this, as it’s not flexible enough for that.
Instead, you should write a minimal Vault configuration file that does what you need it to, and handle the init and unseal via some wrapper scripts.
Init looks like this:
vault operator init -n 1 -t 1 -format=json > init.json
saving init.json somewhere safe, as you'll need it to unseal.
Unseal looks like this:
vault operator unseal "$(jq -r '.unseal_keys_b64[0]' init.json)"
To do some initial setup of the data stored in each dev Vault, you might want to log in using the root token in init.json and run some other commands:
export VAULT_TOKEN=$(vault login -no-store -field=token "$(jq -r .root_token init.json)")
vault secrets enable <something>
...
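A pod-start wrapper along these lines, as an added example and not maxb's own code, that keeps init.json on the data volume and picks init or unseal from `vault status` on every restart; it assumes `vault` and `jq` on PATH, VAULT_ADDR pointing at the local server, and the data directory at /vault/data (override with VAULT_DATA_DIR):

```shell
#!/usr/bin/env bash
# Run once at pod start: initialise a fresh Vault, or unseal one whose
# storage (and init.json) came back from the PVC. Assumes vault + jq on PATH.
set -eu

DATA_DIR="${VAULT_DATA_DIR:-/vault/data}"   # assumed PVC mount, as in the thread
INIT_FILE="$DATA_DIR/init.json"

# Map Vault's status to the one action this wrapper must take.
# Arguments: initialized (true/false), sealed (true/false).
decide_action() {
  initialized="$1"; sealed="$2"
  if [ "$initialized" != "true" ]; then
    echo "init"      # empty storage: operator init comes first
  elif [ "$sealed" = "true" ]; then
    echo "unseal"    # storage restored from the PVC, keys are in init.json
  else
    echo "none"      # already unsealed, nothing to do
  fi
}

# `vault status` exits 0 when unsealed, 2 when sealed/uninitialised, 1 on error.
wait_for_vault() {
  for i in $(seq 1 30); do
    if vault status >/dev/null 2>&1 || [ $? -eq 2 ]; then return 0; fi
    sleep 1
  done
  echo "vault did not become reachable" >&2
  return 1
}

unseal_from_file() {
  [ -r "$INIT_FILE" ] || { echo "no $INIT_FILE to unseal with" >&2; return 1; }
  vault operator unseal "$(jq -r '.unseal_keys_b64[0]' "$INIT_FILE")"
}

main() {
  wait_for_vault
  status="$(vault status -format=json || true)"   # exit 2 still prints JSON
  initialized="$(printf '%s' "$status" | jq -r .initialized)"
  sealed="$(printf '%s' "$status" | jq -r .sealed)"
  case "$(decide_action "$initialized" "$sealed")" in
    init)   vault operator init -n 1 -t 1 -format=json > "$INIT_FILE"
            chmod 600 "$INIT_FILE"; unseal_from_file ;;
    unseal) unseal_from_file ;;
    none)   echo "vault already unsealed" ;;
  esac
}

# Only bootstrap when invoked as `script run`; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Anything that must exist in every dev Vault (secrets engines, policies) can be appended to the init branch using the root token from init.json, as shown above.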
Thanks a lot, maxb, for your answer.
This is exactly what I have done and it is working fine.
In fact I save the init.json inside the PVC used for storing Vault data (the location is /vault/data) and unseal Vault upon pod restarts.