We are creating ephemeral K8s stacks for developers using Vault in dev mode for the ease of setup. We would like to have some kind of persistence on a volume (PVC) to make sure that when the pod restarts the data is still there.
Is there an easy way to start such a setup without all the fuss of init and unsealing and managing keys?
You can’t use dev mode for this, as it’s not flexible enough for that.
Instead, you should write a minimal Vault configuration file that does what you need it to, and handle the init and unseal via some wrapper scripts.
Init looks like this:
vault operator init -n 1 -t 1 -format=json > init.json
Keep init.json somewhere safe as you’ll need it to unseal.
Unseal looks like this:
vault operator unseal "`jq -r '.unseal_keys_b64[0]' init.json`"
To do some initial setup of the data stored in each dev Vault, you might want to log in using the root token in init.json and run some other commands:
export VAULT_TOKEN=$(vault login -no-store -field=token "`jq -r .root_token init.json`")
vault secrets enable <something> ...
Thanks a lot maxb for your answer,
This is exactly what I have done and it is working fine.
In fact I save the init.json inside the pvc used for storing vault data (location is /vault/data) and unseal vault upon pod restarts.
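A bootstrap wrapper that ties together the steps maxb lists and the PVC placement of init.json described in the reply above, added here as an illustration and not code from the original thread; it assumes the vault and jq binaries are on PATH, a PVC mounted at /vault/data, and placeholder paths that would be adjusted per deployment.

```shell
#!/usr/bin/env bash
# Hypothetical bootstrap wrapper for a single-node, file-backed Vault in a pod.
# Assumes vault and jq on PATH and a PVC mounted at /vault/data (placeholder).
set -eu
VAULT_DATA="${VAULT_DATA:-/vault/data}"
VAULT_CONFIG="${VAULT_CONFIG:-/vault/config/vault.hcl}"
INIT_FILE="${INIT_FILE:-$VAULT_DATA/init.json}"
export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Minimal non-dev config: file storage on the PVC, plaintext listener like dev mode.
write_vault_config() {            # $1 = config path, $2 = data dir on the PVC
  mkdir -p "$(dirname "$1")" "$2"
  cat > "$1" <<EOF
storage "file" {
  path = "$2"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}
disable_mlock = true
EOF
}
# Exit 0 when no init.json exists yet, i.e. first start on this PVC.
needs_init() { [ ! -s "$1" ]; }
# The single unseal key from init.json; the field is an array, hence the [0].
unseal_key_from() { jq -r '.unseal_keys_b64[0]' "$1"; }
# Poll `vault status`: exit 2 means sealed, 0 unsealed, anything else not ready.
wait_for_vault() {
  i=0
  while [ "$i" -lt 30 ]; do
    rc=0; vault status >/dev/null 2>&1 || rc=$?
    case "$rc" in 0|2) return 0 ;; esac
    sleep 1; i=$((i + 1))
  done
  return 1
}
main() {
  write_vault_config "$VAULT_CONFIG" "$VAULT_DATA"
  vault server -config="$VAULT_CONFIG" &
  wait_for_vault
  if needs_init "$INIT_FILE"; then
    # init.json holds the unseal key and root token: anyone who can read the PVC owns this Vault.
    vault operator init -key-shares=1 -key-threshold=1 -format=json > "$INIT_FILE"
    chmod 600 "$INIT_FILE"
  fi
  vault operator unseal "$(unseal_key_from "$INIT_FILE")" >/dev/null
  wait  # keep the pod alive on the vault server process
}
if [ "${1:-}" = "run" ]; then main; fi
```

Because init.json lives next to the data, the PVC's access controls become the trust boundary for this dev Vault; that is the trade-off for skipping key management.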