How to perform initial vault init automatically

Hi There!!!

I was evaluating the auto unseal feature released in Vault recently with various cloud provider KMS. I was doing it with AWS KMS and was able to auto unseal the vault after a restart/stop & start of the Vault processes.

I have used the k8s platform to host the Vault server workload. Now, since auto unseal is working as expected, I was looking to auto initialize the vault during initial startup, as I was doing it manually during initial setup. I googled about it and landed on the below, shared by Kelsey and Seth Vargo.


I have a couple of questions about the whole process:

  1. How can we auto initialize the Vault server (process workflow)?
  2. How do we retrieve the master key and recovery keys in case of auto init?

Thx,
Sandeep

Hello -

With Seth’s example there, you run the vault-init service as a “sidecar”. It takes the KMS key and GCP bucket as values and then polls a health endpoint of the container running Vault. If it finds the vault service is uninitialized, the sidecar process initializes Vault and encrypts the root token and keys with the KMS key and stores the keys in the configured GCP bucket. To access those values, I believe you just need to be able to download them from the bucket and decrypt them with the key.

The sidecar process will continue to poll the health endpoint, and if auto unseal is not enabled, it can optionally unseal for you.

Seth has also shared an example yaml file:

He’s also written a verbose guide here that may be worth your time:

Please let me know if this doesn’t answer your question(s).

  • Clint
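The sidecar workflow described in the reply above, as an added example (not Seth's vault-init code and not from anyone in this thread): one poll iteration against Vault's HTTP API that initializes an uninitialized server and encrypts the root token and recovery keys before they are written to storage, plus the read-back that answers question 2. It assumes a KMS seal (so `sys/init` takes recovery shares), a caller-supplied KMS encrypt/decrypt callable (for AWS that would be boto3's `kms.encrypt(...)["CiphertextBlob"]` / `kms.decrypt(...)["Plaintext"]`) and a dict standing in for the bucket; `http_json`, `init_once`, `read_recovery_keys` and `run` are my names.

```python
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# With a KMS seal, init takes recovery shares instead of unseal-key shares.
INIT_REQUEST = {"recovery_shares": 5, "recovery_threshold": 3}
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

def http_json(method: str, url: str, body: Optional[dict] = None) -> Tuple[int, dict]:
    """Real transport: (HTTP status, parsed JSON). Non-2xx is data, not an error."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def init_once(addr: str, transport: Transport, kms_encrypt: Callable[[bytes], bytes],
              bucket: Dict[str, bytes]) -> str:
    """One sidecar iteration. /sys/health answers 200 active, 429 standby,
    503 sealed, 501 not initialized (Vault's default status codes)."""
    status, _ = transport("GET", f"{addr}/v1/sys/health", None)
    if status == 501:
        _, init = transport("PUT", f"{addr}/v1/sys/init", INIT_REQUEST)
        # Root token and recovery keys exist only in this one response: encrypt
        # them with the KMS key before anything is written to the bucket.
        bucket["root-token.enc"] = kms_encrypt(init["root_token"].encode())
        keys = json.dumps(init["recovery_keys_base64"]).encode()
        bucket["recovery-keys.enc"] = kms_encrypt(keys)
        return "initialized"
    if status in (200, 429, 503):
        return "already-initialized"
    return "unreachable"

def read_recovery_keys(bucket: Dict[str, bytes], kms_decrypt: Callable[[bytes], bytes]) -> list:
    """Retrieval path: fetch the blob from the bucket and decrypt with the same KMS key."""
    return json.loads(kms_decrypt(bucket["recovery-keys.enc"]))

def run(addr: str, kms_encrypt, bucket: Dict[str, bytes], interval: float = 10.0,
        max_polls: Optional[int] = None) -> None:
    """Keep polling like the sidecar does; stop after max_polls if given."""
    polls = 0
    while max_polls is None or polls < max_polls:
        print(init_once(addr, http_json, kms_encrypt, bucket))
        polls += 1
        time.sleep(interval)
```

A sidecar would call `run("http://127.0.0.1:8200", kms_encrypt, bucket)` with a real KMS callable and replace the dict with bucket uploads; nothing plaintext should reach the bucket, which the encrypt-before-store order above enforces.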

If you use Chef, the company I work for open-sourced their Vault Chef resources which can do a lot of the Vault configuration for you. There is a reference implementation in that repo that stands up a local instance and configures roles/init/backends for you.