I was evaluating the auto-unseal feature released in Vault recently with various cloud provider KMSs. I was doing it with AWS KMS and was able to auto-unseal Vault after restarting, or stopping and starting, the Vault process.
I used the k8s platform to host the Vault server workload. Now that auto-unseal is working as expected, I was looking to auto-initialize Vault during initial startup, as I was doing it manually during the initial setup. I googled it and landed on the below, shared by Kelsey and Seth Vargo.
I have a couple of questions about the whole process:
How can we auto-initialize the Vault server (the process workflow)?
How do we retrieve the master key and recovery keys in the case of auto-init?
With Seth's example there, you run the vault-init service as a "sidecar". It takes the KMS key and GCP bucket as values and then polls a health endpoint of the container running Vault. If it finds the Vault service is uninitialized, the sidecar process initializes Vault, encrypts the root token and keys with the KMS key, and stores them in the configured GCP bucket. To access those values, I believe you just need to be able to download them from the bucket and decrypt them with the key.
The sidecar process will continue to poll the health endpoint, and if auto-unseal is not enabled, it can optionally unseal for you.
If you use Chef, the company I work for open-sourced its Vault Chef resources, which can do a lot of the Vault configuration for you. There is a reference implementation in that repo that stands up a local instance and configures roles/init/backends for you.
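The poll-then-init cycle the reply above describes, written out as an added Go example; this is not code from the thread or from vault-init itself. It uses the real Vault endpoints (GET /v1/sys/health, PUT /v1/sys/init), but so that it runs offline an httptest server stands in for Vault and a local AES-GCM routine stands in for the cloud KMS Encrypt/Decrypt calls. The recovery keys and root token the fake returns, the object names root-token.enc and recovery-keys.json.enc, and the 5-of-3 share split are constructed assumptions. On the second question in the thread: with a KMS seal, sys/init takes recovery_shares/recovery_threshold and returns recovery keys plus the initial root token; the master key is wrapped by the KMS key inside Vault and is never returned, so those two values are what the sidecar encrypts and what you later download from the bucket and decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// InitResponse: the two fields of the /v1/sys/init reply that must be protected.
// A KMS-sealed Vault returns recovery keys; the master key is never returned.
type InitResponse struct {
	RecoveryKeysB64 []string `json:"recovery_keys_base64"`
	RootToken       string   `json:"root_token"`
}

// localKMS stands in for the cloud KMS Encrypt/Decrypt calls a real sidecar
// would make: AES-GCM under a random key, so the example runs offline.
type localKMS struct{ aead cipher.AEAD }

func newLocalKMS() (*localKMS, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &localKMS{aead: aead}, nil
}

// Encrypt prefixes a fresh random nonce to the AES-GCM ciphertext.
func (k *localKMS) Encrypt(pt []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, k.aead.Seal(nil, nonce, pt, nil)...), nil
}

// Decrypt is what an operator runs after downloading an object from the bucket.
func (k *localKMS) Decrypt(ct []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(ct) < n { return nil, fmt.Errorf("ciphertext too short") }
	return k.aead.Open(nil, ct[:n], ct[n:], nil)
}

// initialized asks GET /v1/sys/health; Vault answers 501 with "initialized": false until sys/init has run.
func initialized(base string) (bool, error) {
	resp, err := http.Get(base + "/v1/sys/health")
	if err != nil { return false, err }
	defer resp.Body.Close()
	var h struct{ Initialized bool `json:"initialized"` }
	if err := json.NewDecoder(resp.Body).Decode(&h); err != nil { return false, err }
	return h.Initialized, nil
}

// EnsureInitialized is one poll cycle of the sidecar. If Vault is uninitialized it
// PUTs /v1/sys/init (recovery shares, because the seal is KMS) and returns the root
// token and the recovery keys, each KMS-encrypted, to be stored as two separate
// bucket objects. If Vault is already initialized it returns nil, nil, nil.
func EnsureInitialized(base string, kms *localKMS) (tokenCT, keysCT []byte, err error) {
	ok, err := initialized(base)
	if err != nil || ok { return nil, nil, err }
	body, _ := json.Marshal(map[string]int{"recovery_shares": 5, "recovery_threshold": 3})
	req, _ := http.NewRequest(http.MethodPut, base+"/v1/sys/init", bytes.NewReader(body))
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return nil, nil, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return nil, nil, fmt.Errorf("sys/init: %s", resp.Status) }
	var ir InitResponse
	if err = json.NewDecoder(resp.Body).Decode(&ir); err != nil { return nil, nil, err }
	if tokenCT, err = kms.Encrypt([]byte(ir.RootToken)); err != nil { return nil, nil, err }
	keysJSON, _ := json.Marshal(ir.RecoveryKeysB64)
	if keysCT, err = kms.Encrypt(keysJSON); err != nil { return nil, nil, err }
	return tokenCT, keysCT, nil
}

// fakeVault is a constructed, single-client stand-in for the two Vault endpoints
// used above; the recovery keys and root token it hands out are made-up values.
func fakeVault() *httptest.Server {
	inited := false
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/health", func(w http.ResponseWriter, _ *http.Request) {
		if !inited { w.WriteHeader(http.StatusNotImplemented) }
		json.NewEncoder(w).Encode(map[string]bool{"initialized": inited})
	})
	mux.HandleFunc("/v1/sys/init", func(w http.ResponseWriter, _ *http.Request) {
		if inited { http.Error(w, "Vault is already initialized", http.StatusBadRequest); return }
		inited = true
		json.NewEncoder(w).Encode(InitResponse{RecoveryKeysB64: []string{"k1", "k2", "k3", "k4", "k5"}, RootToken: "s.constructed-root-token"})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := fakeVault()
	defer srv.Close()
	kms, err := newLocalKMS()
	if err != nil { panic(err) }
	tokenCT, keysCT, err := EnsureInitialized(srv.URL, kms)
	fmt.Println(len(tokenCT), len(keysCT), err) // sizes of root-token.enc and recovery-keys.json.enc
}
```

The polling loop and the bucket upload are left out: run EnsureInitialized on a ticker and write the two byte slices to the bucket with whatever SDK the deployment uses. Keeping the root token and the recovery keys as separate objects lets you grant read access to one without the other, and the second call in the test shows the cycle is a no-op once Vault reports initialized, so a restarted sidecar never re-runs sys/init.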