Pre-provisioning of vault


I am using Vault for my application, deployed with the official Helm chart and Docker image. After deployment I execute a script to provision resources (e.g. policies, kv secrets, a database with roles) through kubectl commands.
As this provisioning is static, I was wondering if I could build my own Docker image from the official one that embeds the provisioning. It would avoid executing a script once Vault is up.
Is there any way to do this? E.g. add a file in the Dockerfile containing the provisioning that will automatically be taken into account at deployment.

Thanks a lot for your help!

Well, Vault isn't a database; from the sound of it you may be better off looking at Consul for something like that.

That said, there is no technical reason why you can’t… but just keep in mind that if you do that you’d expose your unseal keys and root token to anyone who has access to the container.

If you were to export them then anyone who has access to the export or container would get them.

Lastly, if you were to just delete them after unsealing then you would be in danger of not being able to unseal or recover the data in case something broke – which, as a docker image, it will.

If you're going to continue with Vault then the best option is to use something like Terraform, Ansible or Chef to bring it up to spec after the proper init process.
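The kind of post-init provisioning the reply above recommends, written as an added example with Terraform's Vault provider (this is not code from the thread or from any HashiCorp project). It covers the three resource types the question lists: a policy, a kv secret and a database secrets engine with a role. Mount paths, policy and role names, the PostgreSQL connection URL and the variable names are all assumptions; the admin token and address are taken from VAULT_ADDR and VAULT_TOKEN in the environment rather than from anything baked into an image.

```hcl
# Added example (not from the thread): provision Vault with Terraform after
# `vault operator init` and unseal have been done the normal way.
# Assumptions: VAULT_ADDR and a short-lived admin VAULT_TOKEN are exported in the
# shell that runs `terraform apply`; all paths and names below are hypothetical.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# No address or token in source: the provider reads VAULT_ADDR / VAULT_TOKEN and
# works with a short-lived child token it creates for its own operations.
provider "vault" {}

# Secret values come in as sensitive variables, never as literals in the repo.
variable "api_key" {
  type      = string
  sensitive = true
}

variable "db_admin_password" {
  type      = string
  sensitive = true
}

# Least-privilege policy for the application: read one kv path and one DB role.
resource "vault_policy" "app" {
  name   = "myapp"
  policy = <<-EOT
    path "secret/data/myapp/*" {
      capabilities = ["read"]
    }
    path "database/creds/myapp-rw" {
      capabilities = ["read"]
    }
  EOT
}

# KV v2 mount and a static application secret under it.
resource "vault_mount" "kv" {
  path    = "secret"
  type    = "kv"
  options = { version = "2" }
}

resource "vault_kv_secret_v2" "app_config" {
  mount     = vault_mount.kv.path
  name      = "myapp/config"
  data_json = jsonencode({ api_key = var.api_key })
}

# Database secrets engine: Vault holds the DB admin credential and mints
# short-lived per-role credentials for the app (PostgreSQL URL is assumed).
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "pg" {
  backend       = vault_mount.db.path
  name          = "appdb"
  allowed_roles = ["myapp-rw"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@db.example.internal:5432/app?sslmode=require"
    username       = "vault_admin"
    password       = var.db_admin_password
  }
}

# Credentials issued under this role expire on their own (1h default, 24h max),
# which is the point of letting Vault manage the database instead of shipping a
# password in an image.
resource "vault_database_secret_backend_role" "app_rw" {
  backend     = vault_mount.db.path
  name        = "myapp-rw"
  db_name     = vault_database_secret_backend_connection.pg.name
  default_ttl = 3600
  max_ttl     = 86400
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```

Run `terraform apply` once with an admin token after init and unseal, then revoke the root token (Vault's own guidance after initial setup) and keep the Terraform state somewhere with the same access controls as Vault itself, since it will contain the variable values. Every later change to policies, secrets or roles is another `terraform apply` against the running server, so the image never needs to carry an unseal key or a token.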

Hi Aram,

Thanks for your quick answer. I did not realize that the root token would be necessary and then exposed when accessing the container.

I will use a proper tool for provisioning after setup.

Best regards,