Hi,
I’m deploying Vault into Kubernetes with the official Vault Helm chart. For our production environment we want to use manual unseal (as opposed to auto-unseal with Google KMS keys in dev).
The problem I’m facing is that I have to exec into each of the Vault replicas and manually unseal each of them, and if a pod dies I have to manually unseal it again when it comes back up. So I’m wondering if there is a way to “share” the unseal between the replicas rather than repeating the same steps for each replica.
My configuration:
# api_addr is the URL other nodes advertise to clients for redirects; note it is
# https:// while the listener below has TLS disabled, so redirected clients would
# be sent to a scheme this listener does not serve.
api_addr = "https://POD_ID"
# The parameter Vault reads is cluster_addr (not cluster_address); an unknown key
# is not applied. cluster_addr is the address *this* node advertises to the other
# nodes for request forwarding, so it should be the node's own address, not the
# shared Service address.
cluster_addr = "https://$(VAULT_SERVICE_HOST):8201"
ui = true
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
}
storage "gcs" {
  bucket = "some-bucket"
  ha_enabled = "true"
}
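One way to take the repetition out of the manual step, without changing the security model, is a small script run from the key holders' session that checks each replica's seal status and feeds shares only to the pods that are actually sealed. This is an added example for the thread, not code from the original post or from the official Vault Helm chart. The namespace "vault", the pod label selector, the VAULT_UNSEAL_KEYS environment variable (shares one per line) and the --run flag are all assumptions; the only Vault facts it relies on are that `vault status -format=json` reports a `sealed` field and exits with code 2 on a sealed node, and that `vault operator unseal KEY` accepts one share per call.

```shell
#!/usr/bin/env sh
# Added example for this thread; not code from the original post or from the
# official Vault Helm chart. Assumptions (hypothetical): the release runs in
# namespace "vault" with pods labelled app.kubernetes.io/name=vault, the key
# holders have placed the unseal key shares one per line in VAULT_UNSEAL_KEYS,
# and VAULT_ADDR inside each pod points at that pod's own node.
set -eu

NAMESPACE="${VAULT_NAMESPACE:-vault}"
SELECTOR="${VAULT_POD_SELECTOR:-app.kubernetes.io/name=vault}"

# is_sealed JSON: succeed when `vault status -format=json` output says sealed.
# grep only, so it also works where jq is not installed.
is_sealed() {
  printf '%s' "$1" | grep -Eq '"sealed"[[:space:]]*:[[:space:]]*true'
}

# is_initialized JSON: a node that is not initialized cannot be unsealed yet;
# an empty string (pod unreachable) also counts as not initialized.
is_initialized() {
  printf '%s' "$1" | grep -Eq '"initialized"[[:space:]]*:[[:space:]]*true'
}

# status_json POD: `vault status` exits 2 on a sealed node, so ignore the exit
# code and keep whatever JSON came back.
status_json() {
  kubectl -n "$NAMESPACE" exec "$1" -- vault status -format=json 2>/dev/null || true
}

# unseal_pod POD: feed shares one at a time and stop as soon as the node
# reports unsealed, so no more shares than the threshold are ever sent.
unseal_pod() {
  pod="$1"
  printf '%s\n' "$VAULT_UNSEAL_KEYS" | while IFS= read -r key; do
    [ -n "$key" ] || continue
    is_sealed "$(status_json "$pod")" || break
    # The share is passed as an argument to the in-pod vault CLI; it is not
    # written to disk by this script.
    kubectl -n "$NAMESPACE" exec "$pod" -- vault operator unseal "$key" >/dev/null
  done
  if is_sealed "$(status_json "$pod")"; then
    echo "$pod: still sealed after all shares (wrong shares or threshold not met)" >&2
    return 1
  fi
  echo "$pod: unsealed"
}

# main: walk every Vault pod and unseal only the ones that need it.
main() {
  : "${VAULT_UNSEAL_KEYS:?export the unseal key shares, one per line}"
  command -v kubectl >/dev/null || { echo "kubectl not found" >&2; return 1; }
  rc=0
  for pod in $(kubectl -n "$NAMESPACE" get pods -l "$SELECTOR" \
                 -o jsonpath='{.items[*].metadata.name}'); do
    st="$(status_json "$pod")"
    if ! is_initialized "$st"; then
      echo "$pod: not initialized or unreachable, skipping" >&2
      continue
    fi
    if is_sealed "$st"; then
      unseal_pod "$pod" || rc=1
    else
      echo "$pod: already unsealed"
    fi
  done
  return "$rc"
}

# Only run when invoked as `sh unseal-all.sh --run`, so the functions can also
# be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Two caveats worth keeping in mind. First, the seal is per node: with the GCS HA backend every replica keeps its own copy of the master key in memory, so there is nothing to "share" and each pod that restarts is sealed until it receives a threshold of shares again; the script removes the per-pod exec, not the key-holder step, and a pod that restarts at night still waits for someone to run it. Second, the shares have to exist wherever this runs, which is exactly the exposure manual unseal is chosen to keep out of the cluster; run it from the key holders' own session, unset VAULT_UNSEAL_KEYS afterwards, and do not bake it into a CronJob or an init container, since that would be auto-unseal with a far weaker key store than a KMS.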