What does the workflow currently look like when initialising Vault on K8s entirely through automation? Vault needs to be initialised, then unsealed, and then configured with auth backends and secrets engines. In my mind, I had something like this:
- Deploy resources to support Vault - initialise Postgres for use with the Postgres storage backend or such
- Deploy HA Vault on K8s
- Have an offline workflow to init and unseal Vault -> how does one do this efficiently?

I was thinking of deploying Vault and then writing another tool which unseals it after a Vault deployment, and to run this automatically after every Vault deployment.
How will a root token (or a sufficiently privileged token) be transferred to this tool?
Is there any standard that needs to be followed here?