Vault initialisation in Kubernetes

What does the workflow currently look like when initialising Vault on K8s completely using automation? Vault needs to be inited, then unsealed, and then configured with auth backends and secrets engines. In my mind, I had something like this:

  1. Deploy resources to support Vault - initialise postgres to use with postgres storage backend or such
  2. Deploy HA vault on k8s
  3. Have an offline workflow to init and unseal Vault -> how does one do this efficiently?

I was thinking of deploying Vault and then writing another tool which inits and unseals it after a Vault deployment, and to run this automatically after every Vault deployment.

How will a root-token (or a sufficiently privileged token) be transferred to this tool?
Is there any standard that needs to be followed here?


This is what I did at a customer: We created a “vault-initializer” helm chart, with a dependency on the official Vault chart.

The “vault-initializer” chart contained a kubernetes job with a sync-hook annotation (or something similar, we were using ArgoCD), and that job did the initial configuration and stored the root token in an AWS secret.

We used AWS auto-unseal, in order to avoid having to unseal manually. Nevertheless, this approach could be used to store the unseal key in an AWS secret as well (if you don’t want auto-unseal).
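As an added illustration of the init/unseal step from the question (step 3) and the re-runnable Job from the reply above (example code, not the poster's chart or HashiCorp's), here is a small Python helper that talks to the Vault HTTP API (`sys/init`, `sys/seal-status`, `sys/unseal`) and is idempotent, so it can run after every deployment. The secret store is abstracted as `put_secret`/`get_secret` callables (assumed names; in the Job they would wrap AWS Secrets Manager), and `VAULT_ADDR` is assumed to point at the in-cluster Vault service.

```python
import json
import os
import urllib.request
from typing import Callable, Dict, List

# Hypothetical bootstrap helper for a Kubernetes Job; not the poster's chart.
VaultRequest = Callable[[str, str, dict], dict]  # (method, api_path, body) -> JSON


def http_vault_request(addr: str) -> VaultRequest:
    """Minimal stdlib client for the Vault HTTP API (no third-party deps)."""
    def request(method: str, path: str, body: dict = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}  # 204 No Content -> {}
    return request


def init_and_unseal(vault: VaultRequest, put_secret: Callable[[str, str], None],
                    get_secret: Callable[[str], str], shares: int = 5,
                    threshold: int = 3, prefix: str = "vault") -> Dict[str, object]:
    """Idempotent: init once, persist keys/token, unseal only if still sealed."""
    initialized_now = False
    if not vault("GET", "sys/init", None).get("initialized"):
        init = vault("PUT", "sys/init",
                     {"secret_shares": shares, "secret_threshold": threshold})
        # Persist BEFORE unsealing: if the pod dies here nothing is lost and a
        # re-run picks the keys up from the secret store instead of re-initing.
        put_secret(f"{prefix}/root-token", init["root_token"])
        put_secret(f"{prefix}/unseal-keys", json.dumps(init["keys_base64"]))
        initialized_now = True
    keys: List[str] = json.loads(get_secret(f"{prefix}/unseal-keys"))
    used, status = 0, vault("GET", "sys/seal-status", None)
    while status.get("sealed", True):  # each PUT submits one key share
        if used >= len(keys):
            raise RuntimeError("ran out of unseal keys while Vault is still sealed")
        status = vault("PUT", "sys/unseal", {"key": keys[used]})
        used += 1
    return {"initialized_now": initialized_now, "unseal_keys_used": used,
            "sealed": bool(status.get("sealed"))}


if __name__ == "__main__":  # inside the Job, VAULT_ADDR is the Vault service URL
    store: Dict[str, str] = {}  # swap for AWS Secrets Manager / a K8s Secret
    print(init_and_unseal(http_vault_request(os.environ["VAULT_ADDR"]),
                          store.__setitem__, store.__getitem__))
```

With auto-unseal enabled (as in the reply), `sys/seal-status` already reports `sealed: false` after init, so the loop never runs and only the root token needs storing.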