Vault initialisation in Kubernetes

What does the workflow currently look like for initialising Vault on K8s entirely through automation? Vault needs to be inited, then unsealed, then configured with auth backends and secrets engines. In my mind, I had something like this:

  1. Deploy resources to support Vault - initialise postgres to use with postgres storage backend or such
  2. Deploy HA vault on k8s
  3. Have an offline workflow to init and unseal Vault -> how does one do this efficiently?

I was thinking of deploying Vault and then writing another tool which inits and unseals it after a Vault deployment, and to run this automatically after every Vault deployment.

How will a root token (or a sufficiently privileged token) be transferred to this tool?
Is there any standard that needs to be followed here?

Hi,

This is what I did at a customer: we created a “vault-initializer” helm chart, with a dependency on the official Vault chart.

The “vault-initializer” chart contained a kubernetes job with a sync-hook annotation (or something similar, we were using ArgoCD), and that job did the initial configuration and stored the root token in an AWS secret.

We used AWS auto-unseal, in order to avoid having to unseal manually. Nevertheless, this approach could be used to store the unseal key in an AWS secret as well (if you don’t want auto-unseal).


Hello Jeroen,

Is that helm chart private or public?

Thanks

Hello @krish7919
Today I spent all day looking for the answer to your question. The documentation is not clear and nobody answers clearly on the forum.

Which order should be followed to install, initialize and unseal Vault?

Thanks & Regards

Wow, I had asked that in Sep 2020!

We have moved past that a long time ago. I basically wrote a script from scratch which would init a new Vault instance and store the unseal keys/root token safely. If the instance has been inited before, it connects to the storage to fetch the Vault unseal keys (you can use something like AWS Secrets Manager or such). This is run as a pre-start script from the Vault Helm chart.

I cannot share the script as we have migrated away from Vault to AWS IAM mostly, but it should be quite straightforward to write one.

It will be a private chart, I think.
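A sketch of the init-once / unseal-on-restart logic that both the “vault-initializer” job and the pre-start script above describe, added here as an example; it is not the poster's script or HashiCorp's code. It assumes Vault's HTTP API (`/sys/seal-status`, `/sys/init`, `/sys/unseal`) is reachable at the address passed in, and that `load_secret` / `save_secret` are hypothetical callables wrapping whatever secret store you use (for instance AWS Secrets Manager).

```python
"""Init-once / unseal-on-restart hook for Vault's HTTP API.

Assumptions (not from the thread): the address points at a reachable Vault,
and load_secret/save_secret are hypothetical callables over your secret store
(for instance AWS Secrets Manager). Only the Vault API paths are real."""
import json
import urllib.request

SHARES, THRESHOLD = 5, 3  # constructed Shamir parameters for the example


def vault_call(addr, path, payload=None):
    """GET (no payload) or PUT (JSON payload) against /v1/<path>."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data,
                                 method="PUT" if data else "GET",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decide(seal_status):
    """Map /sys/seal-status output to the action a pre-start hook must take."""
    if not seal_status.get("initialized"):
        return "init"
    return "unseal" if seal_status.get("sealed") else "noop"


def keys_to_submit(unseal_keys, threshold):
    """Submit exactly `threshold` shares; fail loudly if the store has too few."""
    if len(unseal_keys) < threshold:
        raise ValueError("not enough unseal shares in the secret store")
    return list(unseal_keys)[:threshold]


def ensure_ready(addr, load_secret, save_secret, call=vault_call):
    """Return the action taken: 'init' (then unseal), 'unseal', or 'noop'.

    The root token is persisted only so the initializer job can configure auth
    backends and secrets engines; revoke it once that configuration is done."""
    action = decide(call(addr, "sys/seal-status"))
    if action == "init":
        out = call(addr, "sys/init",
                   {"secret_shares": SHARES, "secret_threshold": THRESHOLD})
        save_secret({"unseal_keys": out["keys_base64"],
                     "root_token": out["root_token"]})
    if action != "noop":
        for key in keys_to_submit(load_secret()["unseal_keys"], THRESHOLD):
            if not call(addr, "sys/unseal", {"key": key})["sealed"]:
                break  # threshold reached, Vault reports unsealed
    return action
```

Running `ensure_ready` on every pod start is what makes the hook idempotent: a fresh cluster gets inited and its shares stored, a restarted one only fetches the shares and unseals, and an already-unsealed one is left alone.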