A kubernetes controller that can auto unseal vault pods.
Use the label vault-unsealer.bakito.net/stateful-set to unseal a kubernetes vault statefulset in the same namespace
Example:
labels:
vault-unsealer.bakito.net/stateful-set: vaultUse the label vault-unsealer.bakito.net/external flag a secret for usage to handle external vaults. The value specifies the seal check interval duration
Use the annotation vault-unsealer.bakito.net/external-source to define a vault where the unseal keys are stored
Use the annotation vault-unsealer.bakito.net/external-targets to define the vaults to be unsealed. The value is semicolon separated
labels:
vault-unsealer.bakito.net/external: '5m'
annotations:
vault-unsealer.bakito.net/external-source: https://vault.bakito.org:8200
vault-unsealer.bakito.net/external-targets: https://vault-1.bakito.org:8200;https://vault-2.bakito.org:8200Secrets must use one of the labels or annotations described above.
Unseal keys can directly be stored in a secret.
The keys must have the prefix unsealKey.
apiVersion: v1
kind: Secret
metadata:
labels:
vault-unsealer.bakito.net/stateful-set: vault
name: vault-unsealer-config
type: Opaque
data:
unsealKey1: <...>
unsealKey2: <...>
unsealKey3: <...>
unsealKey4: <...>
unsealKey5: <...>If the unseal keys are stored in vault itself, userpass
access can be configured.
| Key | Description |
|---|---|
| username | The username for vault userpass access. |
| password | The password for vault userpass access. |
| mountPath | The vault mount path. Optional. |
| secretPath | The secret path within vault . Do NOT add the /data path element as it is required by the vault cli or API. |
apiVersion: v1
kind: Secret
metadata:
labels:
vault-unsealer.bakito.net/stateful-set: vault
name: vault-unsealer-config-userpass
type: Opaque
data:
username: <...>
password: <...>
mountPath: <...>
secretPath: <...># Get Token
vault login -method=userpass username=<username>
# Read the secret (for kv version 2 '/data' must be added to the secret path,
# but only for the cli, not the unsealer secret)
vault read kv/data/unsealerAnother option to access unseal keys stored in vault is to
use kubernetes auth, where the service account of the
unsealer must be granted access to vault.
| Key | Description |
|---|---|
| role | The role the kubernetes service account is assigned to. |
| mountPath | The vault mount path. Optional. |
| secretPath | The secret path within vault . Do NOT add the /data path element as it is required by the vault cli or API. |
apiVersion: v1
kind: Secret
metadata:
labels:
vault-unsealer.bakito.net/stateful-set: vault
name: vault-unsealer-config-kubernetes
type: Opaque
data:
role: <...>
mountPath: <...>
secretPath: <...># Get Token
vault write auth/kubernetes/login role=<role> jwt=<k8s-token>
# Login wit received vault token
vault login
# Read the secret (for kv version 2 '/data' must be added to the secret path,
# but only for the cli, not the unsealer secret)
vault read kv/data/unsealer# allow access to read the secret
path "path/to/your/unseal/secret" {
capabilities = ["read"]
}
# allow access to read the mounts (used to check the kv version of the secret engine)
path "sys/mounts" {
capabilities = ["read"]
}