wiki:k8s/HashiCorpVault

Vaultメモ

VaultのHelmで普通にインストールすると、手動で初期化とUnseal(キーの入力)が必要となる。下記のスクリプトを利用すれば、Vault起動時に初期化とUnsealを行い、手動での設定をスキップすることができる。ただし、このスクリプトは初期化時の出力(Unseal Keyなど)を平文で /vault/data/seal-keys に保存するため、検証環境向けの手順であり、本番環境ではAuto Unseal等を検討すること。

values.yaml

server:
  # The chart's own readiness probe is turned off; the unseal is driven by
  # the postStart hook below instead.  NOTE(review): without a probe the pod
  # is reported Ready even if the hook's unseal failed -- verify with
  # `vault status` after rollout.
  readinessProbe:
    enabled: false
  # Runs init-unseal.sh when the container starts.  The path is where the
  # `myscript` ConfigMap from extraVolumes is mounted: <path>/<name>/<file>.
  postStart:
    - sh
    - /vault/userconfig/myscript/init-unseal.sh
  # ConfigMap holding init-unseal.sh (see the kubectl create configmap
  # command at the bottom of the page); the name must match `myscript`
  # in the postStart path above.
  extraVolumes:
    - type: configMap
      name: myscript
      path: /vault/userconfig

init-unseal.sh

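#!/bin/sh
#
# Initialise and unseal a Vault server from the pod's postStart hook.
#
# Flow:
#   1. wait until `vault status` stops returning 1 (server not reachable yet);
#      exit code 0 (unsealed) or 2 (sealed) both mean the API is up
#   2. run `vault operator init`; on success keep its output (the unseal keys
#      and the initial root token) in /vault/data/seal-keys, on failure
#      (typically: already initialised) discard the temp file and reuse the
#      keys kept by an earlier run
#   3. feed the three unseal keys back to `vault operator unseal`
#
# NOTE(review): the unseal keys are stored in plaintext on the same volume as
# the Vault data, so anyone who can read that volume can also unseal it.
# This is acceptable for a lab/dev cluster only; for anything else use
# auto-unseal (KMS/Transit) and do not persist the init output next to
# the data.
#
# POSIX sh only: the container runs this with `sh`, so no bashisms ([[ ]]).

KEY_FILE=/vault/data/seal-keys
TMP_FILE=/home/vault/init-tmp

# Files written below contain secrets: create them owner-readable only.
umask 077

# Wait until the vault server answers.
# `vault status` exits 1 on connection error, 0 when unsealed, 2 when sealed.
while true; do
        vault status
        [ "$?" -eq 1 ] || break
done

# Initialize vault. Keep the output only if init succeeded; a failed init
# (e.g. already initialised) must not clobber the keys from a previous run.
if vault operator init -key-shares=3 > "$TMP_FILE"; then
        mv "$TMP_FILE" "$KEY_FILE"
else
        rm -f "$TMP_FILE"
fi

# Without a key file there is nothing to unseal with: fail loudly instead of
# calling `vault operator unseal` with empty arguments.
if [ ! -r "$KEY_FILE" ]; then
        echo "init-unseal: $KEY_FILE not found, cannot unseal" >&2
        exit 1
fi

# Unseal: the init output has one line per share, "Unseal Key N: <key>".
# sed -n/p prints only the matching line with the prefix stripped, so the
# GNU-only `/i` flag is no longer needed.
for i in 1 2 3; do
        key=$(sed -n "s/^Unseal Key $i: //p" "$KEY_FILE")
        vault operator unseal "$key"
done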
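# One-off bootstrap: namespace, the script as a ConfigMap, then the chart.
# The ConfigMap name (myscript) and the file name (init-unseal.sh) must match
# server.extraVolumes / server.postStart in values.yaml.
kubectl create ns vault
kubectl create configmap myscript --from-file=init-unseal.sh -n vault
# Release name was misspelled ("vaullt"); the chart release is "vault".
helm install vault hashicorp/vault -n vault -f values.yaml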