| | 1 | = Vaultメモ |
| | 2 | VaultのHelmで普通にインストールすると、手動で初期化とUnseal(キーの入力)が必要となる。 |
| | 3 | 下記のスクリプトを利用すれば、Vault起動時に初期化とunsealを行い、手動でのConfigをスキップすることができる。 |
| | 4 | |
| | 5 | |
| | 6 | == vaules.yaml |
| | 7 | |
| | 8 | {{{ |
| | 9 | server: |
| | 10 | readinessProbe: |
| | 11 | enabled: false |
| | 12 | postStart: |
| | 13 | - sh |
| | 14 | - /vault/userconfig/myscript/init-unseal.sh |
| | 15 | extraVolumes: |
| | 16 | - type: configMap |
| | 17 | name: myscript |
| | 18 | path: /vault/userconfig |
| | 19 | }}} |
| | 20 | |
| | 21 | == init-unseal.sh |
| | 22 | |
| | 23 | {{{ |
| | 24 | #!/bin/sh |
| | 25 | |
| | 26 | sleep 5 |
| | 27 | vault operator init -key-shares=3 > /home/vault/init-tmp |
| | 28 | if [ $? -eq 0 ] |
| | 29 | then |
| | 30 | mv /home/vault/init-tmp /vault/data/seal-keys |
| | 31 | else |
| | 32 | rm /home/vault/init-tmp |
| | 33 | fi |
| | 34 | for i in 1 2 3 |
| | 35 | do |
| | 36 | vault operator unseal $(grep "Key $i" /vault/data/seal-keys |sed 's/Unseal Key '$i': //i') |
| | 37 | done |
| | 38 | kubectl create configmap myscript --from-file=init-unseal.sh -nvault |
| | 39 | }}} |
| | 40 | |
| | 41 | {{{ |
| | 42 | kubectl create ns vault |
| | 43 | kubectl create configmap myscript --from-file=init-unseal.sh -nvault |
| | 44 | helm install vault hashicorp/vault -nvault -f values.yaml |
| | 45 | }}} |
