| 1 | = Vaultメモ |
| 2 | VaultのHelmで普通にインストールすると、手動で初期化とUnseal(キーの入力)が必要となる。 |
| 3 | 下記のスクリプトを利用すれば、Vault起動時に初期化とunsealを行い、手動でのConfigをスキップすることができる。 |
| 4 | |
| 5 | |
| 6 | == vaules.yaml |
| 7 | |
| 8 | {{{ |
| 9 | server: |
| 10 | readinessProbe: |
| 11 | enabled: false |
| 12 | postStart: |
| 13 | - sh |
| 14 | - /vault/userconfig/myscript/init-unseal.sh |
| 15 | extraVolumes: |
| 16 | - type: configMap |
| 17 | name: myscript |
| 18 | path: /vault/userconfig |
| 19 | }}} |
| 20 | |
| 21 | == init-unseal.sh |
| 22 | |
| 23 | {{{ |
| 24 | #!/bin/sh |
| 25 | |
| 26 | sleep 5 |
| 27 | vault operator init -key-shares=3 > /home/vault/init-tmp |
| 28 | if [ $? -eq 0 ] |
| 29 | then |
| 30 | mv /home/vault/init-tmp /vault/data/seal-keys |
| 31 | else |
| 32 | rm /home/vault/init-tmp |
| 33 | fi |
| 34 | for i in 1 2 3 |
| 35 | do |
| 36 | vault operator unseal $(grep "Key $i" /vault/data/seal-keys |sed 's/Unseal Key '$i': //i') |
| 37 | done |
| 38 | kubectl create configmap myscript --from-file=init-unseal.sh -nvault |
| 39 | }}} |
| 40 | |
| 41 | {{{ |
| 42 | kubectl create ns vault |
| 43 | kubectl create configmap myscript --from-file=init-unseal.sh -nvault |
| 44 | helm install vault hashicorp/vault -nvault -f values.yaml |
| 45 | }}} |