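# Optional lab auto-unseal: becomes active once Vault is initialized and the
# Secret `vault-unseal-key` exists. Until then every run is a no-op (the Secret
# volume is optional and the script exits 0 when /secrets/key is absent).
#
# 1) vault operator init -key-shares=1 -key-threshold=1   # lab only — a single share
#    (this also prints the initial root token; never store it in this Secret)
# 2) kubectl -n vault create secret generic vault-unseal-key --from-literal=key='YOUR_UNSEAL_KEY'
# 3) kubectl apply -f clusters/noble/apps/vault/unseal-cronjob.yaml
#
# Vault has no Kubernetes-native seal, and KMS/transit auto-unseal needs an
# external key service, so this lab CronJob runs `vault operator unseal`
# whenever the server reports sealed. Keep the threat model in mind:
#  - Anyone who can read Secrets in namespace `vault` (or etcd at rest) holds
#    the only Shamir share and can unseal Vault. Lock this down with RBAC and
#    encrypt Secrets at rest.
#  - VAULT_ADDR below is plain http, so the share crosses the cluster network in
#    clear text; switch to https (and set VAULT_CACERT) once the listener has TLS.
#  - Prefer cloud KMS / transit auto-unseal for anything beyond a lab.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-auto-unseal
  namespace: vault
spec:
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  # If the controller misses a tick by more than a minute, skip it instead of
  # queueing a backlog of identical runs.
  startingDeadlineSeconds: 60
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      # A run must finish inside the one-minute schedule; otherwise
      # concurrencyPolicy: Forbid would let one hung CLI call block every later
      # tick (the vault client's own default timeout is 60s).
      activeDeadlineSeconds: 50
      backoffLimit: 1
      template:
        spec:
          restartPolicy: OnFailure
          # The script never talks to the Kubernetes API, so give it no SA token.
          automountServiceAccountToken: false
          securityContext:
            runAsNonRoot: true
            runAsUser: 100   # the `vault` user in the hashicorp/vault image
            runAsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: unseal
              # A tag is mutable; pin by digest (image@sha256:...) once the lab settles.
              image: hashicorp/vault:1.21.2
              imagePullPolicy: IfNotPresent
              securityContext:
                allowPrivilegeEscalation: false
                # The CLI only reads (/secrets/key, $HOME/.vault-token); nothing is written.
                readOnlyRootFilesystem: true
                capabilities:
                  drop:
                    - ALL
              resources:
                requests:
                  cpu: 50m
                  memory: 64Mi
                limits:
                  cpu: 250m
                  memory: 256Mi
              env:
                - name: VAULT_ADDR
                  value: http://vault.vault.svc:8200
              command:
                - /bin/sh
                - -ec
                - |
                  # No share mounted yet (Secret is optional): nothing to do.
                  test -f /secrets/key || exit 0
                  # `vault status` exits 0 when unsealed, 2 when sealed and 1 on
                  # error; keep its JSON for the flags and swallow the exit code.
                  status="$(vault status -format=json 2>/dev/null || true)"
                  # The JSON is indented ("initialized": true — space after the
                  # colon), so the match must tolerate whitespace; a literal
                  # '"initialized":true' never matches and the job would silently
                  # exit 0 every minute without ever unsealing.
                  printf '%s\n' "$status" | grep -Eq '"initialized":[[:space:]]*true' || exit 0
                  printf '%s\n' "$status" | grep -Eq '"sealed":[[:space:]]*false' && exit 0
                  # Hand the share to the CLI on stdin (it reads a line when stdin
                  # is not a tty) instead of argv, so it never appears in
                  # /proc/*/cmdline or `ps` output.
                  vault operator unseal < /secrets/key
              volumeMounts:
                - name: unseal
                  mountPath: /secrets
                  readOnly: true
          volumes:
            - name: unseal
              secret:
                secretName: vault-unseal-key
                # Optional so the CronJob can be applied before step 2 above.
                optional: true
                items:
                  - key: key
                    path: key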