64 lines
2.2 KiB
YAML
64 lines
2.2 KiB
YAML
# Optional lab auto-unseal: applies after Vault is initialized and Secret `vault-unseal-key` exists.
|
|
#
|
|
# 1) vault operator init -key-shares=1 -key-threshold=1 (lab only — single key)
|
|
# 2) kubectl -n vault create secret generic vault-unseal-key --from-literal=key='YOUR_UNSEAL_KEY'
|
|
# 3) kubectl apply -f clusters/noble/apps/vault/unseal-cronjob.yaml
|
|
#
|
|
# OSS Vault has no Kubernetes/KMS seal; this CronJob runs vault operator unseal when the server is sealed.
|
|
# Protect the Secret with RBAC; prefer cloud KMS auto-unseal for real environments.
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
name: vault-auto-unseal
|
|
namespace: vault
|
|
spec:
|
|
concurrencyPolicy: Forbid
|
|
successfulJobsHistoryLimit: 1
|
|
failedJobsHistoryLimit: 3
|
|
schedule: "*/1 * * * *"
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 100
|
|
runAsGroup: 1000
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
containers:
|
|
- name: unseal
|
|
image: hashicorp/vault:1.21.2
|
|
imagePullPolicy: IfNotPresent
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
env:
|
|
- name: VAULT_ADDR
|
|
value: http://vault.vault.svc:8200
|
|
command:
|
|
- /bin/sh
|
|
- -ec
|
|
- |
|
|
test -f /secrets/key || exit 0
|
|
status="$(vault status -format=json 2>/dev/null || true)"
|
|
echo "$status" | grep -q '"initialized":true' || exit 0
|
|
echo "$status" | grep -q '"sealed":false' && exit 0
|
|
vault operator unseal "$(cat /secrets/key)"
|
|
volumeMounts:
|
|
- name: unseal
|
|
mountPath: /secrets
|
|
readOnly: true
|
|
volumes:
|
|
- name: unseal
|
|
secret:
|
|
secretName: vault-unseal-key
|
|
optional: true
|
|
items:
|
|
- key: key
|
|
path: key
|