
Unsealer

Unsealer automates initializing and unsealing a Vault instance running in a Kubernetes cluster. It also provides facilities to store the unseal keys and root token securely.

spec.unsealer

To use Unsealer, specify spec.unsealer in the VaultServer CRD.

spec:
  unsealer:
    secretShares: <num_of_secret_shares>
    secretThreshold: <num_of_secret_threshold>
    retryPeriodSeconds: <retry_period>
    overwriteExisting: <true/false>
    mode:
      ...

unsealer.secretShares

unsealer.secretShares is an optional field that specifies the number of shares to split the master key into. It accepts an integer value. The default value is 5.

spec:
  unsealer:
    secretShares: 4

Note: unsealer.secretShares must be greater than 1.

unsealer.secretThreshold

unsealer.secretThreshold is an optional field that specifies the number of keys required to unseal Vault. It accepts an integer value. The default value is 3.

spec:
  unsealer:
    secretThreshold: 2

Note: unsealer.secretThreshold must be a positive integer and less than or equal to unsealer.secretShares.

unsealer.retryPeriodSeconds

unsealer.retryPeriodSeconds is an optional field that specifies how often Unsealer will attempt to unseal the Vault instance. It accepts an integer value. The default value is 10.

spec:
  unsealer:
    retryPeriodSeconds: 15

unsealer.overwriteExisting

unsealer.overwriteExisting is an optional field that specifies whether Unsealer will overwrite existing unseal keys and the root token (if any are already stored). It accepts a boolean value. The default value is false.

spec:
  unsealer:
    overwriteExisting: true

unsealer.mode

unsealer.mode is a required field that specifies which mode to use to store the unseal keys and root token.

spec:
  unsealer:
    mode:
    ...

List of supported modes: