Unsealer
Unsealer automates the process of initializing and unsealing Vault running in a Kubernetes cluster. It also provides facilities to store the unseal keys and root token securely.
Configuring Unsealer
To use Unsealer, configure the spec.unsealer field in the VaultServer CRD.
spec:
  unsealer:
    secretShares: <num_of_secret_shares>
    secretThreshold: <num_of_secret_threshold>
    retryPeriodSeconds: <retry_period>
    overwriteExisting: <true/false>
    mode:
      ...
Here, we are going to describe the various attributes of the spec.unsealer field.
unsealer.secretShares
unsealer.secretShares is an optional field that specifies the number of shares to split the master key into. It accepts an integer value. The default value is 5.
spec:
  unsealer:
    secretShares: 5
Note: unsealer.secretShares must be greater than 1.
unsealer.secretThreshold
unsealer.secretThreshold is an optional field that specifies the number of keys required to unseal Vault. It accepts an integer value. The default value is 3.
spec:
  unsealer:
    secretThreshold: 2
Note: unsealer.secretThreshold must be a positive integer and less than or equal to unsealer.secretShares.
unsealer.retryPeriodSeconds
unsealer.retryPeriodSeconds is an optional field that specifies how often Unsealer will attempt to unseal the Vault instance. It accepts an integer value. The default value is 10.
spec:
  unsealer:
    retryPeriodSeconds: 15
unsealer.overwriteExisting
unsealer.overwriteExisting is an optional field that specifies whether Unsealer will overwrite the existing unseal keys and root token (if any). It accepts a boolean value. The default value is false.
spec:
  unsealer:
    overwriteExisting: true
unsealer.mode
unsealer.mode is a required field that specifies which mode to use to store unseal keys and root token.
spec:
  unsealer:
    mode:
      ...
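The defaults and constraints described above can be checked before a VaultServer manifest is applied. The following Python is an added example, not KubeVault code: check_unsealer, DEFAULTS and the sample mapping are constructed for illustration, the mode value is a placeholder, and reporting undocumented keys as errors is a choice made by this example.

```python
# Added example (not KubeVault code): check a spec.unsealer mapping against
# the defaults and constraints documented on this page.
DEFAULTS = {"secretShares": 5, "secretThreshold": 3,
            "retryPeriodSeconds": 10, "overwriteExisting": False}
KNOWN = set(DEFAULTS) | {"mode"}


def _is_int(value):
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def check_unsealer(unsealer):
    """Return (effective_settings, errors, warnings)."""
    errors, warnings = [], []
    # Assumption of this example: keys not documented here (for instance a
    # misspelled secretThresold) are reported instead of silently ignored.
    for key in sorted(set(unsealer) - KNOWN):
        errors.append(f"unknown field: {key}")
    eff = {**DEFAULTS, **{k: v for k, v in unsealer.items() if k in KNOWN}}
    shares, threshold = eff["secretShares"], eff["secretThreshold"]
    if not _is_int(shares) or shares <= 1:
        errors.append("secretShares must be an integer greater than 1")
    if not _is_int(threshold) or threshold < 1:
        errors.append("secretThreshold must be a positive integer")
    elif _is_int(shares) and threshold > shares:
        errors.append("secretThreshold must be <= secretShares")
    elif threshold == 1:
        warnings.append("secretThreshold is 1: a single unseal key unseals Vault")
    if not _is_int(eff["retryPeriodSeconds"]):
        errors.append("retryPeriodSeconds must be an integer")
    if not isinstance(eff["overwriteExisting"], bool):
        errors.append("overwriteExisting must be a boolean")
    elif eff["overwriteExisting"]:
        warnings.append("overwriteExisting is true: stored unseal keys and "
                        "root token will be overwritten")
    if not eff.get("mode"):
        errors.append("mode is required")
    return eff, errors, warnings


# Constructed sample: misspelled threshold key, placeholder mode value.
SAMPLE = {"secretShares": 4, "secretThresold": 2,
          "overwriteExisting": True, "mode": {"placeholder": {}}}

if __name__ == "__main__":
    effective, errs, warns = check_unsealer(SAMPLE)
    print(effective, errs, warns, sep="\n")
```

In the sample, the check reports the misspelled key and shows secretThreshold at its documented default of 3 rather than the intended 2.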
List of supported modes:










