New to KubeVault? Please start here.
Unsealer
Unsealer automates the process of initializing and unsealing Vault running in Kubernetes cluster. Also, it provides facilities to store unseal keys and root token in a secure way.
Configuring Unsealer
To use Unsealer, configure spec.unsealer
field in VaultServer CRD .
spec:
unsealer:
secretShares: <num_of_secret_shares>
secretThresold: <num_of_secret_threshold>
retryPeriodSeconds: <retry_period>
overwriteExisting: <true/false>
mode:
...
Here, we are going to describe the various attributes of the spec.unsealer
field.
unsealer.secretShares
unsealer.secretShares
is an optional field that specifies the number of shares to split the master key into. It accepts integer value. The default vault is 5
.
spec:
unsealer:
secretShares: 5
Note:
unsealer.secretShares
must be greater than 1.
unsealer.secretThreshold
unsealer.secretThreshold
is an optional field that specifies the number of keys required to unseal vault. It accepts integer value. The default vault is 3
.
spec:
unsealer:
secretThreshold: 2
Note:
unsealer.secretThreshold
must be a positive integer and less than or equal tounsealer.secretShares
.
unsealer.retryPeriodSeconds
unsealer.retryPeriodSeconds
is an optional field that specifies how often Unsealer will attempt to unseal the vault instance. It accepts integer value. The default vault is 10
.
spec:
unsealer:
retryPeriodSeconds: 15
unsealer.overwriteExisting
unsealer.overwriteExisting
is an optional field that specifies Unsealer will overwrite existing unseal keys and root token(if have any). It accepts boolean value. Default vault is false
.
spec:
unsealer:
overwriteExisting: true
unsealer.mode
unsealer.mode
is a required field that specifies which mode to use to store unseal keys and root token.
spec:
unsealer:
mode:
...
List of supported modes: