New to KubeVault? Please start here.

Unsealer

Unsealer automates the process of initializing and unsealing Vault running in Kubernetes cluster. Also, it provides facilities to store unseal keys and root token in a secure way.

Configuring Unsealer

To use Unsealer, configure spec.unsealer field in VaultServer CRD .

spec:
  unsealer:
    secretShares: <num_of_secret_shares>
    secretThresold: <num_of_secret_threshold>
    retryPeriodSeconds: <retry_period>
    overwriteExisting: <true/false>
    mode:
      ...

Here, we are going to describe the various attributes of the spec.unsealer field.

unsealer.secretShares

unsealer.secretShares is an optional field that specifies the number of shares to split the master key into. It accepts integer value. The default vault is 5.

spec:
  unsealer:
    secretShares: 5

Note: unsealer.secretShares must be greater than 1.

unsealer.secretThreshold

unsealer.secretThreshold is an optional field that specifies the number of keys required to unseal vault. It accepts integer value. The default vault is 3.

spec:
  unsealer:
    secretThreshold: 2

Note: unsealer.secretThreshold must be a positive integer and less than or equal to unsealer.secretShares.

unsealer.retryPeriodSeconds

unsealer.retryPeriodSeconds is an optional field that specifies how often Unsealer will attempt to unseal the vault instance. It accepts integer value. The default vault is 10.

spec:
  unsealer:
    retryPeriodSeconds: 15

unsealer.overwriteExisting

unsealer.overwriteExisting is an optional field that specifies Unsealer will overwrite existing unseal keys and root token(if have any). It accepts boolean value. Default vault is false.

spec:
  unsealer:
    overwriteExisting: true

unsealer.mode

unsealer.mode is a required field that specifies which mode to use to store unseal keys and root token.

spec:
  unsealer:
    mode:
    ...

List of supported modes: