Closed okamototk closed 1 week ago
Hi @okamototk Did you try to initialize it and then you got this error? Before unsealing, the cluster should be initialized. During this process, Vault will print unseal keys and a root token, and you should save those keys for the next step of unsealing the cluster. If not, I would recommend checking the official documentation on how you can initialize a Vault cluster: https://developer.hashicorp.com/vault/docs/commands/operator/init
Thank you for the comment. I know I need to initialize and unseal manually. But I would like to start Vault without manual operation.
@okamototk I know that it is possible to automate the unsealing part, but I don't know if it is possible to automate the initialization process.
@glisav How can you automate unseal? I don't want to use dev mode because data isn't persisted.
@okamototk check this out: https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-azure-keyvault
Thank you. But I don't want to depend on a cloud key management system...
There are other methods of auto-unseal, please see the following: https://developer.hashicorp.com/vault/tutorials/auto-unseal As this is not a bug, I am going to go ahead and close this issue now. Please feel free to ask questions and receive help from fellow community members on our Discuss forums. Thanks!
Just FYI:
I created the following init/unseal script for Vault to automate initialization and unsealing for this case.
```sh
#!/bin/sh
# Wait while the Vault server is not started yet.
# `vault status` exits 1 when the server is unreachable, 2 when sealed, 0 when unsealed.
while true ;
do
vault status
[ $? -eq 1 ] || break
done
# Initialize vault
vault operator init -key-shares=3 > /home/vault/init-tmp
# If initialization succeeded, keep the seal keys (fails on later starts, since Vault is already initialized).
if [ $? -eq 0 ]
then
mv /home/vault/init-tmp /vault/data/seal-keys
else
rm /home/vault/init-tmp
fi
# Unseal with each stored key ("Unseal Key N: <key>" lines from the init output)
for i in 1 2 3
do
vault operator unseal $(grep "Key $i" /vault/data/seal-keys | sed "s/Unseal Key $i: //")
done
```
```yaml
server:
  readinessProbe:
    enabled: false
  postStart:
    - sh
    - /vault/userconfig/myscript/init-unseal.sh
  extraVolumes:
    - type: configMap
      name: myscript
      path: /vault/userconfig
```
Then deploy Vault with the custom postStart script like this:
```sh
kubectl create ns vault
kubectl create configmap myscript --from-file=init-unseal.sh -nvault
helm install vault hashicorp/vault -nvault -f custom-values.yaml
```
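A hardened variant of the same postStart approach, added here as an example (it is not the script from the thread nor HashiCorp's code). It waits on the documented `vault status` exit codes, parses `-format=json` output instead of the "Unseal Key N:" lines, and keeps the unseal keys out of the Vault data volume by storing them in a Kubernetes Secret. `KEYS_SECRET`, `VAULT_NS` and `SAMPLE_INIT_JSON` are assumed/constructed, and the pod is assumed to ship `kubectl` with a ServiceAccount allowed to create and get that Secret.

```sh
#!/bin/sh
# Added example; not the script from the issue thread. Same flow (init once, unseal on
# every pod start) with the changes a defender would want:
#  - wait only while `vault status` exits 1 (unreachable); 0 = unsealed, 2 = sealed
#  - parse `-format=json` output instead of the human-readable "Unseal Key N:" lines
#  - keep the keys out of the Vault data volume: they go to a Kubernetes Secret
#    (KEYS_SECRET / VAULT_NS are assumed names; the pod is assumed to have kubectl
#    and a ServiceAccount allowed to create/get that Secret)
set -u
KEYS_SECRET="${KEYS_SECRET:-vault-unseal-keys}"
VAULT_NS="${VAULT_NS:-vault}"

# Constructed sample of `vault operator init -format=json` output, used for a dry run.
SAMPLE_INIT_JSON='{"unseal_keys_b64": ["k1aaa=", "k2bbb=", "k3ccc="],
  "unseal_shares": 3, "unseal_threshold": 3, "root_token": "hvs.CONSTRUCTED"}'

# Print the unseal_keys_b64 entries one per line using only sed/tr (no jq needed).
unseal_keys_from_json() {
    printf '%s' "$1" | tr -d '\n\t ' \
        | sed -n 's/.*"unseal_keys_b64":\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' | tr -d '"'
}
key_count() { unseal_keys_from_json "$1" | grep -c .; }

wait_for_listener() {
    until vault status >/dev/null 2>&1 || [ $? -eq 2 ]; do sleep 1; done
}

init_if_needed() {
    # Only the very first start sees "initialized": false; later starts skip init.
    vault status -format=json 2>/dev/null | grep -q '"initialized": *false' || return 0
    out=$(vault operator init -key-shares=3 -key-threshold=3 -format=json) || return 1
    kubectl -n "$VAULT_NS" create secret generic "$KEYS_SECRET" \
        --from-literal=init.json="$out" >/dev/null
}

unseal_from_secret() {
    json=$(kubectl -n "$VAULT_NS" get secret "$KEYS_SECRET" \
        -o jsonpath='{.data.init\.json}' | base64 -d) || return 1
    unseal_keys_from_json "$json" | while read -r key; do
        vault operator unseal "$key" >/dev/null || exit 1
    done
}

main() { wait_for_listener && init_if_needed && unseal_from_secret; }

# Run the real flow only when invoked as `init-unseal.sh run`, so sourcing the file
# for a dry run does not touch a cluster.
if [ "${1:-}" = run ]; then main; fi
```

In the chart values this means `postStart: [sh, /vault/userconfig/myscript/init-unseal.sh, run]`; the Secret still holds all shares, so restrict who can read it with RBAC and consider the auto-unseal options linked above for production.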
The Vault chart is not initialized with the default configuration.
Reproduction procedure:
Pod will not initialize.
Got the error message repeatedly. Vault was not initialized.
Resolution
You need to add an init container with an initialization script when the mode is not dev.