vault-auto-unsealer is an application to assist in running Vault in a Kubernetes cluster. It runs a control loop that will unseal Vault if necessary, so that human intervention is not needed to unseal Vault if/when Vault's pod is restarted by Kubernetes. Of course, this means that the value of Vault's unseal process is foregone, but this may be an acceptable compromise when running in an environment where the unseal key is protected via some other means, and the ability to keep Vault running without human intervention when it restarts is critical.
Required environment variables:
VAULT_ADDR: The address of the Vault server to operate on. Example: http://127.0.0.1:8200PGP_KEY_PATH: Path to a file containing the OpenPGP public key that should be used to encrypt the unseal key and initial root token. This file should be the Base64 encoding of the binary version of the public key, NOT the ASCII armored format. Make sure you don't accidentally append a newline at the end of the file!UNSEAL_KEY: The raw decrypted unseal key. When first deployed, set this to a placeholder value like "placeholder" and vault-auto-unsealer will initialize Vault. Any value that is not exactly 64 bytes is acceptable as a placeholder value.
When first deployed, set the environment variable UNSEAL_KEY to "placeholder" (or any other value that is not exactly 64 bytes.)
vault-auto-unsealer will initialize Vault, configured for a single unseal key.
It will then print the unseal key and initial root token, encrypted with the supplied OpenPGP public key, to standard output.
Decrypt the unseal key:
echo -n "$UNSEAL_KEY" | base64 -D | gpg2 --decryptThe initial root token is decrypted in the same manner.
Then redeploy vault-auto-unsealer with the environment variable UNSEAL_KEY set to the decrypted unseal key.
From this point on, vault-auto-unsealer will run in a loop, unsealing the Vault whenever it finds it sealed.
vault-auto-unsealer is released under the MIT license.
See LICENSE for details.