README
¶
vault-autounseal-operator
Vault operator for managing vault clusters running in Kubernetes. Operator handles:
- automated initialization of new clusters
- automated unsealing of pods in a clusters
- upgrading statefulset pods in graceful manner
- rotating vault pods if TLS certificate is updated
Operator assumes vault is deployed using official Hashicorp Vault helm chart.
Algorithm:
- build vault client
- get pod seal & init status - https://localhost:8200/v1/sys/seal-status
- if !initialized
- check if init secret is not there
- sync (create lease or lock)
- call sys/initialize
- create secret - unseal keys
- create secret - root token
- if sealed
- get secret - unseal keys
- call sys/unseal
Directories
Click to show internal directories.
Click to hide internal directories.