vault-operator
More options to configure unsealConfig for transit-unseal
Preflight Checklist
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I agree to follow the Code of Conduct.
Problem Description
We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go
While there is an explicit way for the kv-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-vault-kv-unseal.yaml
```yaml
# Describe where you would like to store the Vault unseal keys and root token
# in a separate remote Vault instance.
unsealConfig:
  vault:
    address: https://vault:8200 # Remote Address for Vault
    unsealKeysPath: secret/data/vault-keys
    role: default
    authPath: kubernetes
```
The recommendations we see on how to stop using Kubernetes Secrets are not very transparent — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-transit-unseal.yaml
```yaml
# Even if unsealing will be done via the Transit Auto-Unseal flow the root token
# and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
# not highly secure, but this is just an example, in production please use one of
# the KMS based options.
# unsealConfig:
# ...
```
Proposed Solution
We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go
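As an added illustration (not from the issue author or the project's examples), this is the shape of Vault CR the request asks for: a transit auto-unseal stanza combined with an explicit `unsealConfig.vault` so the root token and recovery keys are written to the remote Vault's KV instead of a Kubernetes Secret. The `seal.transit` keys are Vault's own seal configuration; the `unsealConfig.vault` fields are the ones the kv-unseal example already uses; that the two are honoured together is the assumption this request is about, not documented operator behaviour; the address and key name are constructed placeholders.

```yaml
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  name: vault
spec:
  size: 1
  image: hashicorp/vault:1.14.0
  # Vault's own configuration, passed through by the operator.
  config:
    storage:
      file:
        path: "/vault/file"
    listener:
      tcp:
        address: "0.0.0.0:8200"
        tls_cert_file: /vault/tls/server.crt
        tls_key_file: /vault/tls/server.key
    # Transit auto-unseal: the remote (central) Vault unseals this instance
    # with a transit key. The token used to reach the remote transit mount is
    # supplied to the pod out of band (VAULT_TOKEN) and is deliberately not
    # written into this CR.
    seal:
      transit:
        address: "https://vault-central:8200"   # constructed placeholder
        key_name: "autounseal"                   # constructed placeholder
        mount_path: "transit/"
    api_addr: "https://vault.default:8200"
  # Requested behaviour: even though unsealing is handled by transit, the root
  # token and recovery keys should not fall back to a Kubernetes Secret. The
  # fields below are the ones the kv-unseal example exposes; the assumption
  # under discussion is that they are applied in the transit case as well.
  unsealConfig:
    vault:
      address: https://vault-central:8200
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes
```

The check a practitioner wants after applying such a CR is whether any `*-unseal-keys` Secret was still created in the namespace; if one appears, the fallback to Kubernetes Secrets described in the transit example is still in effect.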
Alternatives Considered
No response
Additional Information
No response