
More options to configure unsealConfig for transit-unseal

Open Ais8Ooz8 opened this issue 9 months ago • 5 comments

Preflight Checklist

  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [X] I agree to follow the Code of Conduct.

Problem Description

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

While there is an explicit way for the kv-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-vault-kv-unseal.yaml

  # Describe where you would like to store the Vault unseal keys and root token
  # in separate remote Vault instance.
  unsealConfig:
    vault:
      address: https://vault:8200 # Remote Address for Vault
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes

The recommendations we see on how to stop using Kubernetes Secrets are not very transparent — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-transit-unseal.yaml

  # Even if unsealing will be done via the Transit Auto-Unseal flow the root token
  # and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
  # not highly secure, but this is just an example, in production please use one of
  # the KMS based options.
  # unsealConfig:
  # ...

Proposed Solution

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

Alternatives Considered

No response

Additional Information

No response

Ais8Ooz8 · Sep 30 '23 23:09
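For readers following the issue, the two configuration layers being discussed are easy to confuse, so here is an added illustration (not the project's example file and not the reporter's text) of a Vault CR that uses Transit auto-unseal for the seal itself while pointing `unsealConfig` at a remote Vault KV path, so that the root token and recovery keys are not written to Kubernetes Secrets. The `seal "transit"` stanza is Vault's own server configuration and only replaces the unseal-key ceremony; the recovery keys and root token still exist and still need a store, which is what `unsealConfig` selects. Whether this combination is the intended way to configure the transit case is exactly what the issue asks, so treat it as an assumption. Hostnames, mount and key names, TLS paths and the `apiVersion` are assumed values.

```yaml
# Added illustration, not the project's own example.
# apiVersion and field layout assumed from the examples linked in the issue.
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  name: vault
spec:
  size: 1

  # spec.config is rendered into the Vault server configuration.
  config:
    # Vault's auto-unseal: the data-encryption key is wrapped by a key in a
    # separate "transit" Vault. This removes the unseal-key ceremony only.
    seal:
      transit:
        address: https://transit-vault.example:8200   # constructed hostname
        mount_path: transit/                          # constructed mount
        key_name: autounseal-key                      # constructed key name
        # The token for the transit Vault is supplied via the VAULT_TOKEN
        # environment variable of the Vault pods, not stored in this CR.
    storage:
      file:
        path: /vault/file
    listener:
      tcp:
        address: "0.0.0.0:8200"
        tls_cert_file: /vault/tls/server.crt          # constructed path
        tls_key_file: /vault/tls/server.key           # constructed path
    api_addr: https://vault.default:8200              # constructed

  # Where the operator stores the root token and recovery keys that a
  # transit-sealed Vault still produces at init. Without this block the
  # cr-transit-unseal.yaml example falls back to Kubernetes Secrets.
  unsealConfig:
    vault:
      address: https://keys-vault.example:8200        # constructed hostname
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes
```

The practical check after applying such a CR is to confirm that no `vault-unseal-keys` style Secret appears in the namespace and that the recovery keys and root token are readable only through the remote KV path with the intended Kubernetes auth role.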