Configure a Vault for auto-unseal
WARNING: There is currently no way to remove the auto-unseal configuration once it has been set on Vault Charms. Removing the integration may put Vault Charms in a bad state which requires manual intervention.
Prerequisites
A Vault Charm instance you wish to use as the unsealer. It must already be deployed, initialized, unsealed, and authorized. See Tutorial: Getting started with Vault-K8s or Getting Started: Vault (Machine) if you’re not there yet.
A second Vault Charm instance you wish to use as the autounsealed Vault. This instance may already be initialized, unsealed, and authorized, or you may initialize it as part of this process.
1. Integrate the Vault instances
Integrate the autounsealed Vault instance with the unsealer Vault instance.
juju integrate vault-unsealer:vault-autounseal-provides vault-autounsealed:vault-autounseal-requires
2. Configure the Vault CLI to interact with the autounsealed Vault
export VAULT_ADDR="..."
export VAULT_TOKEN="..."
Now, either follow 2a for an initialized autounsealed Vault instance, or 2b for an uninitialized autounsealed Vault instance.
2a. Migrate the autounsealed Vault instance to auto-unseal
In this step, the Vault instance being migrated is unsealed with its existing manual unseal keys, and its data is migrated to auto-unseal. To do this, unseal the Vault instance with the -migrate flag, supplying each existing unseal key in turn until the unseal threshold is reached:
vault operator unseal -migrate ${unseal_key}
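As an added example (not the charm's own tooling, and not from this page), the following POSIX sh script drives step 2a end to end: it checks whether the instance still needs the -migrate unseal, feeds the existing unseal keys with the -migrate flag until the threshold is met, and then verifies that the seal has actually switched to an auto-unseal backend. It assumes the `vault` CLI is on PATH, that VAULT_ADDR and VAULT_TOKEN were exported as in step 2, and that the unseal keys are stored one per line in a file named by UNSEAL_KEYS_FILE (a name chosen for this example). The helpers that parse `vault status -format=json` output run offline against captured JSON, so the decision logic can be checked before touching a live instance.

```shell
#!/bin/sh
# Added example, not from the Vault charm documentation: drive step 2a
# (manual Shamir unseal -> auto-unseal migration) and verify the result.
# Assumptions: the `vault` CLI is on PATH, VAULT_ADDR and VAULT_TOKEN point at
# the autounsealed instance (step 2), and the existing unseal keys are listed
# one per line in the file named by UNSEAL_KEYS_FILE (a name chosen here).
set -eu

# Pull a flat boolean or string field out of `vault status -format=json`
# output without depending on jq; handles only top-level "key": value pairs.
json_field() {
    # $1 = JSON text, $2 = key name
    printf '%s' "$1" | tr -d '\n' \
        | grep -o "\"$2\": *[^,}]*" | head -n 1 \
        | sed 's/^"[^"]*": *//; s/^"//; s/"$//'
}

# The -migrate unseal is still needed while the instance is sealed and has
# not yet been switched to a recovery seal (what an auto-unseal backend uses).
migration_needed() {
    # $1 = JSON text from `vault status -format=json`
    sealed=$(json_field "$1" sealed)
    recovery=$(json_field "$1" recovery_seal)
    [ "$sealed" = true ] && [ "$recovery" != true ]
}

# Post-migration check: unsealed, recovery keys now in place instead of
# unseal keys, and the seal type no longer reported as shamir.
migration_complete() {
    # $1 = JSON text from `vault status -format=json`
    [ "$(json_field "$1" sealed)" = false ] \
        && [ "$(json_field "$1" recovery_seal)" = true ] \
        && [ "$(json_field "$1" type)" != shamir ]
}

migrate_to_autounseal() {
    # `vault status` exits non-zero while the instance is sealed; keep the JSON.
    status=$(vault status -format=json || true)
    if ! migration_needed "$status"; then
        echo "no migration needed (sealed=$(json_field "$status" sealed), recovery_seal=$(json_field "$status" recovery_seal))"
        return 0
    fi
    # Feed each existing unseal key with -migrate until the threshold is met.
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        status=$(vault operator unseal -migrate -format=json "$key")
        if [ "$(json_field "$status" sealed)" = false ]; then
            break
        fi
    done < "${UNSEAL_KEYS_FILE:?set UNSEAL_KEYS_FILE to the file holding the unseal keys}"
    status=$(vault status -format=json)
    if ! migration_complete "$status"; then
        echo "migration did not complete; inspect 'vault status' before retrying" >&2
        return 1
    fi
    echo "migrated: seal type is now $(json_field "$status" type)"
}

# Only talk to a real Vault when explicitly asked ("run" as first argument),
# so the helpers above can be exercised offline against captured status JSON.
if [ "${1:-}" = run ]; then
    migrate_to_autounseal
fi
```

Run it as `UNSEAL_KEYS_FILE=/path/to/keys sh migrate.sh run` once VAULT_ADDR and VAULT_TOKEN are exported. The pre-check avoids re-sending unseal keys to an instance that has already migrated, and the post-check is the quickest way to confirm that the seal type changed before you rely on auto-unseal after a restart.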