update readme with example k8s

Brett Jones
2017-01-16 14:10:35 -06:00
parent 87f91bdd4c
commit 617cc8ef88

144
README.md

@@ -19,3 +19,147 @@ This container will loop up to 15 times, as many times as it can until vault is
3. Optionally set `VAULT_SKIP_VERIFY` to 1.
4. Check the [vault docs](https://www.vaultproject.io/docs/commands/environment.html) on environment variables to see all of your options.
5. Run the container and watch it unseal your vault.
## Example Kubernetes Config
```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: vault-secret-config-s3
namespace: default
type: Opaque
data:
access_key: <base64 encoded s3 access key>
secret_key: <base64 encoded s3 secret key>
unseal_key_1: <base64 encoded unseal key 1>
unseal_key_2: <base64 encoded unseal key 2>
unseal_key_3: <base64 encoded unseal key 3>
unseal_key_4: <base64 encoded unseal key 4>
unseal_key_5: <base64 encoded unseal key 5>
root_token: <base64 encoded root token>
---
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-config-file
data:
config.hcl: |-
backend "s3" {}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: vault
spec:
replicas: 1
template:
metadata:
labels:
app: vault
spec:
volumes:
- name: configmap
configMap:
name: vault-config-file
containers:
- name: vault
image: vault:0.6.4
args: ["server"]
securityContext:
capabilities:
add:
- IPC_LOCK
ports:
- containerPort: 8200
imagePullPolicy: Always
volumeMounts:
- mountPath: /vault/config
name: configmap
env:
- name: VAULT_ADDR
value: http://127.0.0.1:8200
- name: VAULT_SKIP_VERIFY
value: "1"
- name: AWS_S3_BUCKET
value: <my bucket name>
- name: AWS_DEFAULT_REGION
value: <my region>
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: vault-secret-config-s3
key: access_key
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: vault-secret-config-s3
key: secret_key
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-secret-config-s3
key: root_token
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: vault
name: vault
spec:
ports:
- port: 8200
protocol: TCP
targetPort: 8200
selector:
app: vault
sessionAffinity: None
type: ClusterIP
---
apiVersion: batch/v1
kind: Job
metadata:
name: vault-unseal
spec:
template:
metadata:
name: vault-unseal
spec:
restartPolicy: OnFailure
containers:
- name: vault-unseal
image: blockloop/vault-unseal
env:
- name: VAULT_ADDR
value: http://vault:8200
- name: VAULT_SKIP_VERIFY
value: "1"
- name: VAULT_UNSEAL_KEY_1
valueFrom:
secretKeyRef:
name: vault-secret-config-s3
key: unseal_key_1
- name: VAULT_UNSEAL_KEY_2
valueFrom:
secretKeyRef:
name: vault-secret-config-s3
key: unseal_key_2
- name: VAULT_UNSEAL_KEY_3
valueFrom:
secretKeyRef:
name: vault-secret-config-s3
key: unseal_key_3
```
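Review bot: The example injects the root token into the Vault server pod (`VAULT_TOKEN` sourced from `root_token` in the Deployment's env), which the `vault server` process itself does not need; it only makes the root token readable to anyone who can exec into or dump that pod, so that env entry should be dropped. The single `vault-secret-config-s3` Secret also co-locates all five unseal keys with the root token and the S3 credentials, so one RBAC grant on that object (which the unseal Job already has) yields everything needed to take over Vault and defeats the point of a Shamir threshold; keep only the three keys the Job actually consumes in a separate Secret and hold the rest offline. `tls_disable = 1` together with `http://vault:8200` means unseal keys and tokens cross the cluster network in clear text, and `VAULT_SKIP_VERIFY` has no effect over plain HTTP, so a warning above the ConfigMap is warranted, e.g. `# Example only: tls_disable is for local testing; production listeners must set tls_cert_file/tls_key_file`. Finally `image: blockloop/vault-unseal` is untagged, so the Job pulls whatever `latest` currently is and hands it the unseal keys; pin a tag or digest.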