update readme with example k8s

2025-12-06 06:35:38 +01:00 · 2017-01-16 14:10:35 -06:00
parent 87f91bdd4c
commit 617cc8ef88
1 changed files with 144 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -19,3 +19,147 @@ This container will loop up to 15 times, as many times as it can until vault is
 3. Optionally set `VAULT_SKIP_VERIFY` to 1. 
 4. Check the [vault docs](https://www.vaultproject.io/docs/commands/environment.html) on environment variables to see all of your options. 
 5. Run the container and watch it unseal your vault.
 ## Example Kubernetes Config
 ```yaml
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: vault-secret-config-s3
  namespace: default
 type: Opaque
 data:
  access_key: <base64 encoded s3 access key>
  secret_key: <base64 encoded s3 secret key>
  unseal_key_1: <base64 encoded unseal key 1>
  unseal_key_2: <base64 encoded unseal key 2>
  unseal_key_3: <base64 encoded unseal key 3>
  unseal_key_4: <base64 encoded unseal key 4>
  unseal_key_5: <base64 encoded unseal key 5>
  root_token: <base64 encoded root token>
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: vault-config-file
 data:
  config.hcl: |-
    backend "s3" {}
    listener "tcp" {
      address = "0.0.0.0:8200"
      tls_disable = 1
    }
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: vault
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: vault
    spec:
      volumes:
      - name: configmap
        configMap:
          name: vault-config-file
      containers:
      - name: vault
        image: vault:0.6.4
        args: ["server"]
        securityContext:
          capabilities:
            add:
              - IPC_LOCK
        ports:
        - containerPort: 8200
        imagePullPolicy: Always
        volumeMounts:
        - mountPath: /vault/config
          name: configmap
        env:
          - name: VAULT_ADDR
            value: http://127.0.0.1:8200
          - name: VAULT_SKIP_VERIFY
            value: "1"
          - name: AWS_S3_BUCKET
            value: <my bucket name>
          - name: AWS_DEFAULT_REGION
            value: <my region>
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: vault-secret-config-s3
                key: access_key
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: vault-secret-config-s3
                key: secret_key
          - name: VAULT_TOKEN
            valueFrom:
              secretKeyRef:
                name: vault-secret-config-s3
                key: root_token
 ---
 apiVersion: v1
 kind: Service
 metadata:
  creationTimestamp: null
  labels:
    app: vault
  name: vault
 spec:
  ports:
  - port: 8200
    protocol: TCP
    targetPort: 8200
  selector:
    app: vault
  sessionAffinity: None
  type: ClusterIP
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: vault-unseal
 spec:
  template:
    metadata:
      name: vault-unseal
    spec:
      restartPolicy: OnFailure
      containers:
      - name: vault-unseal
        image: blockloop/vault-unseal
        env:
          - name: VAULT_ADDR
            value: http://vault:8200
          - name: VAULT_SKIP_VERIFY
            value: "1"
          - name: VAULT_UNSEAL_KEY_1
            valueFrom:
              secretKeyRef:
                name: vault-secret-config-s3
                key: unseal_key_1
          - name: VAULT_UNSEAL_KEY_2
            valueFrom:
              secretKeyRef:
                name: vault-secret-config-s3
                key: unseal_key_2
          - name: VAULT_UNSEAL_KEY_3
            valueFrom:
              secretKeyRef:
                name: vault-secret-config-s3
                key: unseal_key_3
 ```