Not able to auto unseal vault on k8

[vijaymhaske]

I have deployed vault using helm chart on k8. Whenever the vault pod is restarted it get sealed and I would like to overcome this.

So, when i am using your vault-unseal locally (locally means, I have port forwarded the vault pod to :8200) and tried to run the below command. IT successfully unseals the vault.

vault-unseal unseal --address http://localhost:8200/ --shard="xxxxx" --shard="xxxxx" --shard="xxxxx"

But when I am trying to run the same on k8 using the cronjob specified in the examples/kubernetes/cronjob.yaml.

I am getting the below error-

Error: failed to create containerd task: OCI runtime create failed: runc create failed: unable to start container process: exec: "vault-unseal": executable file not found in $PATH: unknown

Below is the yaml file

---

apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: vault-unseal-cronjob
namespace: vault-autounseal
spec:
schedule: "* * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: vault-unseal-cronjob
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
restartPolicy: OnFailure
containers:
- name: vault-unseal-cronjob
image: "ghcr.io/omegion/vault-unseal:latest"
imagePullPolicy: IfNotPresent
args:
- unseal
- --address="http://vault-auto-unseal.vault-autounseal.svc.cluster.local:8200"
- --shard="xxxxx"
- --shard="xxxxx"
- --shard="xxxxx"

[vijaymhaske]

Let me know, If i am missing anything from my end.

[omegion]

Hi,

Can you please use imagePullPolicy: Always and try again?

Bests,
Hakan

[vijaymhaske]

Hello,

I have added imagePullPolicy: Always but now, i am getting the below error.

I am running the job as non-root user and I thing it this is what causing the error.

time="07-04-2023 03:14:20" level=fatal msg="mkdir /.vault-unseal: permission denied"

Thanks,
Vijay

[omegion]

Hi,

This CLI supports config files located at ~./vault-unseal. It checks if the config file exists in the location, if not it creates one.

Since you are running your cronjob as a nonRoot user, the CLI binary cannot create the required config file.

You can solve this by simply removing securityContext from your CronJob manifest to allow the pod to run the container as root.

Bests,
Hakan

[vijaymhaske]

Hello,

Our k8 policy does not allow to run pods as root user. Is there any alternative way to do it?

Thanks
Vijay

[vijaymhaske]

Hello,

Can you provide update on this? Will there be any change in the source code to adjust it to run as nonRoot ? or I don't have any other way.

Thanks

[omegion]

I would create a volume for the config. Can you please try it?

[vijaymhaske]

I don't see any new changes committed in the repo..

[vijaymhaske]

Hi @omegion - I am able to make it workout to run as nonRoot user. And now, it is working fine. I will raise a PR and you review my changes