Not able to auto unseal vault on k8 #32
Replies: 4 comments 5 replies
-
Let me know if I am missing anything from my end.
-
Hello, I have added imagePullPolicy: Always, but now I am getting the below error. I am running the job as a non-root user and I think this is what is causing the error.
time="07-04-2023 03:14:20" level=fatal msg="mkdir /.vault-unseal: permission denied"
Thanks,
-
Hello, our k8s policy does not allow running pods as the root user. Is there any alternative way to do it? Thanks
-
Hello, can you provide an update on this? Will there be any change in the source code to adjust it to run as nonRoot, or do I not have any other way? Thanks
-
I have deployed Vault using the Helm chart on k8s. Whenever the vault pod is restarted it gets sealed, and I would like to overcome this.
So, when I use your vault-unseal locally (locally means I have port-forwarded the vault pod to :8200) and run the below command, it successfully unseals the vault.
vault-unseal unseal --address http://localhost:8200/ --shard="xxxxx" --shard="xxxxx" --shard="xxxxx"
But when I try to run the same on k8s using the cronjob specified in examples/kubernetes/cronjob.yaml, I am getting the below error:
Error: failed to create containerd task: OCI runtime create failed: runc create failed: unable to start container process: exec: "vault-unseal": executable file not found in $PATH: unknown
Below is the yaml file
# Note: batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 is the current API.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-unseal-cronjob
  namespace: vault-autounseal
spec:
  schedule: "* * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: vault-unseal-cronjob
        spec:
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
          restartPolicy: OnFailure
          containers:
            - name: vault-unseal-cronjob
              image: "ghcr.io/omegion/vault-unseal:latest"
              imagePullPolicy: IfNotPresent
              # Kubernetes passes args to the binary verbatim (no shell), so quotes
              # inside a value are sent literally; they are left out here.
              args:
                - unseal
                - --address=http://vault-auto-unseal.vault-autounseal.svc.cluster.local:8200
                - --shard=xxxxx
                - --shard=xxxxx
                - --shard=xxxxx
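The loop that the command above and the cronjob perform (check whether Vault is sealed, then submit shards one at a time until the threshold is met) written out as a small client, as an added example that is not code from the vault-unseal project. It assumes only Vault's documented sys/seal-status and sys/unseal HTTP endpoints; the env variable name VAULT_UNSEAL_SHARDS and the injectable transport parameter are this example's own choices, chosen so shards can be fed from a Kubernetes Secret instead of pod-spec args, which are readable by anyone who can get the pod.

```python
import json
import os
import urllib.request
from typing import Callable, Iterable, List, Optional

# Added example, not the vault-unseal project's code. Uses Vault's documented API:
#   GET /v1/sys/seal-status -> {"sealed": bool, "t": threshold, "progress": n, ...}
#   PUT /v1/sys/unseal      -> same shape, after one key shard is submitted


def http_json(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Minimal JSON transport over urllib; replaced by a fake in tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def unseal_if_needed(address: str, shards: Iterable[str],
                     transport: Callable[..., dict] = http_json) -> dict:
    """Submit shards until Vault reports unsealed; return the final seal status.

    Checks seal-status first so a scheduled run sends no shards when Vault is
    already open. Raises if the shards run out before the threshold is met,
    so a CronJob exits non-zero and is retried.
    """
    base = address.rstrip("/")
    status = transport("GET", f"{base}/v1/sys/seal-status")
    if not status.get("sealed", False):
        return status
    for shard in shards:
        status = transport("PUT", f"{base}/v1/sys/unseal", {"key": shard})
        if not status.get("sealed", True):
            return status
    raise RuntimeError(
        f"still sealed after all shards: progress {status.get('progress')}/{status.get('t')}")


def shards_from_env(var: str = "VAULT_UNSEAL_SHARDS", env=None) -> List[str]:
    """Read comma-separated shards from an env var (e.g. populated from a Secret)
    rather than from command-line args, which show up in the pod spec and ps."""
    raw = (os.environ if env is None else env).get(var, "")
    return [s.strip() for s in raw.split(",") if s.strip()]


if __name__ == "__main__":
    final = unseal_if_needed(os.environ.get("VAULT_ADDR", "http://localhost:8200"),
                             shards_from_env())
    print("sealed:", final["sealed"])
```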