Status: Open
Labels: enhancement (New feature or request)
Description
Please describe the problem to be solved
Once Vault is installed, the Vault servers are started in a "sealed" state. The data stored in Vault is encrypted.
The Vault servers therefore need to be manually initialised and unsealed in order to read the decryption key and access the data stored in the storage backend. See:
- https://www.github.com/hashicorp/vault-helm/issues/17
- https://developer.hashicorp.com/vault/docs/concepts/seal#why
- https://www.kloia.com/blog/comparison-of-unseal-options-in-hashicorp-vaul
The init process reveals the master keys and initial root token, which can then be used to unseal Vault.
Can you propose a solution
A client-side script could be made to automate this process, but this would not allow for an unattended install.
Another option might be to have an InitContainer automate this process.
PGP could be used to encrypt the keys and export them from Kubernetes.
Additional context
Many discussions have taken place on the Vault issues tracker and pull requests submitted:
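The init-then-unseal sequence an InitContainer would have to drive, written against Vault's documented HTTP endpoints (`sys/init`, `sys/unseal`) as an added example; this is not code from vault-helm or HashiCorp. `FakeVault` is a constructed offline stand-in so the flow can be exercised without a server, and `hvs.EXAMPLE` and the `share-N` values are placeholders, not real secrets.

```python
import json
import urllib.request

def vault_request(addr, method, path, body=None):
    """Minimal JSON client for Vault's HTTP API; use functools.partial(vault_request, addr)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}

def init_vault(request, shares=5, threshold=3, pgp_keys=None):
    """POST sys/init; with pgp_keys each returned share is already encrypted to a recipient."""
    body = {"secret_shares": shares, "secret_threshold": threshold}
    if pgp_keys:
        body["pgp_keys"] = pgp_keys  # plaintext shares then never leave the server process
    return request("POST", "sys/init", body)

def unseal(request, keys_base64):
    """Submit shares one by one and stop as soon as Vault reports unsealed."""
    for used, key in enumerate(keys_base64, start=1):
        status = request("POST", "sys/unseal", {"key": key})
        if not status["sealed"]:
            return status, used  # never handles more shares than the threshold
    raise RuntimeError("vault still sealed after submitting all shares")

class FakeVault:
    """Constructed offline stand-in mimicking the threshold semantics of sys/init and sys/unseal."""
    def __init__(self):
        self.keys, self.threshold, self.progress, self.sealed = None, 0, 0, True

    def __call__(self, method, path, body=None):
        if path == "sys/init" and self.keys is None:
            self.threshold = body["secret_threshold"]
            self.keys = [f"share-{i}" for i in range(body["secret_shares"])]
            return {"keys_base64": list(self.keys), "root_token": "hvs.EXAMPLE"}
        if path == "sys/unseal" and body["key"] in (self.keys or []):
            self.progress += 1
            if self.progress >= self.threshold:
                self.sealed, self.progress = False, 0
            return {"sealed": self.sealed, "t": self.threshold, "progress": self.progress}
        raise RuntimeError(f"rejected {method} {path}")

def bootstrap(request, shares=5, threshold=3):
    """Init-container flow: initialise, then unseal; caller must protect the returned secrets."""
    init = init_vault(request, shares, threshold)
    status, used = unseal(request, init["keys_base64"])
    return {"root_token": init["root_token"], "shares_used": used, "sealed": status["sealed"]}
```

Whatever runs `bootstrap` ends up holding the root token and unseal shares, which is exactly the exposure the PGP option above is meant to limit: pass `pgp_keys` to `init_vault` so the shares come back encrypted to named recipients, at the cost of the container no longer being able to unseal on its own.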