vault-root token for configurer in transit autounseal configuration #1768
Comments
Thank you for your contribution! This issue has been automatically marked as |
Hi,

I've tried to play with bank-vaults and the transit autounseal feature as described in this blog: https://banzaicloud.com/blog/vault-transit-unseal-k8s/

I noticed that `vault-unseal-keys` with the root token is required for `configurer`, and it is not quite good from the security perspective. According to the description in the CR (https://github.com/banzaicloud/bank-vaults/blob/main/operator/deploy/cr-transit-unseal.yaml):

Is it possible to have this secret optional? As I understand, in general it could be possible to have `configurer` work the same way as autounsealing, I mean via the mutating webhook; we just need to assign an admin role to the Kubernetes service account? Or maybe I'm doing something wrong and somebody could guide me on how to achieve autounsealing of the tenant vault without having any secrets/credentials with the root token, just authenticating via a Kubernetes service account/role and the mutating webhook?

Or is the only option to put the root token into the central vault where the autounseal token is?
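The issue above asks how the tenant's unsealer/configurer could authenticate with a Kubernetes service account instead of a root token. As an added example (not code from the bank-vaults project or the issue author), the script below shows what the least-privilege grant on the central Vault looks like: one transit key per tenant, a policy that allows only encrypt/decrypt on that key, a Kubernetes auth role bound to the tenant's service account, and a check that refuses a token carrying the `root` policy. The key name `tenant-a-unseal`, namespace `tenant-a`, service account `vault`, auth mount `kubernetes` and the in-cluster API endpoint are assumptions; the two lookup JSON documents are constructed samples. Whether bank-vaults' `configurer` can consume such a scoped token in place of `vault-unseal-keys` is exactly the open question of this issue; the script only covers the central-Vault side.

```shell
#!/usr/bin/env bash
# Added example, not bank-vaults project code. Central-Vault side of a
# least-privilege transit-unseal grant: one transit key per tenant, a policy
# limited to encrypt/decrypt on that key, and a Kubernetes auth role bound to
# the tenant's service account. Assumed names: key "tenant-a-unseal",
# namespace "tenant-a", service account "vault", auth mount "kubernetes".
set -euo pipefail

TRANSIT_KEY="${TRANSIT_KEY:-tenant-a-unseal}"
TENANT_NS="${TENANT_NS:-tenant-a}"
TENANT_SA="${TENANT_SA:-vault}"
AUTH_MOUNT="${AUTH_MOUNT:-kubernetes}"

# HCL policy scoped to a single transit key: no key management, no sys/*,
# nothing that a root token would carry.
transit_unseal_policy() {
  local key="$1"
  cat <<EOF
path "transit/encrypt/${key}" {
  capabilities = ["update"]
}
path "transit/decrypt/${key}" {
  capabilities = ["update"]
}
EOF
}

# Reads the JSON from "vault token lookup -format=json" on stdin and succeeds
# if the token carries the "root" policy (crude string match on the policies
# array). Use it to refuse to start when the credential handed to the pod
# turns out to be a root token after all.
token_is_root() {
  grep -q '"root"'
}

# Applies the grant against $VAULT_ADDR. The operator token needs rights on
# sys/mounts, sys/policy, transit/keys and auth/<mount>/*; not root in production.
apply_central_vault_config() {
  vault secrets enable -path=transit transit 2>/dev/null || true
  vault write -f "transit/keys/${TRANSIT_KEY}"

  transit_unseal_policy "${TRANSIT_KEY}" | vault policy write "${TRANSIT_KEY}" -

  vault auth enable -path="${AUTH_MOUNT}" kubernetes 2>/dev/null || true
  # Assumption: the central Vault runs in-cluster, so the default API endpoint works.
  vault write "auth/${AUTH_MOUNT}/config" \
    kubernetes_host="https://kubernetes.default.svc:443"
  vault write "auth/${AUTH_MOUNT}/role/${TRANSIT_KEY}" \
    bound_service_account_names="${TENANT_SA}" \
    bound_service_account_namespaces="${TENANT_NS}" \
    policies="${TRANSIT_KEY}" \
    ttl=1h
}

# Constructed samples in the shape of "vault token lookup -format=json" output.
SAMPLE_ROOT_LOOKUP='{"data":{"policies":["root"],"ttl":0}}'
SAMPLE_SCOPED_LOOKUP='{"data":{"policies":["default","tenant-a-unseal"],"ttl":3600}}'

if [ "${1:-}" = "apply" ]; then
  apply_central_vault_config
else
  # Dry run: print the policy and exercise the root check on the samples.
  transit_unseal_policy "${TRANSIT_KEY}"
  if echo "${SAMPLE_ROOT_LOOKUP}" | token_is_root; then
    echo "sample root token detected: an unsealer should refuse this credential" >&2
  fi
fi
```

Run it without arguments to see the generated policy; run it as `./grant.sh apply` with `VAULT_ADDR` and an operator token set to apply the grant. The point of the policy is that a tenant pod authenticating with its service account ends up with a token that can only encrypt and decrypt with its own key, so a compromise of that pod does not hand over a central-Vault root token.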