Hi,
I've tried to play with bank-vaults and the transit auto-unseal feature as described in this blog post: https://banzaicloud.com/blog/vault-transit-unseal-k8s/
I noticed that the vault-unseal-keys secret with the root token is required for the configurer, and it is not quite good from the security perspective. According to the description in the CR (https://github.com/banzaicloud/bank-vaults/blob/main/operator/deploy/cr-transit-unseal.yaml):
# Even if unsealing will be done via the Transit Auto-Unseal flow the root token
# and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
# not highly secure, but this is just an example, in production please use one of
# the KMS based options.
# unsealConfig:
Is it possible to have this secret optional? As I understand, in general it could be possible to have the configurer work the same way as auto-unsealing, I mean via the mutating webhook; we just need to assign an admin role to the Kubernetes service account?
Or maybe I'm doing something wrong and somebody could guide me on how to achieve auto-unsealing of a tenant vault without having any secrets/credentials with the root token, just authenticating via a Kubernetes service account/role and the mutating webhook?
Or is the only option to put the root token into the central vault where the auto-unseal token is?
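To make the risk raised in the question concrete from a defender's side, here is an added example (not code from the issue or from bank-vaults) that audits a parsed Vault CR together with the namespace's RBAC objects: it reports whether the Secret-based unseal option is in use (so the root token lands in the vault-unseal-keys Secret) and which subjects are bound to a Role that can read that Secret. The input objects are plain dicts of the shape `kubectl get -o json` returns, with constructed sample values; the Role and ServiceAccount names are assumptions.

```python
# Added example (not from the issue or bank-vaults): audit a parsed Vault CR and the
# namespace RBAC for exposure of the root token stored in the vault-unseal-keys Secret.

UNSEAL_SECRET = "vault-unseal-keys"   # Secret name referred to in the issue
READ_VERBS = {"get", "list", "watch", "*"}

def root_token_in_k8s_secret(cr):
    """True when spec.unsealConfig selects the Kubernetes Secret backend, the case the
    quoted CR comment warns about (root token and recovery keys land in a Secret)."""
    return "kubernetes" in cr.get("spec", {}).get("unsealConfig", {})

def rule_reads_unseal_secret(rule):
    """Does one RBAC rule allow reading the unseal Secret (directly or via wildcards)?"""
    resources = set(rule.get("resources", []))
    names = rule.get("resourceNames")            # absent means every Secret in the namespace
    return (bool(set(rule.get("verbs", [])) & READ_VERBS)
            and bool(resources & {"secrets", "*"})
            and (not names or UNSEAL_SECRET in names))

def subjects_reading_unseal_secret(roles, bindings):
    """Subjects ('Kind/name') bound to any Role/ClusterRole containing such a rule."""
    risky = {(r["kind"], r["metadata"]["name"]) for r in roles
             if any(rule_reads_unseal_secret(x) for x in r.get("rules", []))}
    return {f"{s['kind']}/{s['name']}" for b in bindings
            if (b["roleRef"]["kind"], b["roleRef"]["name"]) in risky
            for s in b.get("subjects", [])}

def audit(cr, roles, bindings):
    """Combine both checks: who can read the root token, if it is stored in a Secret at all."""
    if not root_token_in_k8s_secret(cr):
        return {"root_token_in_secret": False, "readers": set()}
    return {"root_token_in_secret": True,
            "readers": subjects_reading_unseal_secret(roles, bindings)}

# Constructed sample input mirroring the issue's setup: Secret-based unseal plus two Roles
# (hypothetical names; the configurer Role is scoped to the single Secret by resourceNames).
SAMPLE_CR = {"kind": "Vault", "spec": {"unsealConfig": {"kubernetes": {"secretNamespace": "default"}}}}
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "vault-configurer"},
     "rules": [{"verbs": ["get"], "resources": ["secrets"], "resourceNames": [UNSEAL_SECRET]}]},
    {"kind": "Role", "metadata": {"name": "app-config"},
     "rules": [{"verbs": ["get", "list"], "resources": ["configmaps"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "Role", "name": "vault-configurer"},
     "subjects": [{"kind": "ServiceAccount", "name": "vault-configurer"}]},
    {"roleRef": {"kind": "Role", "name": "app-config"},
     "subjects": [{"kind": "ServiceAccount", "name": "app"}]},
]
```

Running `audit(SAMPLE_CR, SAMPLE_ROLES, SAMPLE_BINDINGS)` reports the root token as stored in a Secret and lists only ServiceAccount/vault-configurer as a reader; a wildcard `secrets` Role bound to other subjects would show up as additional readers.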
Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.