Run the `start` command to launch the daemon process that automatically initializes and unseals a Vault server:

```shell
$ vault-init start \
    --vault-addr "http://127.0.0.1:8200" \
    --encryption-local-secret-key "FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo" \
    --storage-postgres-connection-url "postgres://vault:[email protected]:5432/vault?sslmode=disable"
```
Run the `show` command to fetch and decrypt the root token and unseal keys that Vault generated during initialization:

```shell
$ vault-init show \
    --encryption-local-secret-key "FjaUCqqTIorGTe1Z86rs2YfkRgQ6iIgo" \
    --storage-postgres-connection-url "postgres://vault:[email protected]:5432/vault?sslmode=disable"
```
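Once `vault-init start` is running, the only thing left to confirm is that Vault actually reached the "initialized and unsealed" state. The script below is an added example and is not part of vault-init; it uses only Vault's public, unauthenticated `GET /v1/sys/seal-status` endpoint and the Python standard library, and assumes the same address that was passed to `--vault-addr`. The sample documents at the bottom are constructed to mirror the shape of the real response.

```python
"""Verify that a Vault server is initialized and unsealed.

Added example, not vault-init's own code. It only calls Vault's public HTTP API
(GET /v1/sys/seal-status, which requires no token) and the standard library.
"""
import json
import time
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # same value passed to --vault-addr (assumption)


def classify(seal_status: dict) -> str:
    """Map a seal-status document to one of: uninitialized, sealed, unsealed.

    Field names follow Vault's documented response: "initialized" and "sealed"
    are booleans, "t"/"n" are the Shamir threshold and share count, and
    "progress" counts the unseal keys submitted so far in the current attempt.
    """
    if not seal_status.get("initialized", False):
        return "uninitialized"
    if seal_status.get("sealed", True):
        return "sealed"
    return "unsealed"


def unseal_progress(seal_status: dict) -> str:
    """Human-readable progress line, e.g. '1/3 keys submitted' while still sealed."""
    return f"{seal_status.get('progress', 0)}/{seal_status.get('t', 0)} keys submitted"


def fetch_seal_status(addr: str = VAULT_ADDR, timeout: float = 3.0) -> dict:
    """GET /v1/sys/seal-status and parse the JSON body."""
    url = f"{addr.rstrip('/')}/v1/sys/seal-status"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def wait_until_unsealed(addr: str = VAULT_ADDR, attempts: int = 30, delay: float = 2.0) -> bool:
    """Poll until Vault reports initialized + unsealed; False if that never happens."""
    for _ in range(attempts):
        try:
            status = fetch_seal_status(addr)
        except (OSError, ValueError) as exc:  # connection refused, timeout, bad JSON
            print(f"vault not reachable yet: {exc}")
        else:
            state = classify(status)
            print(f"state={state} ({unseal_progress(status)})")
            if state == "unsealed":
                return True
        time.sleep(delay)
    return False


# Constructed sample documents: same shape as the real response, values made up.
SAMPLE_FRESH = {"initialized": False, "sealed": True, "t": 0, "n": 0, "progress": 0}
SAMPLE_SEALED = {"initialized": True, "sealed": True, "t": 3, "n": 5, "progress": 1}
SAMPLE_UNSEALED = {"initialized": True, "sealed": False, "t": 3, "n": 5, "progress": 0}

if __name__ == "__main__":
    import sys
    sys.exit(0 if wait_until_unsealed() else 1)
```

Run it after `vault-init start` and it exits 0 as soon as Vault is unsealed, which makes it a convenient readiness gate in a deployment script. Note that this check needs no secrets at all, whereas `vault-init show` needs the same `--encryption-local-secret-key` as `start`: that key, together with access to the PostgreSQL database, is sufficient to recover the root token and unseal keys, so it deserves the same protection as the root token itself.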
See `docker-compose.yaml` for an example of using the `vault-init` Docker image to initialize and unseal a Vault container running within the same Docker environment.
`vault-init` is a natural sidecar container for a Vault deployment on Kubernetes. An example of running it as a sidecar container can be found under `docs/kubernetes`. Note that this is for illustration purposes only and is not a production-ready setup.
You will need a Kubernetes cluster to run the example:

1. Deploy a PostgreSQL instance into your cluster:

   ```shell
   $ kubectl apply -f kubernetes/example-postgres.yaml
   ```

2. Exec into the `example-postgres` Pod and create the database table required by `vault-init`:

   ```shell
   $ kubectl exec -it example-postgres-0 -- psql -U example
   ```

   ```sql
   CREATE TABLE vault_init_data (
       encryption_type TEXT,
       encryption_version TEXT,
       root_token TEXT,
       unseal_keys TEXT[],
       created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
   );
   ```

3. Deploy Vault with a `vault-init` sidecar container into your cluster:

   ```shell
   $ kubectl apply -f kubernetes/example.yaml
   ```

4. Tail the logs of the `vault-init` container and watch it initialize and unseal Vault!

   ```shell
   $ kubectl logs -f example-0 vault-init
   ```

5. To clean up:

   ```shell
   $ kubectl delete -f kubernetes
   ```