vault-root token for configurer in transit autounseal configuration #1768

Open
johnny990 opened this issue Jan 17, 2023 · 2 comments

Comments


johnny990 commented Jan 17, 2023

Hi,
I've tried to play with bank-vaults and transit autounseal feature as described in this blog: https://banzaicloud.com/blog/vault-transit-unseal-k8s/
I noticed that vault-unseal-keys with the root token is required for the configurer, and it is not quite good from the security perspective.

According to the description in CR (https://github.com/banzaicloud/bank-vaults/blob/main/operator/deploy/cr-transit-unseal.yaml):

# Even if unsealing will be done via the Transit Auto-Unseal flow the root token
# and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
# not highly secure, but this is just an example, in production please use one of
# the KMS based options.
# unsealConfig:

Is it possible to make this secret optional? As I understand it, in general it could be possible to have the configurer work the same way as autounsealing, I mean via the mutating webhook; we would just need to assign an admin role to the Kubernetes service account?

Or maybe I'm doing something wrong and somebody could guide me on how to achieve autounsealing of a tenant Vault without having any secrets/credentials with the root token, just authenticating via a Kubernetes service account/role and the mutating webhook?

Or is the only option to put the root token into the central Vault where the autounseal token is?

github-actions bot commented Dec 3, 2023

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Dec 3, 2023
@ramizpolic ramizpolic added question and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Dec 22, 2023
@github-actions github-actions bot removed the question label Feb 11, 2024
Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024