More options to configure unsealConfig for transit-unseal #221

Ais8Ooz8 opened this issue Sep 30, 2023 · 5 comments
Labels
kind/enhancement Categorizes issue or PR as related to an improvement.

Comments

@Ais8Ooz8

Ais8Ooz8 commented Sep 30, 2023

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I agree to follow the Code of Conduct.

Problem Description

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

While there is an explicit way for the kv-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-vault-kv-unseal.yaml

  # Describe where you would like to store the Vault unseal keys and root token
  # in separate remote Vault instance.
  unsealConfig:
    vault:
      address: https://vault:8200 # Remote Address for Vault
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes

We see not very transparent recommendations on how to stop using Kubernetes Secrets — https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/cr-transit-unseal.yaml

  # Even if unsealing will be done via the Transit Auto-Unseal flow the root token
  # and recovery keys will be stored in Kubernetes Secrets if not defined otherwise,
  # not highly secure, but this is just an example, in production please use one of
  # the KMS based options.
  # unsealConfig:
  # ...

Proposed Solution

We need a way to explicitly set the settings for the transit-unseal case — https://github.com/bank-vaults/vault-operator/blob/main/pkg/apis/vault/v1alpha1/vault_types.go

Alternatives Considered

No response

Additional Information

No response

@Ais8Ooz8 Ais8Ooz8 added the kind/enhancement Categorizes issue or PR as related to an improvement. label Sep 30, 2023
@DrummyFloyd

Will it be in the roadmap?
Or are you still looking at some information about HashiCorp's new licence?

@akijakya
Contributor

Hi @Ais8Ooz8, thanks for considering Bank-Vaults, also sorry for the late reply!

You can specify a different place to store the root token and recovery keys for any Vault custom resource. In the vault-kv-unseal example it is another Vault instance; the default is a Kubernetes secret, but you can (should) use another Vault, Azure, AWS, etc.:
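An added example, not from the issue or from the project's own example files, putting the two layouts the thread contrasts side by side: a Vault CR with the Transit seal configured but `unsealConfig` left out (root token and recovery keys end up in a Kubernetes Secret), and the same CR with `unsealConfig.vault` pointing at the remote Vault, reusing the field names from the kv-unseal snippet above. The `seal.transit` stanza follows Vault's own seal configuration format; the addresses, key name, image tag and TLS file paths are placeholders.

```yaml
# Added example (not from the issue or the project): one Vault CR, shown with
# the default key storage and with explicit unsealConfig.vault.
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  name: vault
spec:
  size: 1
  image: hashicorp/vault:1.x          # placeholder tag
  serviceAccount: vault
  config:
    listener:
      tcp:
        address: "0.0.0.0:8200"
        # placeholder paths; assumed to match where the operator mounts the server cert
        tls_cert_file: /vault/tls/server.crt
        tls_key_file: /vault/tls/server.key
    storage:
      file:
        path: /vault/file
    # Transit Auto-Unseal: the seal key lives in the remote (placeholder) Vault.
    seal:
      transit:
        address: "https://vault-transit.example.internal:8200"   # placeholder
        key_name: "autounseal"                                    # placeholder key name
        mount_path: "transit/"
        # the transit token is handed to the pod separately (VAULT_TOKEN), not inlined here
  # Weak default, kept only for contrast: with no unsealConfig the operator
  # stores the root token and recovery keys in a Kubernetes Secret.
  # unsealConfig: {}
  #
  # Explicit alternative: store them in the remote Vault, exactly as the
  # kv-unseal example does. Field names are those from cr-vault-kv-unseal.yaml.
  unsealConfig:
    vault:
      address: https://vault-transit.example.internal:8200       # placeholder remote Vault
      unsealKeysPath: secret/data/vault-keys
      role: default
      authPath: kubernetes
```

With the explicit block in place, the only Kubernetes-resident secret material is the transit token the pod needs to reach the remote Vault, which is the piece to scope tightly (a dedicated policy limited to the transit key) and rotate.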


github-actions bot commented Feb 4, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 4, 2024
@ramizpolic ramizpolic removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 5, 2024

github-actions bot commented Apr 7, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 7, 2024

This issue has been marked stale for 20 days, and is now closed due to inactivity. If the issue is still relevant, please re-open this issue or file a new one. Thank you!

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 28, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 28, 2024
@csatib02 csatib02 reopened this Apr 28, 2024
Projects
Status: 📋 Backlog
Development

No branches or pull requests

5 participants