Got unseal error #1033

Closed
okamototk opened this issue Jun 22, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@okamototk

The Vault chart is not initialized by the default configuration.

Reproduce procedure:

$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault -nvault 
NAME: vault
LAST DEPLOYED: Sat Jun 22 15:38:44 2024
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!
$ helm status   vault  -nvault
NAME: vault
LAST DEPLOYED: Sat Jun 22 15:38:44 2024
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!

Pod will not initialize.

$ kubectl get pods --namespace vault 
NAME                                   READY   STATUS    RESTARTS   AGE
vault-0                                0/1     Running   0          3m12s
vault-agent-injector-ff58f5d77-8m2vd   1/1     Running   0          3m12s
$ kubectl logs vault-0 -nvault
...
2024-06-22T15:42:30.569Z [INFO]  core: security barrier not initialized
2024-06-22T15:42:30.569Z [INFO]  core: seal configuration missing, not initialized
2024-06-22T15:42:35.565Z [INFO]  core: security barrier not initialized
2024-06-22T15:42:35.565Z [INFO]  core: seal configuration missing, not initialized
2024-06-22T15:42:40.568Z [INFO]  core: security barrier not initialized
2024-06-22T15:42:40.568Z [INFO]  core: seal configuration missing, not initialized
2024-06-22T15:42:45.563Z [INFO]  core: security barrier not initialized
2024-06-22T15:42:45.563Z [INFO]  core: seal configuration missing, not initialized

Got the error message repeatedly. Vault was not initialized.

Resolution

You need to add an init container with an initialization script when the mode is not dev.

@okamototk okamototk added the bug Something isn't working label Jun 22, 2024
@glisav

glisav commented Jun 25, 2024

Hi @okamototk
Did you try to initialize it and then you got this error?
Before unsealing, the cluster should be initialized. During this process, Vault will output unseal keys and a root token, and you should save those keys for the next step of unsealing the cluster.
If not, I would recommend checking the official documentation on how you can initialize a Vault cluster: https://developer.hashicorp.com/vault/docs/commands/operator/init

@okamototk (Author)

Thank you for the comment. I know I need to initialize and unseal manually.
But I would like to start Vault without manual operation.

@glisav

glisav commented Jun 25, 2024

@okamototk
I know that it is possible to automate the unsealing part, but I don't know if it is possible to automate the initialization process.

@okamototk (Author)

@glisav How can you automate unseal?
I don't want to use dev mode because data isn't persisted.

@glisav

glisav commented Jun 25, 2024

@okamototk (Author)

Thank you. But I don't want to depend on a cloud key management system...

@heatherezell

There are other methods of auto-unseal, please see the following: https://developer.hashicorp.com/vault/tutorials/auto-unseal
As this is not a bug, I am going to go ahead and close this issue now. Please feel free to ask questions and receive help from fellow community members on our Discuss forums. Thanks!

@okamototk (Author)

Just FYI:

I created the following init/unseal script for Vault to automate initialization and unsealing for this matter.

init-unseal.sh

#!/bin/sh

# Wait until the Vault server answers. `vault status` exits 0 when unsealed,
# 2 when sealed, and 1 when it cannot reach the server at all.
# (`[[ ]]` is bash-only; plain `[ ]` works in the image's /bin/sh.)
while true
do
        vault status > /dev/null 2>&1
        [ $? -eq 1 ] || break
        sleep 1
done

# Initialize Vault with 3 key shares (the default threshold of 3 means all
# three shares are needed to unseal). If Vault is already initialized, e.g.
# after a pod restart, init fails and the previously saved keys are reused.
# Note: the unseal keys are stored on the data volume, next to the data they
# protect, so anyone with access to that volume can unseal Vault.
if vault operator init -key-shares=3 > /home/vault/init-tmp
then
        mv /home/vault/init-tmp /vault/data/seal-keys
else
        rm -f /home/vault/init-tmp
fi

# Unseal with the three shares. `vault operator init` prints one line per
# share in the form "Unseal Key N: <key>"; the key is the last field.
for i in 1 2 3
do
        vault operator unseal "$(grep "^Unseal Key $i:" /vault/data/seal-keys | awk '{print $NF}')"
done

custom-values.yaml

server:
  readinessProbe:
    enabled: false
  postStart:
    - sh
    - /vault/userconfig/myscript/init-unseal.sh
  extraVolumes:
    - type: configMap
      name: myscript
      path: /vault/userconfig

Then deploy Vault with the custom postStart script like this:

kubectl create ns vault
kubectl create configmap myscript --from-file=init-unseal.sh -nvault
helm install vault hashicorp/vault -nvault -f custom-values.yaml
