scripts/vault-bootstrap.sh is the one-time setup
script, idempotent (every step checks before it creates, so re-running
after a partial failure is safe).
What it does, in order
vault operator init(recovery keys)- Enables a file audit device
- Enables KV v2 mounts:
seo-ai-os(component config) andsecret(VaultClient’s tenant-credential mount point) - Enables Kubernetes auth (for the Vault Agent Injector, on the Kubernetes deployment path)
- Enables AppRole auth (runtime identity for the
api/workerprocesses, on any deployment path, including a single VPS) - Writes every policy from
helm/vault/policies/
Prerequisites
vaultCLI, withVAULT_ADDRexported- After
init:VAULT_TOKENexported (the initial root token — revoke it once bootstrap and credential migration are done)
Remaining manual steps
The script prints these at the end — deliberately manual, since they touch real credentials:- Generate a secret-id per runtime AppRole
- Write each component’s config secret (
APP_SECRET_KEY,DATABASE_URL,REDIS_URL, etc.) viavault kv put - Migrate existing credentials:
python scripts/vault_migrate_credentials.py --help - Revoke the initial root token