diff --git a/cmd/vault.go b/cmd/vault.go
index 167cd8c..81c8ad0 100644
--- a/cmd/vault.go
+++ b/cmd/vault.go
@@ -143,6 +143,11 @@ Any values provided using --values will be in {{ .Values.xxx }}
 })
 
 const argVaultApplyDumpValues = "dump-values"
+const argVaultForceGenerateRootToken = "generate-root"
+
+func vaultInitFlags(cmd *cobra.Command) {
+	cmd.Flags().Bool(argVaultForceGenerateRootToken, false, "Generate a root token named 'root'.")
+}
 
 var vaultInitCmd = &cobra.Command{
 	Use: "init [namespace]",
@@ -214,7 +219,7 @@ Otherwise, this will do nothing.
 		VaultNamespace: namespace,
 	}
 
-	err = initializer.Init()
+	err = initializer.Init(viper.GetBool(argVaultForceGenerateRootToken))
 	if err != nil {
 		return err
 	}
@@ -489,7 +494,7 @@ func init() {
 	vaultCmd.AddCommand(vaultJWTCmd)
 
 	addVaultFlags(vaultInitCmd)
-	vaultCmd.AddCommand(vaultInitCmd)
+	vaultCmd.AddCommand(vaultInitCmd, initFlags)
 
 	addVaultFlags(vaultUnsealCmd)
 	vaultCmd.AddCommand(vaultUnsealCmd)
diff --git a/pkg/vault/vault_init.go b/pkg/vault/vault_init.go
index 3e71eaf..a5c4f8c 100644
--- a/pkg/vault/vault_init.go
+++ b/pkg/vault/vault_init.go
@@ -22,7 +22,7 @@ type VaultInitializer struct {
 	VaultNamespace string
 }
 
-func (v VaultInitializer) Init() error {
+func (v VaultInitializer) Init(forceGenerateTokenRoot bool) error {
 	vaultClient := v.Client
 	initialized, err := vaultClient.Sys().InitStatus()
 	if err != nil {
@@ -30,7 +30,7 @@ func (v VaultInitializer) Init() error {
 	}
 
 	if !initialized {
-		err = v.initialize()
+		err = v.initialize(forceGenerateTokenRoot)
 		if err != nil {
 			return err
 		}
@@ -134,7 +134,7 @@ func (v VaultInitializer) Unseal() error {
 	return nil
 }
 
-func (v VaultInitializer) initialize() error {
+func (v VaultInitializer) initialize(forceGenerateTokenRoot bool) error {
 	vaultClient := v.Client
 
 	var initResp *api.InitResponse
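Review bot: The help text on the new `--generate-root` flag in `vaultInitFlags` does not say that the root token is created regardless of the answer to the confirmation prompt, while the log line in pkg/vault warns to delete that token in production; the flag description is where an operator reads it first. I would make it `"Create a root token named 'root' regardless of the confirmation prompt (development only; revoke it before production use)."`. The constant is also named argVaultForceGenerateRootToken while the parameter it feeds in pkg/vault is forceGenerateTokenRoot; aligning the two, e.g. `forceGenerateRootToken`, would make the plumbing easier to follow.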
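Review bot: `initializer.Init(viper.GetBool(argVaultForceGenerateRootToken))` reads the flag through viper, but `vaultInitFlags` registers it on cobra's `cmd.Flags()`; unless `addVaultFlags` or code outside this diff binds that flag set into viper (`viper.BindPFlags`), the lookup returns false and `--generate-root` is silently ignored. If this closure is the command's RunE with `cmd` in scope, reading the flag directly removes the dependency: `force, err := cmd.Flags().GetBool(argVaultForceGenerateRootToken)` followed by the usual error check, then `err = initializer.Init(force)`. The enclosing function starts and ends outside the hunk.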
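Review bot: `vaultCmd.AddCommand(vaultInitCmd, initFlags)` passes `initFlags`, which nothing in this diff defines, and `AddCommand` takes `*cobra.Command` arguments, so the `vaultInitFlags` helper added earlier in this file is never called and the `--generate-root` flag is never registered on the command; unless `initFlags` is a command defined elsewhere, this will not compile. The intended change is presumably `vaultInitFlags(vaultInitCmd)` on the line after `addVaultFlags(vaultInitCmd)`, with `vaultCmd.AddCommand(vaultInitCmd)` left as it was. The enclosing `init()` continues outside the hunk.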
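Review bot: The exported `Init` gains a bare bool parameter with no doc comment, and a positional `true`/`false` at call sites says nothing about what it forces. A doc comment above the signature would help: `// Init initializes Vault when InitStatus reports it uninitialized; forceGenerateTokenRoot makes initialize create the 'root' token even when the operator declines the confirmation prompt.` The body of Init continues outside the hunk.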
@@ -196,7 +196,7 @@ func (v VaultInitializer) initialize() error {
 
 	vaultRootTokenSecret, err := secretsClient.Get("vault-root-token", metav1.GetOptions{})
 	if kerrors.IsNotFound(err) {
-		unsealKeysSecret, err = secretsClient.Create(&v1.Secret{
+		vaultRootTokenSecret, err = secretsClient.Create(&v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "vault-root-token",
 			},
@@ -238,7 +238,7 @@ func (v VaultInitializer) initialize() error {
 
 	createRootToken := cli.RequestConfirmFromUser("Should we create a root token named `root`")
 
-	if createRootToken {
+	if createRootToken || forceGenerateTokenRoot {
 		log.Info("Creating token `root` (DELETE THIS TOKEN IN PRODUCTION!)")
 		_, err = vaultClient.Auth().Token().Create(&api.TokenCreateRequest{