From 25623b8f65017c0e37c2da57dfd4a800932f3714 Mon Sep 17 00:00:00 2001
From: Ruslan Bakiev <572431+veikab@users.noreply.github.com>
Date: Tue, 10 Mar 2026 20:10:35 +0700
Subject: [PATCH] feat(vault): auto-unseal on container start via VAULT_UNSEAL_KEY env

---
 vault/Dockerfile | 4 +++-
 vault/entrypoint.sh | 30 ++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 vault/entrypoint.sh

diff --git a/vault/Dockerfile b/vault/Dockerfile
index c928e89..a27a3bd 100644
--- a/vault/Dockerfile
+++ b/vault/Dockerfile
@@ -1,7 +1,9 @@
 FROM hashicorp/vault:1.21.3
 COPY config /vault/config
+COPY entrypoint.sh /vault/entrypoint.sh
+RUN chmod +x /vault/entrypoint.sh
 EXPOSE 8200 8201
-CMD ["vault", "server", "-config=/vault/config/vault.hcl"]
+ENTRYPOINT ["/vault/entrypoint.sh"]
diff --git a/vault/entrypoint.sh b/vault/entrypoint.sh
new file mode 100644
index 0000000..7d26712
--- /dev/null
+++ b/vault/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+# Start Vault server in background
+vault server -config=/vault/config/vault.hcl &
+VAULT_PID=$!
+
+# Wait for Vault to be ready
+export VAULT_ADDR="http://127.0.0.1:8200"
+echo "Waiting for Vault to start..."
+until vault status -format=json 2>/dev/null | grep -q '"initialized"'; do
+  sleep 1
+done
+
+# Auto-unseal if VAULT_UNSEAL_KEY is set
+if [ -n "$VAULT_UNSEAL_KEY" ]; then
+  SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
+  if [ "$SEALED" = "1" ]; then
+    echo "Vault is sealed, auto-unsealing..."
+    vault operator unseal "$VAULT_UNSEAL_KEY"
+    echo "Vault unsealed."
+  else
+    echo "Vault is already unsealed."
+  fi
+else
+  echo "VAULT_UNSEAL_KEY not set, skipping auto-unseal."
+fi
+
+# Wait for Vault process
+wait $VAULT_PID
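Review bot: Replacing the image's ENTRYPOINT with `/vault/entrypoint.sh` also bypasses the upstream `docker-entrypoint.sh`, which, as far as I recall, is what drops from root to the `vault` user (su-exec) and handles `VAULT_LOCAL_CONFIG`; with this change `vault server` most likely runs as root unless a `USER` line or the script itself takes that over, so please verify with `docker exec … id` and document the outcome. The new ENTRYPOINT also swallows any runtime arguments (`docker run <image> vault server -dev` no longer reaches Vault), which the Dockerfile or the script should state, or the script should forward `"$@"`. Minor: `RUN chmod +x` adds a layer that `COPY --chmod=755 entrypoint.sh /vault/entrypoint.sh` avoids under BuildKit.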
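Review bot: The unseal key is passed as a command-line argument in `vault operator unseal "$VAULT_UNSEAL_KEY"`, which exposes it in the process list while the command runs, and because `vault server` is launched from the same shell it inherits `VAULT_UNSEAL_KEY` in its environment for the container's whole lifetime (readable from `/proc/<pid>/environ` inside the container and from `docker inspect`). Launch the server with `env -u VAULT_UNSEAL_KEY vault server -config=/vault/config/vault.hcl &` and feed the key over stdin, which the command prompts for when no argument is given, e.g. `printf '%s\n' "$VAULT_UNSEAL_KEY" | vault operator unseal`; reading it from a mounted secret file instead of an env var would be better still. A header comment should also record the design limitation this introduces: one key in the container's configuration implies a key-share threshold of 1 kept next to the sealed data, which is weaker than Vault's KMS/Transit auto-unseal options. Separately, the script runs as PID 1 with no `trap`, so `docker stop` terminates `sh` without forwarding SIGTERM to Vault, which is then SIGKILLed after the grace period instead of shutting down cleanly; add `trap 'kill -TERM "$VAULT_PID"; wait "$VAULT_PID"' TERM INT` before `wait "$VAULT_PID"` (and quote that `$VAULT_PID`).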