feat(vault): auto-unseal on container start via VAULT_UNSEAL_KEY env

2026-03-10 20:10:35 +07:00
parent 29309419bf
commit 25623b8f65
2 changed files with 33 additions and 1 deletions
--- a/vault/entrypoint.sh
+++ b/vault/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+# Start Vault server in background
+vault server -config=/vault/config/vault.hcl &
+VAULT_PID=$!
+
+# Wait for Vault to be ready
+export VAULT_ADDR="http://127.0.0.1:8200"
+echo "Waiting for Vault to start..."
+until vault status -format=json 2>/dev/null | grep -q '"initialized"'; do
+  sleep 1
+done
+
+# Auto-unseal if VAULT_UNSEAL_KEY is set
+if [ -n "$VAULT_UNSEAL_KEY" ]; then
+  SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
+  if [ "$SEALED" = "1" ]; then
+    echo "Vault is sealed, auto-unsealing..."
+    vault operator unseal "$VAULT_UNSEAL_KEY"
+    echo "Vault unsealed."
+  else
+    echo "Vault is already unsealed."
+  fi
+else
+  echo "VAULT_UNSEAL_KEY not set, skipping auto-unseal."
+fi
+
+# Wait for Vault process
+wait $VAULT_PID