fix(vault): use proven GL vault entrypoint for auto-unseal
This commit is contained in:
Ruslan Bakiev
@@ -1,50 +1,67 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
# Start Vault server in background
|
||||
export VAULT_ADDR="http://127.0.0.1:8200"
|
||||
|
||||
get_status_json() {
|
||||
vault status -format=json 2>/dev/null || true
|
||||
}
|
||||
|
||||
read_flag() {
|
||||
json="$1"
|
||||
key="$2"
|
||||
printf '%s' "$json" | tr -d '\n' | sed -n "s/.*\"$key\":[[:space:]]*\\(true\\|false\\).*/\\1/p" | head -n1
|
||||
}
|
||||
|
||||
vault server -config=/vault/config/vault.hcl &
|
||||
VAULT_PID=$!
|
||||
|
||||
export VAULT_ADDR="http://127.0.0.1:8200"
|
||||
|
||||
# Save env unseal key before anything overwrites it
|
||||
SAVED_UNSEAL_KEY="${VAULT_UNSEAL_KEY}"
|
||||
|
||||
echo "Waiting for Vault to start..."
|
||||
until vault status -format=json 2>/dev/null | grep -q '"initialized"\|"sealed"'; do
|
||||
echo "Waiting for Vault status endpoint..."
|
||||
while true; do
|
||||
STATUS_JSON="$(get_status_json)"
|
||||
INIT_FLAG="$(read_flag "$STATUS_JSON" initialized)"
|
||||
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
||||
if [ -n "$INIT_FLAG" ] && [ -n "$SEALED_FLAG" ]; then
|
||||
break
|
||||
fi
|
||||
sleep 1
|
||||
done
|
||||
|
||||
# Check if initialized
|
||||
INITIALIZED=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c 'true' || true)
|
||||
|
||||
if [ "$INITIALIZED" != "1" ]; then
|
||||
echo "Vault not initialized, running operator init..."
|
||||
vault operator init -key-shares=1 -key-threshold=1 -format=json > /vault/data/init.json
|
||||
echo "Vault initialized. Keys saved to /vault/data/init.json"
|
||||
if [ "$INIT_FLAG" = "false" ]; then
|
||||
echo "Vault is not initialized yet; auto-unseal skipped."
|
||||
wait $VAULT_PID
|
||||
exit $?
|
||||
fi
|
||||
|
||||
# Determine unseal key: env > init.json
|
||||
if [ -n "$SAVED_UNSEAL_KEY" ]; then
|
||||
UNSEAL_KEY="$SAVED_UNSEAL_KEY"
|
||||
echo "Using VAULT_UNSEAL_KEY from environment."
|
||||
elif [ -f /vault/data/init.json ]; then
|
||||
UNSEAL_KEY=$(grep -o '"unseal_keys_b64":\["[^"]*"' /vault/data/init.json | grep -o '\["[^"]*"' | tr -d '["')
|
||||
echo "Using unseal key from /vault/data/init.json."
|
||||
fi
|
||||
if [ "$SEALED_FLAG" = "true" ]; then
|
||||
UNSEAL_KEYS_RAW="${VAULT_UNSEAL_KEYS:-${VAULT_UNSEAL_KEY:-}}"
|
||||
if [ -z "$UNSEAL_KEYS_RAW" ]; then
|
||||
echo "Vault is sealed but VAULT_UNSEAL_KEY/VAULT_UNSEAL_KEYS is empty."
|
||||
kill $VAULT_PID || true
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Auto-unseal
|
||||
if [ -n "$UNSEAL_KEY" ]; then
|
||||
SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
|
||||
if [ "$SEALED" = "1" ]; then
|
||||
echo "Vault is sealed, unsealing..."
|
||||
vault operator unseal "$UNSEAL_KEY"
|
||||
echo "Vault unsealed."
|
||||
else
|
||||
echo "Vault is already unsealed."
|
||||
echo "Vault is sealed; applying unseal keys from environment..."
|
||||
for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' '); do
|
||||
[ -n "$key" ] || continue
|
||||
vault operator unseal "$key" >/dev/null
|
||||
STATUS_JSON="$(get_status_json)"
|
||||
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
||||
if [ "$SEALED_FLAG" = "false" ]; then
|
||||
echo "Vault unsealed."
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
STATUS_JSON="$(get_status_json)"
|
||||
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
||||
if [ "$SEALED_FLAG" != "false" ]; then
|
||||
echo "Vault is still sealed after provided key(s)."
|
||||
kill $VAULT_PID || true
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "No unseal key available, skipping auto-unseal."
|
||||
echo "Vault is already unsealed."
|
||||
fi
|
||||
|
||||
wait $VAULT_PID
|
||||
|
||||
Reference in New Issue
Block a user