fix(vault): use proven GL vault entrypoint for auto-unseal
This commit is contained in:
Ruslan Bakiev
@@ -1,50 +1,67 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
# Start Vault server in background
|
export VAULT_ADDR="http://127.0.0.1:8200"
|
||||||
|
|
||||||
|
get_status_json() {
|
||||||
|
vault status -format=json 2>/dev/null || true
|
||||||
|
}
|
||||||
|
|
||||||
|
read_flag() {
|
||||||
|
json="$1"
|
||||||
|
key="$2"
|
||||||
|
printf '%s' "$json" | tr -d '\n' | sed -n "s/.*\"$key\":[[:space:]]*\\(true\\|false\\).*/\\1/p" | head -n1
|
||||||
|
}
|
||||||
|
|
||||||
vault server -config=/vault/config/vault.hcl &
|
vault server -config=/vault/config/vault.hcl &
|
||||||
VAULT_PID=$!
|
VAULT_PID=$!
|
||||||
|
|
||||||
export VAULT_ADDR="http://127.0.0.1:8200"
|
echo "Waiting for Vault status endpoint..."
|
||||||
|
while true; do
|
||||||
# Save env unseal key before anything overwrites it
|
STATUS_JSON="$(get_status_json)"
|
||||||
SAVED_UNSEAL_KEY="${VAULT_UNSEAL_KEY}"
|
INIT_FLAG="$(read_flag "$STATUS_JSON" initialized)"
|
||||||
|
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
||||||
echo "Waiting for Vault to start..."
|
if [ -n "$INIT_FLAG" ] && [ -n "$SEALED_FLAG" ]; then
|
||||||
until vault status -format=json 2>/dev/null | grep -q '"initialized"\|"sealed"'; do
|
break
|
||||||
|
fi
|
||||||
sleep 1
|
sleep 1
|
||||||
done
|
done
|
||||||
|
|
||||||
# Check if initialized
|
if [ "$INIT_FLAG" = "false" ]; then
|
||||||
INITIALIZED=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c 'true' || true)
|
echo "Vault is not initialized yet; auto-unseal skipped."
|
||||||
|
wait $VAULT_PID
|
||||||
if [ "$INITIALIZED" != "1" ]; then
|
exit $?
|
||||||
echo "Vault not initialized, running operator init..."
|
|
||||||
vault operator init -key-shares=1 -key-threshold=1 -format=json > /vault/data/init.json
|
|
||||||
echo "Vault initialized. Keys saved to /vault/data/init.json"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Determine unseal key: env > init.json
|
if [ "$SEALED_FLAG" = "true" ]; then
|
||||||
if [ -n "$SAVED_UNSEAL_KEY" ]; then
|
UNSEAL_KEYS_RAW="${VAULT_UNSEAL_KEYS:-${VAULT_UNSEAL_KEY:-}}"
|
||||||
UNSEAL_KEY="$SAVED_UNSEAL_KEY"
|
if [ -z "$UNSEAL_KEYS_RAW" ]; then
|
||||||
echo "Using VAULT_UNSEAL_KEY from environment."
|
echo "Vault is sealed but VAULT_UNSEAL_KEY/VAULT_UNSEAL_KEYS is empty."
|
||||||
elif [ -f /vault/data/init.json ]; then
|
kill $VAULT_PID || true
|
||||||
UNSEAL_KEY=$(grep -o '"unseal_keys_b64":\["[^"]*"' /vault/data/init.json | grep -o '\["[^"]*"' | tr -d '["')
|
exit 1
|
||||||
echo "Using unseal key from /vault/data/init.json."
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
# Auto-unseal
|
echo "Vault is sealed; applying unseal keys from environment..."
|
||||||
if [ -n "$UNSEAL_KEY" ]; then
|
for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' '); do
|
||||||
SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
|
[ -n "$key" ] || continue
|
||||||
if [ "$SEALED" = "1" ]; then
|
vault operator unseal "$key" >/dev/null
|
||||||
echo "Vault is sealed, unsealing..."
|
STATUS_JSON="$(get_status_json)"
|
||||||
vault operator unseal "$UNSEAL_KEY"
|
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
||||||
echo "Vault unsealed."
|
if [ "$SEALED_FLAG" = "false" ]; then
|
||||||
else
|
echo "Vault unsealed."
|
||||||
echo "Vault is already unsealed."
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
STATUS_JSON="$(get_status_json)"
|
||||||
|
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
||||||
|
if [ "$SEALED_FLAG" != "false" ]; then
|
||||||
|
echo "Vault is still sealed after provided key(s)."
|
||||||
|
kill $VAULT_PID || true
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "No unseal key available, skipping auto-unseal."
|
echo "Vault is already unsealed."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
wait $VAULT_PID
|
wait $VAULT_PID
|
||||||
|
|||||||
Reference in New Issue
Block a user