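#!/bin/sh
#
# Container entrypoint for a single-node Vault server.
#
# Starts `vault server` in the background, waits until `vault status` answers
# with both the "initialized" and "sealed" flags, then:
#   * if the storage backend is uninitialized, runs `operator init` with a
#     single key share, persists the init output to /vault/data/init.json and
#     unseals with the freshly generated key;
#   * if Vault is initialized but sealed, unseals it with the key(s) given in
#     VAULT_UNSEAL_KEYS or VAULT_UNSEAL_KEY (',' or ';' separated);
#   * otherwise leaves it as-is.
# Finally it waits on the server process so that its exit status becomes the
# script's (container's) exit status.
#
# Environment (read):
#   VAULT_UNSEAL_KEYS / VAULT_UNSEAL_KEY  unseal key(s); only consulted when an
#                                         already-initialized store is sealed
# Files:
#   /vault/config/vault.hcl  server configuration (read)
#   /vault/data/init.json    `operator init` output: unseal key + initial root
#                            token (written once, owner-readable only)
set -e

export VAULT_ADDR="http://127.0.0.1:8200"

readonly INIT_OUTPUT=/vault/data/init.json

# Print `vault status` as JSON on stdout. `vault status` exits non-zero while
# Vault is sealed or not yet reachable, so the status is deliberately masked
# here and callers decide from the (possibly empty) output.
get_status_json() {
  vault status -format=json 2>/dev/null || true
}

# read_flag JSON KEY
#   Print "true" or "false" for the boolean KEY in JSON, nothing if absent.
#   KEY is only ever a literal from this script, so it is safe to splice into
#   the sed pattern. Variables carry a prefix because POSIX sh has no `local`
#   and the main body uses `key` as a loop variable.
#   NOTE: `\|` alternation is a GNU/busybox sed extension, not strict POSIX BRE.
read_flag() {
  _rf_json="$1"
  _rf_key="$2"
  printf '%s' "$_rf_json" | tr -d '\n' \
    | sed -n "s/.*\"$_rf_key\":[[:space:]]*\\(true\\|false\\).*/\\1/p" \
    | head -n1
}

# fail MSG
#   Report MSG on stderr, stop the background server and exit 1.
fail() {
  printf '%s\n' "$1" >&2
  kill "$VAULT_PID" 2>/dev/null || true
  exit 1
}

vault server -config=/vault/config/vault.hcl &
VAULT_PID=$!

echo "Waiting for Vault status endpoint..."
while true; do
  STATUS_JSON="$(get_status_json)"
  INIT_FLAG="$(read_flag "$STATUS_JSON" initialized)"
  SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
  if [ -n "$INIT_FLAG" ] && [ -n "$SEALED_FLAG" ]; then
    break
  fi
  # If the server has already gone away (e.g. rejected config) there is no
  # endpoint to wait for; propagate its exit status instead of polling forever.
  # `kill -0` only checks that the PID still exists.
  if ! kill -0 "$VAULT_PID" 2>/dev/null; then
    printf '%s\n' "Vault server exited before the status endpoint became available." >&2
    wait "$VAULT_PID" || exit $?
    exit 1
  fi
  sleep 1
done

if [ "$INIT_FLAG" = "false" ]; then
  echo "Vault is not initialized, running operator init..."
  INIT_JSON=$(vault operator init -key-shares=1 -key-threshold=1 -format=json)
  # The init output contains the unseal key AND the initial root token. Create
  # the file owner-readable only (umask is confined to the subshell) and also
  # tighten the mode in case a file already existed at that path.
  ( umask 077; printf '%s\n' "$INIT_JSON" > "$INIT_OUTPUT" )
  chmod 600 "$INIT_OUTPUT"
  UNSEAL_KEYS_RAW=$(printf '%s' "$INIT_JSON" | tr -d '\n' \
    | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p')
  # An empty extraction would otherwise reach `vault operator unseal ""`.
  [ -n "$UNSEAL_KEYS_RAW" ] \
    || fail "Could not extract the unseal key from operator init output."
  echo "Vault initialized. Auto-unsealing with new key..."
  vault operator unseal "$UNSEAL_KEYS_RAW" >/dev/null
  echo "Vault initialized and unsealed."
  wait "$VAULT_PID"
  exit $?
fi

if [ "$SEALED_FLAG" = "true" ]; then
  UNSEAL_KEYS_RAW="${VAULT_UNSEAL_KEYS:-${VAULT_UNSEAL_KEY:-}}"
  if [ -z "$UNSEAL_KEYS_RAW" ]; then
    fail "Vault is sealed but VAULT_UNSEAL_KEY/VAULT_UNSEAL_KEYS is empty."
  fi
  echo "Vault is sealed; applying unseal keys from environment..."
  # Word-splitting on the substituted separators is intentional: unseal keys
  # are base64 text and contain no whitespace.
  for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' '); do
    [ -n "$key" ] || continue
    # NOTE: the key is passed as an argument and is therefore visible in the
    # process list of this PID namespace while the command runs.
    vault operator unseal "$key" >/dev/null \
      || fail "Unseal attempt with a provided key failed."
    SEALED_FLAG="$(read_flag "$(get_status_json)" sealed)"
    if [ "$SEALED_FLAG" = "false" ]; then
      echo "Vault unsealed."
      break
    fi
  done
  # Re-check once more so a threshold that was never reached is reported.
  SEALED_FLAG="$(read_flag "$(get_status_json)" sealed)"
  if [ "$SEALED_FLAG" != "false" ]; then
    fail "Vault is still sealed after provided key(s)."
  fi
else
  echo "Vault is already unsealed."
fi

wait "$VAULT_PID"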