68 lines
1.7 KiB
Bash
68 lines
1.7 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
export VAULT_ADDR="http://127.0.0.1:8200"
|
|
|
|
get_status_json() {
|
|
vault status -format=json 2>/dev/null || true
|
|
}
|
|
|
|
read_flag() {
|
|
json="$1"
|
|
key="$2"
|
|
printf '%s' "$json" | tr -d '\n' | sed -n "s/.*\"$key\":[[:space:]]*\\(true\\|false\\).*/\\1/p" | head -n1
|
|
}
|
|
|
|
vault server -config=/vault/config/vault.hcl &
|
|
VAULT_PID=$!
|
|
|
|
echo "Waiting for Vault status endpoint..."
|
|
while true; do
|
|
STATUS_JSON="$(get_status_json)"
|
|
INIT_FLAG="$(read_flag "$STATUS_JSON" initialized)"
|
|
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
|
if [ -n "$INIT_FLAG" ] && [ -n "$SEALED_FLAG" ]; then
|
|
break
|
|
fi
|
|
sleep 1
|
|
done
|
|
|
|
if [ "$INIT_FLAG" = "false" ]; then
|
|
echo "Vault is not initialized yet; auto-unseal skipped."
|
|
wait $VAULT_PID
|
|
exit $?
|
|
fi
|
|
|
|
if [ "$SEALED_FLAG" = "true" ]; then
|
|
UNSEAL_KEYS_RAW="${VAULT_UNSEAL_KEYS:-${VAULT_UNSEAL_KEY:-}}"
|
|
if [ -z "$UNSEAL_KEYS_RAW" ]; then
|
|
echo "Vault is sealed but VAULT_UNSEAL_KEY/VAULT_UNSEAL_KEYS is empty."
|
|
kill $VAULT_PID || true
|
|
exit 1
|
|
fi
|
|
|
|
echo "Vault is sealed; applying unseal keys from environment..."
|
|
for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' '); do
|
|
[ -n "$key" ] || continue
|
|
vault operator unseal "$key" >/dev/null
|
|
STATUS_JSON="$(get_status_json)"
|
|
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
|
if [ "$SEALED_FLAG" = "false" ]; then
|
|
echo "Vault unsealed."
|
|
break
|
|
fi
|
|
done
|
|
|
|
STATUS_JSON="$(get_status_json)"
|
|
SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
|
|
if [ "$SEALED_FLAG" != "false" ]; then
|
|
echo "Vault is still sealed after provided key(s)."
|
|
kill $VAULT_PID || true
|
|
exit 1
|
|
fi
|
|
else
|
|
echo "Vault is already unsealed."
|
|
fi
|
|
|
|
wait $VAULT_PID
|