
#!/bin/sh
# Vault container entrypoint: starts the server in the background, then either
# initialises it (first run) or unseals it with key shares taken from the
# environment (VAULT_UNSEAL_KEYS, or the single-key VAULT_UNSEAL_KEY), so the
# container comes up serving without manual intervention.
#
# Abort when a command outside a condition fails. POSIX sh has no pipefail, so
# a pipeline only reports the status of its last stage.
set -e
# Every `vault` CLI call below is aimed at the listener this script starts.
VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_ADDR
#######################################
# Print the server's status document as JSON, or nothing when the CLI cannot
# produce it yet. Error text is discarded and the exit status forced to 0:
# `vault status` exits non-zero while the server is sealed (while still
# printing the JSON), and a non-zero status here would trip the caller's
# `set -e` during the start-up poll.
# Globals:   VAULT_ADDR (read by the vault CLI)
# Outputs:   status JSON on stdout, empty when the CLI fails
# Returns:   always 0
#######################################
get_status_json() {
  if ! vault status -format=json 2>/dev/null; then
    :
  fi
}
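#######################################
# Extract a boolean field from a JSON document without jq.
# Prints "true" or "false" for the named key, nothing when the key is absent
# or its value is not a bare boolean. This is text matching, not parsing: it
# assumes the key occurs once in the document (true for `vault status`
# output) and that the key is a plain identifier (no regex metacharacters
# or `/`), because the key is spliced into a sed pattern. Not for untrusted
# JSON.
# Arguments: $1 - JSON text (newlines are removed before matching)
#            $2 - key name
# Outputs:   "true" or "false" on stdout, or nothing
# Returns:   status of the pipeline's last stage (head), normally 0
#######################################
read_flag() {
  # The positional parameters are used directly: POSIX sh has no `local`,
  # so assigning to `json`/`key` here would set globals, and a call made
  # outside a command substitution would clobber the caller's `key` loop
  # variable. Two substitutions replace the GNU-only `\|` alternation so the
  # patterns are plain POSIX BREs; when the first one matches, the pattern
  # space becomes "true" and the second cannot match it.
  printf '%s' "$1" \
    | tr -d '\n' \
    | sed -n \
        -e "s/.*\"$2\":[[:space:]]*\\(true\\).*/\\1/p" \
        -e "s/.*\"$2\":[[:space:]]*\\(false\\).*/\\1/p" \
    | head -n1
}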
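# Start the server in the background; the rest of the script drives it through
# the CLI and finally waits on it so the container lives as long as the server.
vault server -config=/vault/config/vault.hcl &
VAULT_PID=$!

echo "Waiting for Vault status endpoint..."
# Poll until the status document carries both booleans the script branches on.
# get_status_json returns an empty string until the listener answers.
while true; do
  STATUS_JSON="$(get_status_json)"
  INIT_FLAG="$(read_flag "$STATUS_JSON" initialized)"
  SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
  if [ -n "$INIT_FLAG" ] && [ -n "$SEALED_FLAG" ]; then
    break
  fi
  sleep 1
  # If the server died (bad config, port already bound), stop polling instead
  # of spinning forever on an empty status document. The check sits after
  # `sleep` so that a shell which reaps children lazily has already collected
  # the exited server while waiting for `sleep`; `kill -0` would still report
  # an unreaped zombie as alive.
  if ! kill -0 "$VAULT_PID" 2>/dev/null; then
    echo "Vault server process exited before the status endpoint came up." >&2
    exit 1
  fi
done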
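if [ "$INIT_FLAG" = "false" ]; then
  echo "Vault is not initialized, running operator init..."
  # One share with threshold 1 so this script can unseal on its own. The
  # response carries the unseal share and the initial root token; under
  # `set -e` a failed init aborts the script here.
  INIT_JSON=$(vault operator init -key-shares=1 -key-threshold=1 -format=json)
  # The init material is kept next to the storage backend for the operator to
  # collect (the sealed-restart path below reads keys from the environment,
  # not from this file). It is the only copy of the root token and of the
  # single unseal share, so restrict it to the owner: the umask governs
  # creation, the chmod covers a file that already existed with wider
  # permissions, which umask alone would not change. Anyone who can read this
  # path can unseal the vault and act as root.
  (umask 077; printf '%s\n' "$INIT_JSON" > /vault/data/init.json)
  chmod 600 /vault/data/init.json
  # Pull the single share out of `"unseal_keys_b64":["…"]`.
  UNSEAL_KEYS_RAW=$(printf '%s' "$INIT_JSON" | tr -d '\n' | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p')
  echo "Vault initialized. Auto-unsealing with new key..."
  # Passing the share as an argument makes it visible in the process table for
  # the duration of the command. The CLI output (the seal status) is dropped.
  vault operator unseal "$UNSEAL_KEYS_RAW" >/dev/null
  echo "Vault initialized and unsealed."
  # Block on the server and propagate its exit status as the container's.
  wait "$VAULT_PID"
  exit $?
fi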
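if [ "$SEALED_FLAG" = "true" ]; then
  # Shares come from the environment: VAULT_UNSEAL_KEYS (several, separated by
  # ',' or ';') or the single-key VAULT_UNSEAL_KEY as a fallback.
  UNSEAL_KEYS_RAW="${VAULT_UNSEAL_KEYS:-${VAULT_UNSEAL_KEY:-}}"
  if [ -z "$UNSEAL_KEYS_RAW" ]; then
    echo "Vault is sealed but VAULT_UNSEAL_KEY/VAULT_UNSEAL_KEYS is empty." >&2
    kill "$VAULT_PID" || true
    exit 1
  fi
  echo "Vault is sealed; applying unseal keys from environment..."
  # Word-splitting (and pathname expansion) of the unquoted substitution is
  # intentional: the shares are expected to be base64 text without whitespace
  # or glob characters.
  key_no=0
  for key in $(printf '%s' "$UNSEAL_KEYS_RAW" | tr ',;' ' '); do
    [ -n "$key" ] || continue
    key_no=$((key_no + 1))
    # A rejected share must not abort the script under `set -e` before the
    # remaining shares are tried. Report it by position only, never by value.
    if ! vault operator unseal "$key" >/dev/null; then
      echo "Unseal key #$key_no was rejected; trying the next one." >&2
      continue
    fi
    STATUS_JSON="$(get_status_json)"
    SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
    if [ "$SEALED_FLAG" = "false" ]; then
      echo "Vault unsealed."
      break
    fi
  done
  # Re-read the status: the loop may have run out of shares (or had every
  # share rejected) before the unseal threshold was reached.
  STATUS_JSON="$(get_status_json)"
  SEALED_FLAG="$(read_flag "$STATUS_JSON" sealed)"
  if [ "$SEALED_FLAG" != "false" ]; then
    echo "Vault is still sealed after provided key(s)." >&2
    kill "$VAULT_PID" || true
    exit 1
  fi
else
  echo "Vault is already unsealed."
fi
# Keep the container alive for as long as the server runs; the script's exit
# status is the server's.
wait "$VAULT_PID"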