mirror of
https://github.com/flibusta-apps/vault-unseal-docker.git
synced 2025-12-06 06:35:38 +01:00
init
This commit is contained in:
Brett Jones
6
Dockerfile
Normal file
6
Dockerfile
Normal file
@@ -0,0 +1,6 @@
|
|||||||
|
FROM vault:0.6.4
|
||||||
|
MAINTAINER blockloop
|
||||||
|
|
||||||
|
ADD ./vault-unseal.sh /vault-unseal.sh
|
||||||
|
|
||||||
|
CMD ["/vault-unseal.sh"]
|
||||||
21
README.md
Normal file
21
README.md
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
# Vault Unsealer for Docker
|
||||||
|
|
||||||
|
Unseal a [vault](https://www.vaultproject.io) with a docker container given only environment variables.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
This project was initially created to run as a kubernetes job to unseal a vault within the same cluster. This gives you the ability to pass env variables to a docker container and have it unseal a vault with the given keys. This image is based on the official vault image so many of the variables are the same.
|
||||||
|
|
||||||
|
`VAULT_ADDR` - the location of the vault server. You must specify the protocol (i.e. VAULT_ADDR=http://vault:8200)
|
||||||
|
|
||||||
|
`VAULT_UNSEAL_KEY_X` - this is the format of the unseal keys. In Kubernetes these are stored in a secret store and mounted to the Vault Unsealer Job as environment variables.
|
||||||
|
|
||||||
|
This container will loop up to 20 times, as many times as it can until vault is either unsealed or it returns an error. Each time it loops it checks the vault status and then, if the vault is still sealed, it runs `unseal` with the next key, or if it is unsealed, it exists 0.
|
||||||
|
|
||||||
|
## Instructions
|
||||||
|
|
||||||
|
1. Set vault key environment variables as `VAULT_UNSEAL_KEY_1`, `VAULT_UNSEAL_KEY_2`, etc.
|
||||||
|
2. Set vault key address as `VAULT_ADDR`
|
||||||
|
3. Optionally set `VAULT_SKIP_VERIFY` to 1.
|
||||||
|
4. Check the [vault docs](https://www.vaultproject.io/docs/commands/environment.html) on environment variables to see all of your options.
|
||||||
|
5. Run the container and watch it unseal your vault.
|
||||||
34
vault-unseal.sh
Executable file
34
vault-unseal.sh
Executable file
@@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
for i in {1..20}; do
|
||||||
|
# https://github.com/hashicorp/vault/blob/c44f1c9817955d4c7cd5822a19fb492e1c2d0c54/command/status.go#L107
|
||||||
|
# code reflects the seal status (0 unsealed, 2 sealed, 1 error).
|
||||||
|
vault status;
|
||||||
|
st=$?
|
||||||
|
|
||||||
|
if [ $st -eq 0 ]; then
|
||||||
|
echo "vault is unsealed"
|
||||||
|
exit 0
|
||||||
|
elif [ $st -eq 2 ]; then
|
||||||
|
echo "vault is sealed"
|
||||||
|
echo "unsealing with key $i"
|
||||||
|
v="VAULT_UNSEAL_KEY_$i"
|
||||||
|
v="${!v}"
|
||||||
|
|
||||||
|
if [ -z "$v" ]; then
|
||||||
|
echo "ran out of vault uneal keys at $i (VAULT_UNSEAL_KEY_$i is empty). terminating..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
vault useal "$v" > /dev/null
|
||||||
|
code=$?
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
echo "unseal returned a bad exit code ($code). terminating..."
|
||||||
|
exit $code
|
||||||
|
fi
|
||||||
|
|
||||||
|
elif [ $st -eq 1 ]; then
|
||||||
|
echo "vault returned an error"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
Reference in New Issue
Block a user