init

2025-12-06 14:45:37 +01:00 · 2017-01-16 12:17:22 -06:00
commit dcb9105bcd
3 changed files with 61 additions and 0 deletions
--- a/6
+++ b/6
@@ -0,0 +1,6 @@
+FROM vault:0.6.4
+MAINTAINER blockloop
+
+ADD ./vault-unseal.sh /vault-unseal.sh
+
+CMD ["/vault-unseal.sh"]
--- a/README.md
+++ b/README.md
@@ -0,0 +1,21 @@
+# Vault Unsealer for Docker
+
+Unseal a [vault](https://www.vaultproject.io) with a docker container given only environment variables.
+
+![](https://img.shields.io/docker/pulls/blockloop/vault-unseal-docker.svg)
+
+This project was initially created to run as a kubernetes job to unseal a vault within the same cluster. This gives you the ability to pass env variables to a docker container and have it unseal a vault with the given keys. This image is based on the official vault image so many of the variables are the same. 
+
+`VAULT_ADDR` - the location of the vault server. You must specify the protocol (i.e. VAULT_ADDR=http://vault:8200)
+
+`VAULT_UNSEAL_KEY_X` - this is the format of the unseal keys. In Kubernetes these are stored in a secret store and mounted to the Vault Unsealer Job as environment variables.
+
+This container will loop up to 20 times, as many times as it can until vault is either unsealed or it returns an error. Each time it loops it checks the vault status and then, if the vault is still sealed, it runs `unseal` with the next key, or if it is unsealed, it exists 0. 
+
+## Instructions
+
+1. Set vault key environment variables  as `VAULT_UNSEAL_KEY_1`, `VAULT_UNSEAL_KEY_2`, etc. 
+2. Set vault key address as `VAULT_ADDR`
+3. Optionally set `VAULT_SKIP_VERIFY` to 1. 
+4. Check the [vault docs](https://www.vaultproject.io/docs/commands/environment.html) on environment variables to see all of your options. 
+5. Run the container and watch it unseal your vault.
--- a/vault-unseal.sh
+++ b/vault-unseal.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+for i in {1..20}; do
+    # https://github.com/hashicorp/vault/blob/c44f1c9817955d4c7cd5822a19fb492e1c2d0c54/command/status.go#L107
+    # code reflects the seal status (0 unsealed, 2 sealed, 1 error).
+    vault status;
+    st=$?
+
+    if [ $st -eq 0 ]; then
+        echo "vault is unsealed"
+        exit 0
+    elif [ $st -eq 2 ]; then
+        echo "vault is sealed"
+        echo "unsealing with key $i"
+        v="VAULT_UNSEAL_KEY_$i"
+        v="${!v}"
+
+        if [ -z "$v" ]; then
+            echo "ran out of vault uneal keys at $i (VAULT_UNSEAL_KEY_$i is empty). terminating..."
+            exit 1
+        fi
+
+        vault useal "$v" > /dev/null
+        code=$?
+        if [ $? -ne 0 ] ; then
+            echo "unseal returned a bad exit code ($code). terminating..."
+            exit $code
+        fi
+
+    elif [ $st -eq 1 ]; then
+        echo "vault returned an error"
+        exit 1
+    fi
+done