Home Explore Help
Sign In
sarman
/
tftsr_ai
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 342cbd123d
Branches Tags
tftsr_ai
/
templates
/
vault
/
vault-unseal.sh.j2

vault-unseal.sh.j2 1.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142 
  1. #!/bin/bash
    2. 

  2. # Vault auto-unseal script — managed by Ansible, do not edit manually
    3. 

  3. # Reads unseal key from /etc/vault.d/unseal.key and unseals Vault
    4. 

  4. 

  5. set -e
    6. 

  6. 

  7. VAULT_ADDR="http://127.0.0.1:{{ vault_port }}"
    8. 

  8. UNSEAL_KEY_FILE="/etc/vault.d/unseal.key"
    9. 

  9. 

  10. if [ ! -f "$UNSEAL_KEY_FILE" ]; then
    11. 

  11.     echo "ERROR: unseal key not found at $UNSEAL_KEY_FILE"
    12. 

  12.     exit 1
    13. 

  13. fi
    14. 

  14. 

  15. UNSEAL_KEY=$(cat "$UNSEAL_KEY_FILE")
    16. 

  16. 

  17. if [ -z "$UNSEAL_KEY" ]; then
    18. 

  18.     echo "ERROR: unseal key file is empty"
    19. 

  19.     exit 1
    20. 

  20. fi
    21. 

  21. 

  22. # Wait for Vault API to become ready (up to 60 s)
    23. 

  23. for i in $(seq 1 30); do
    24. 

  24.     STATUS=$(curl -sf "${VAULT_ADDR}/v1/sys/health" 2>/dev/null || true)
    25. 

  25.     if [ -n "$STATUS" ]; then
    26. 

  26.         SEALED=$(echo "$STATUS" | jq -r '.sealed')
    27. 

  27.         if [ "$SEALED" = "false" ]; then
    28. 

  28.             echo "Vault is already unsealed."
    29. 

  29.             exit 0
    30. 

  30.         fi
    31. 

  31.         break
    32. 

  32.     fi
    33. 

  33.     echo "Waiting for Vault API... ($i/30)"
    34. 

  34.     sleep 2
    35. 

  35. done
    36. 

  36. 

  37. echo "Unsealing Vault..."
    38. 

  38. curl -sf -X PUT "${VAULT_ADDR}/v1/sys/unseal" \
    39. 

  39.     -H "Content-Type: application/json" \
    40. 

  40.     -d "{\"key\": \"${UNSEAL_KEY}\"}"
    41. 

  41. echo ""
    42. 

  42. echo "Vault unsealed successfully."
    43.