Update to 2024-04-17 12:01

2025-07-27 16:25:56 +02:00 · 2024-04-17 12:01:07 +02:00
parent 024be47049
commit d5a00e4130
5 changed files with 32 additions and 0 deletions
--- a/roles/vault/templates/unseal
+++ b/roles/vault/templates/unseal
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+export VAULT_ADDR={{ vault_conf.api_addr }}
+
+UNSEAL='{% if vault_unseal_keys | length > 0 %}{{ vault_unseal_keys | join(',') }}{% endif %}'
+STATUS=$(vault status -format json)
+
+if [ "$(echo ${STATUS} | jq -r .initialized)" != "true" ]; then
+  echo "Vault not initialized yet"
+  exit 0
+fi
+
+if [ "$(echo ${STATUS} | jq -r .sealed)" != "true" ]; then
+  echo "Vault not sealed, nothing to do"
+  exit 0
+fi
+
+for KEY in $(echo ${UNSEAL} | sed -E 's/,/\n/g'); do
+  vault operator unseal "${KEY}"
+done
--- a/roles/vault/templates/vault.service.j2
+++ b/roles/vault/templates/vault.service.j2
@@ -22,6 +22,9 @@ CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
 ExecStart=/usr/local/bin/vault server -config={{ vault_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
+{%- if vault_unseal_keys | length > 0 +%}
+ExecStartPost=!{{ vault_root_dir }}/bin/unseal }}
+{%- endif +%}
 KillMode=process
 KillSignal=SIGINT
 Restart=on-failure