infamousjoeg
12/10/2015 - 7:31 PM
Bash shell script to check seal status for local vault server and attempt to unseal using keys secured in vault secret store. Supports HA Va
Bash shell script to check seal status for local vault server and attempt to unseal using keys secured in vault secret store. Supports HA Vault clusters with TLS with unseal keys stored as secrets in vault (see code). Relies on registered service vault.service.consul, in place DNS configuration, and a single unsealed vault instance in your cluster in order to automatically unseal. Simple and should be easily adapted to your environment.
#!/bin/bash
export vault=/usr/local/bin/vault
export VAULT_TOKEN=$(cat /root/.vault-token)
vault_cacert='-ca-cert=/path/to/your/ca.pem'
local_vault="-address=https://$(hostname -f):8200"
unsealed_vault="-address=https://$(getent hosts $(dig +short vault.service.consul | tail -n 1) | awk '{ print $2 }'):8200"
leader_vault="-address=https://$($vault status $vault_cacert $unsealed_vault 2> /dev/null | grep Leader | awk '{ print $2 }' | sed 's/^http\(\|s\):\/\///g'):8200"
vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"
function check_unsealed(){
$vault_status &> /dev/null
if [[ ! $? == "0" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
exit 1
fi
}
function get_keys(){
vault_key_1=$($vault_read -field=value secret/vault/keys/1 2> /dev/null)
vault_key_2=$($vault_read -field=value secret/vault/keys/2 2> /dev/null)
vault_key_3=$($vault_read -field=value secret/vault/keys/3 2> /dev/null)
vault_key_4=$($vault_read -field=value secret/vault/keys/4 2> /dev/null)
vault_key_5=$($vault_read -field=value secret/vault/keys/5 2> /dev/null)
if [[ -z "$vault_key_1" ]] || [[ -z "$vault_key_2" ]] || [[ -z "$vault_key_3" ]] || [[ -z "$vault_key_4" ]] || [[ -z "$vault_key_5" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error retrieving unseal keys from Vault secret store!"
exit 1
fi
}
function unseal_vault(){
$vault_unseal $vault_key_1 &> /dev/null;
status_1=$?
$vault_unseal $vault_key_2 &> /dev/null;
status_2=$?
$vault_unseal $vault_key_3 &> /dev/null;
status_3=$?
# Only need three to unseal
#$vault_unseal $vault_key_4 &> /dev/null;
#status_4=$?
#$vault_unseal $vault_key_5 &> /dev/null;
#status_5=$?
if [[ ! $status_1 == "0" ]] || [[ ! $status_2 == "0" ]] || [[ ! $status_3 == "0" ]] # || [[ ! "status_4" == "0" ]] || [[ ! "status_5" == "0" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error unsealing local Vault instance!"
exit 1
fi
}
function main(){
$vault_status &> /dev/null
if [[ $? == "0" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[IFNO]: Local Vault instance is already unsealed!"
exit 0
fi
if [[ -z "$unsealed_vault" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Consul service returned no unsealed Vault instances!"
exit 1
else
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Consul service returned unsealed Vault instance..."
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to get secured keys from Vault secret store..."
get_keys
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Got unseal keys successfull..."
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys..."
unseal_vault
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Checking local seal status..."
check_unsealed
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is now unsealed!"
fi
}
main
exit 0