

Bash shell script that checks the seal status of the local Vault server and, if it is sealed, attempts to unseal it using keys kept in Vault's secret store. Supports HA Vault clusters with TLS, with the unseal keys stored as secrets in Vault (see code). Relies on the registered service vault.service.consul, working DNS (forward and reverse), and at least one already-unsealed Vault instance in the cluster from which the keys can be read. Simple and should be easily adapted to your environment. Caveat: because every unseal share is readable with the single token in /root/.vault-token, anyone who obtains that token (or compromises a node holding it) can assemble a full quorum on their own, so the Shamir threshold no longer limits what one leaked credential can do — weigh that before relying on this in production.

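#!/bin/bash
#
# VaultSealManager: check the seal status of the local Vault instance and, if
# it is sealed, fetch the unseal key shares from an already-unsealed cluster
# member and submit them to the local instance.
#
# Requirements (see the description above): a vault.service.consul DNS record
# that points at unsealed members only, working reverse DNS for those
# addresses, and a token in /root/.vault-token that may read
# secret/vault/keys/*.
#
# `-e` is deliberately NOT set: the functions below inspect the exit status
# of commands that are expected to fail (a sealed Vault makes `vault status`
# exit non-zero). `-u` catches typos in variable names; `pipefail` keeps a
# failing `dig`/`getent` from being masked by the `tail`/`awk` after it.
set -u -o pipefail

export vault=/usr/local/bin/vault

# Token used to read the unseal shares.
# NOTE(review): whoever can read this file (or this process's environment)
# can pull every stored share, so keep it mode 0600 and bind it to a policy
# that grants nothing beyond read on secret/vault/keys/*.
if [[ -r /root/.vault-token ]]; then
    VAULT_TOKEN="$(cat /root/.vault-token)"
else
    echo "VaultSealManager-[$(date +'%X %x')]-[WARN]: /root/.vault-token is missing or unreadable; Vault requests will carry no token." >&2
    VAULT_TOKEN=""
fi
export VAULT_TOKEN

# The vault_* strings below are expanded UNQUOTED by the functions so that the
# shell splits them into command words; none of their parts may contain
# whitespace. The CA bundle pins the cluster's TLS certificates.
vault_cacert='-ca-cert=/path/to/your/ca.pem'
local_vault="-address=https://$(hostname -f):8200"

# Pick one unsealed member. The description relies on the Consul service
# record returning only unsealed instances; `tail -n 1` simply takes the last
# record when several come back, and the reverse lookup turns it into the
# hostname that the TLS certificate is expected to carry.
# The dig result is quoted so that an empty answer yields an empty host
# instead of making `getent hosts` enumerate the whole hosts database.
unsealed_host="$(getent hosts "$(dig +short vault.service.consul | tail -n 1)" | awk '{ print $2 }')"
unsealed_vault="-address=https://${unsealed_host}:8200"

# The shares are read from the cluster leader, which the unsealed member
# reports in the "Leader" line of `vault status`. The scheme is stripped and
# the port re-added; this assumes the Leader field carries a bare host —
# TODO confirm against the `vault status` output of your Vault version.
leader_host="$($vault status $vault_cacert $unsealed_vault 2> /dev/null | awk '/Leader/ { print $2 }')"
leader_host="${leader_host#http://}"
leader_host="${leader_host#https://}"
leader_vault="-address=https://${leader_host}:8200"

vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"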


#######################################
# Verify that the local Vault instance now reports itself unsealed.
# Globals:   vault_status (read) - `vault status` command for the local node
# Outputs:   an ERROR line on stdout when the node is still sealed
# Returns:   0 when unsealed; exits the script with 1 when still sealed
#######################################
function check_unsealed(){
    # A sealed instance makes `vault status` exit non-zero; its output is
    # irrelevant here, only the status matters.
    if $vault_status > /dev/null 2>&1; then
        return 0
    fi
    echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
    exit 1
}

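#######################################
# Fetch the unseal key shares from the cluster leader into vault_key_1..5.
# Globals:   vault_read (read) - `vault read` command aimed at the leader
#            vault_key_1 .. vault_key_5 (written)
# Outputs:   an ERROR line on stdout naming the first share that could not be
#            read; share values are never printed
# Returns:   0 when all five shares were read; exits the script with 1 on the
#            first missing or empty share
#
# NOTE(review): all five shares live behind the same token and path, so one
# token collects a full quorum by itself and the Shamir threshold gives no
# protection against that token leaking. Keep the policy on
# secret/vault/keys/* read-only and as narrow as possible; unseal_vault only
# submits the first three shares, so storing more than those adds exposure
# without adding function.
#######################################
function get_keys(){
    local index share
    for index in 1 2 3 4 5; do
        # Stderr is dropped on purpose; a failed read shows up as an empty
        # value and is reported by the check below rather than echoed raw.
        share="$($vault_read -field=value "secret/vault/keys/${index}" 2> /dev/null)"
        if [[ -z "$share" ]]; then
            # Stop at the first failure instead of asking for the rest.
            echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error retrieving unseal keys from Vault secret store! (share ${index} is missing or unreadable)"
            exit 1
        fi
        printf -v "vault_key_${index}" '%s' "$share"
    done
}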

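#######################################
# Submit unseal key shares to the local Vault instance.
# Globals:   vault_unseal (read) - `vault unseal` command for the local node
#            vault_key_1 .. vault_key_3 (read)
# Outputs:   an ERROR line on stdout when a submission is rejected
# Returns:   0 when all three shares were accepted; exits the script with 1
#            at the first rejected share
#
# Per the original note, three shares are enough for this cluster, so
# vault_key_4/5 are never submitted.
# NOTE(review): each share is handed to the CLI on argv, where any local user
# can read it from `ps` or /proc for the duration of the call. Feeding it on
# stdin would close that window — confirm first whether your CLI version
# reads the key from stdin when no argument is given.
#######################################
function unseal_vault(){
    local index name share
    for index in 1 2 3; do
        name="vault_key_${index}"
        share="${!name}"
        # Output is discarded on purpose: it would include seal progress and
        # must not land in logs next to an error that names the share.
        if ! $vault_unseal "$share" > /dev/null 2>&1; then
            # Stop at the first rejected share rather than submitting the
            # remaining ones against an instance that already refused one.
            echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error unsealing local Vault instance! (share ${index} was rejected)"
            exit 1
        fi
    done
}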

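#######################################
# Entry point: unseal the local Vault instance when it is sealed.
# Globals:   vault_status, unsealed_vault, leader_vault (read)
# Outputs:   INFO/ERROR progress lines on stdout
# Returns:   exits 0 when the local instance is, or becomes, unsealed;
#            exits 1 when no unsealed peer or leader could be found, or a
#            step (get_keys / unseal_vault / check_unsealed) fails
#######################################
function main(){
    local unsealed_host leader_host

    if $vault_status > /dev/null 2>&1; then
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is already unsealed!"
        exit 0
    fi

    # unsealed_vault always has the shape "-address=https://<host>:8200", so
    # the variable itself is never empty; test the host part, which IS empty
    # when the Consul lookup returned nothing.
    unsealed_host="${unsealed_vault#-address=https://}"
    unsealed_host="${unsealed_host%:8200}"
    if [[ -z "$unsealed_host" ]]; then
        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Consul service returned no unsealed Vault instances!"
        exit 1
    fi
    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Consul service returned unsealed Vault instance..."

    # Same shape for the leader address derived from that instance; without
    # a leader host the key reads below would just go to "https://:8200".
    leader_host="${leader_vault#-address=https://}"
    leader_host="${leader_host%:8200}"
    if [[ -z "$leader_host" ]]; then
        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Could not determine the Vault leader from the unsealed instance!"
        exit 1
    fi

    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to get secured keys from Vault secret store..."
    get_keys
    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Got unseal keys successfully..."
    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys..."
    unseal_vault
    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Checking local seal status..."
    check_unsealed
    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is now unsealed!"
}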

# Run the manager; every failure path exits with 1 from inside the functions,
# so reaching this point means the local instance is unsealed.
main "$@"
exit 0