pdehlke · May 11, 2017 18:29 · Dec 10, 2015
diff --git a/vaultsealmanager.sh b/vaultsealmanager.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+export vault=/usr/local/bin/vault
+export VAULT_TOKEN=$(cat /root/.vault-token)
+vault_cacert='-ca-cert=/path/to/your/ca.pem'
+local_vault="-address=https://$(hostname -f):8200"
+unsealed_vault="-address=https://$(getent hosts $(dig +short vault.service.consul  | tail -n 1) | awk '{ print $2 }'):8200"
+leader_vault="-address=https://$($vault status $vault_cacert $unsealed_vault 2> /dev/null | grep Leader | awk '{ print $2 }' | sed 's/^http\(\|s\):\/\///g'):8200"
+vault_read="$vault read $vault_cacert $leader_vault"
+vault_unseal="$vault unseal $vault_cacert $local_vault"
+vault_status="$vault status $vault_cacert $local_vault"
+
+
+function check_unsealed(){
+    $vault_status &> /dev/null
+    if [[ ! $? == "0" ]]
+    then
+        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
+        exit 1
+    fi
+}
+
+function get_keys(){
+    vault_key_1=$($vault_read -field=value secret/vault/keys/1 2> /dev/null)
+    vault_key_2=$($vault_read -field=value secret/vault/keys/2 2> /dev/null)
+    vault_key_3=$($vault_read -field=value secret/vault/keys/3 2> /dev/null)
+    vault_key_4=$($vault_read -field=value secret/vault/keys/4 2> /dev/null)
+    vault_key_5=$($vault_read -field=value secret/vault/keys/5 2> /dev/null)
+    if [[ -z "$vault_key_1" ]] || [[ -z "$vault_key_2" ]] || [[ -z "$vault_key_3" ]] || [[ -z "$vault_key_4" ]] || [[ -z "$vault_key_5" ]]
+    then
+        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error retrieving unseal keys from Vault secret store!"
+        exit 1
+    fi
+}
+
+function unseal_vault(){
+    $vault_unseal $vault_key_1 &> /dev/null;
+    status_1=$?
+    $vault_unseal $vault_key_2 &> /dev/null;
+    status_2=$?
+    $vault_unseal $vault_key_3 &> /dev/null;
+    status_3=$?
+    # Only need three to unseal
+    #$vault_unseal $vault_key_4 &> /dev/null;
+    #status_4=$?
+    #$vault_unseal $vault_key_5 &> /dev/null;
+    #status_5=$?
+    if [[ ! $status_1 == "0" ]] || [[ ! $status_2 == "0" ]] || [[ ! $status_3 == "0" ]]    # || [[ ! "status_4" == "0" ]] || [[ ! "status_5" == "0" ]]
+    then
+        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error unsealing local Vault instance!"
+        exit 1
+    fi
+}
+
+function main(){
+    $vault_status &> /dev/null
+    if [[ $? == "0" ]]
+    then
+        echo "VaultSealManager-[$(date +'%X %x')]-[IFNO]: Local Vault instance is already unsealed!"
+        exit 0
+    fi
+    if [[ -z "$unsealed_vault" ]]
+    then
+        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Consul service returned no unsealed Vault instances!"
+        exit 1
+    else
+        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Consul service returned unsealed Vault instance..."
+        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to get secured keys from Vault secret store..."
+        get_keys
+        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Got unseal keys successfull..."
+        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys..."
+        unseal_vault
+        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Checking local seal status..."
+        check_unsealed
+        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is now unsealed!"
+    fi
+}
+
+main
+exit 0
No results found