Merge pull request 'feat: auto-unseal vault every hour' (#132) from neoloc/vault_unseal_check into develop

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/132
2024-08-06 22:51:54 +10:00 · 2024-08-06 22:51:54 +10:00 · 3ce2ec3754
commit 3ce2ec3754
parent 988e7c2a32 7863d54275
1 changed files with 10 additions and 0 deletions
--- a/site/profiles/manifests/vault/unseal.pp
+++ b/site/profiles/manifests/vault/unseal.pp
@ -34,4 +34,14 @@ class profiles::vault::unseal (
    require   => File['/usr/local/bin/vault-unseal.sh'],
    subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
  }
+
+  # restart the vault-unseal service hourly to ensure vault is unsealled
+  cron { 'restart_vault_unseal':
+    ensure  => 'present',
+    user    => 'root',
+    command => '/bin/systemctl restart vault-unseal',
+    minute  => fqdn_rand(60),
+    hour    => '*',
+    require => Service['vault-unseal'],
+  }
 }