feat: ensure vault restarts with ssl cert

- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
2024-10-27 12:59:36 +11:00
parent 09a448ea52
commit ca87702466
2 changed files with 31 additions and 16 deletions
@@ -5,19 +5,24 @@
VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
# Check if Vault is sealed
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
if [ "$is_sealed" != "true" ]; then
echo "Vault is already unsealed."
exit 0
fi
while true; do
# Check if Vault is sealed
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
if [ "$is_sealed" == "false" ]; then
echo "Vault is already unsealed."
break
fi
# Retrieve unseal keys from plaintext file
unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
# Retrieve unseal keys from plaintext file
unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
# Loop through the unseal keys and use them to unseal Vault
for key in $unseal_keys; do
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
# Loop through the unseal keys and use them to unseal Vault
for key in $unseal_keys; do
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
done
echo "Attempted to unseal Vault. Checking if still sealed..."
sleep 1
done
echo "Vault has been unsealed."
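Review bot: The unseal key share is still handed to curl as an argument at `curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal`, so every pass of the new retry loop exposes it in the process list (`ps`, `/proc/*/cmdline`) to any local user for the duration of the request. Send it over stdin instead, e.g. `printf '{"key":"%s"}' "$key" | curl -s --fail --request PUT --data @- "$VAULT_ADDR/v1/sys/unseal"`, which also quotes `$VAULT_ADDR` and lets a non-2xx response be seen rather than swallowed. The loop has no ceiling: when the seal-status call fails (Vault not listening yet, or TLS rejecting the newly issued cert) `is_sealed` is empty, the `== "false"` test does not match, and the script keeps PUTting keys once a second indefinitely, so a retry counter that exits non-zero after N attempts would turn a bad cert or wrong key into a visible failure instead of a silent hang. The shebang and any `set` options sit above the hunk, so whether the script already aborts on a failed curl cannot be judged from what is shown.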