Add support for multiple Vault instances
This commit is contained in:
parent
2033f72ab2
commit
d32407f43c
1 changed files with 67 additions and 45 deletions
main.go
main.go
|
@ -3,18 +3,23 @@ package main // import "github.com/Jimdo/vault-unseal"
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"golang.org/x/net/context"
|
||||||
|
"golang.org/x/net/context/ctxhttp"
|
||||||
|
|
||||||
"github.com/Luzifer/rconfig"
|
"github.com/Luzifer/rconfig"
|
||||||
)
|
)
|
||||||
|
|
||||||
var config = struct {
|
var config = struct {
|
||||||
OneShot bool `flag:"oneshot,1" default:"false" description:"Only try once and exit after"`
|
OneShot bool `flag:"oneshot,1" default:"false" description:"Only try once and exit after"`
|
||||||
SealTokens []string `flag:"tokens" default:"" description:"Tokens to try for unsealing the vault instance"`
|
SealTokens []string `flag:"tokens" default:"" description:"Tokens to try for unsealing the vault instance"`
|
||||||
VaultInstance string `flag:"instance" env:"VAULT_ADDR" default:"http://127.0.0.1:8200" description:"Vault instance to unlock"`
|
VaultInstances []string `flag:"instance" env:"VAULT_ADDR" default:"http://127.0.0.1:8200" description:"Vault instance to unlock"`
|
||||||
Sleep int `flag:"sleep" default:"30" description:"How long to wait between sealed-state checks"`
|
Sleep int `flag:"sleep" default:"30" description:"How long to wait between sealed-state checks"`
|
||||||
}{}
|
}{}
|
||||||
|
|
||||||
|
@ -34,52 +39,21 @@ func init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
timedClient := http.DefaultClient
|
var wg sync.WaitGroup
|
||||||
timedClient.Timeout = 10 * time.Second
|
|
||||||
|
|
||||||
for {
|
for {
|
||||||
s := sealStatus{}
|
for i := range config.VaultInstances {
|
||||||
r, err := timedClient.Get(config.VaultInstance + "/v1/sys/seal-status")
|
wg.Add(1)
|
||||||
if err != nil {
|
go func(i int) {
|
||||||
log.Printf("An error ocurred while reading seal-status: %s\n", err)
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
defer r.Body.Close()
|
|
||||||
|
|
||||||
if err := json.NewDecoder(r.Body).Decode(&s); err != nil {
|
defer wg.Done()
|
||||||
log.Printf("Unable to decode seal-status: %s\n", err)
|
defer cancel()
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
|
|
||||||
if s.Sealed {
|
if err := unsealInstance(ctx, config.VaultInstances[i]); err != nil {
|
||||||
for _, token := range config.SealTokens {
|
log.Printf("[ERR] %s", err)
|
||||||
log.Printf("Vault instance is sealed (missing %d tokens), trying to unlock...\n", s.T-s.Progress)
|
|
||||||
body := bytes.NewBuffer([]byte{})
|
|
||||||
json.NewEncoder(body).Encode(map[string]interface{}{
|
|
||||||
"key": token,
|
|
||||||
})
|
|
||||||
r, _ := http.NewRequest("PUT", config.VaultInstance+"/v1/sys/unseal", body)
|
|
||||||
resp, err := timedClient.Do(r)
|
|
||||||
if err != nil {
|
|
||||||
log.Printf("An error ocurred while doing unseal: %s\n", err)
|
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
defer resp.Body.Close()
|
|
||||||
|
|
||||||
if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
|
|
||||||
log.Printf("Unable to decode seal-status: %s\n", err)
|
|
||||||
os.Exit(1)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !s.Sealed {
|
|
||||||
log.Printf("Unseal successfully finished.\n")
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if s.Sealed {
|
|
||||||
log.Printf("Vault instance is still sealed (missing %d tokens), I don't have any more tokens.\n", s.T-s.Progress)
|
|
||||||
}
|
}
|
||||||
|
}(i)
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.OneShot {
|
if config.OneShot {
|
||||||
|
@ -88,4 +62,52 @@ func main() {
|
||||||
<-time.After(time.Duration(config.Sleep) * time.Second)
|
<-time.After(time.Duration(config.Sleep) * time.Second)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
wg.Wait()
|
||||||
|
}
|
||||||
|
|
||||||
|
func unsealInstance(ctx context.Context, instance string) error {
|
||||||
|
s := sealStatus{}
|
||||||
|
r, err := ctxhttp.Get(ctx, http.DefaultClient, instance+"/v1/sys/seal-status")
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("[%s] An error ocurred while reading seal-status: %s", instance, err)
|
||||||
|
}
|
||||||
|
defer r.Body.Close()
|
||||||
|
|
||||||
|
if err := json.NewDecoder(r.Body).Decode(&s); err != nil {
|
||||||
|
return fmt.Errorf("[%s] Unable to decode seal-status: %s", instance, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if s.Sealed {
|
||||||
|
for _, token := range config.SealTokens {
|
||||||
|
log.Printf("[%s] Vault instance is sealed (missing %d tokens), trying to unlock...", instance, s.T-s.Progress)
|
||||||
|
body := bytes.NewBuffer([]byte{})
|
||||||
|
json.NewEncoder(body).Encode(map[string]interface{}{
|
||||||
|
"key": token,
|
||||||
|
})
|
||||||
|
r, _ := http.NewRequest("PUT", instance+"/v1/sys/unseal", body)
|
||||||
|
resp, err := ctxhttp.Do(ctx, http.DefaultClient, r)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("[%s] An error ocurred while doing unseal: %s", instance, err)
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
|
||||||
|
return fmt.Errorf("[%s] Unable to decode seal-status: %s", instance, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !s.Sealed {
|
||||||
|
log.Printf("[%s] Unseal successfully finished.", instance)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if s.Sealed {
|
||||||
|
log.Printf("[%s] Vault instance is still sealed (missing %d tokens), I don't have any more tokens.", instance, s.T-s.Progress)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
log.Printf("[%s] Vault instance is already unsealed.", instance)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
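Review bot: Neither response in unsealInstance is checked for its HTTP status before decoding: the seal-status GET at `r, err := ctxhttp.Get(ctx, http.DefaultClient, instance+"/v1/sys/seal-status")` and the unseal PUT at `resp, err := ctxhttp.Do(ctx, http.DefaultClient, r)` both feed the body straight into json.Decoder, and since `s := sealStatus{}` is declared once and reused for every decode, a non-2xx JSON error body decodes cleanly and leaves the previous Sealed/Progress values in place, so a rejected unseal is not reported and the loop simply feeds the next token. After each error check add `if r.StatusCode != http.StatusOK { return fmt.Errorf("[%s] seal-status returned HTTP %d", instance, r.StatusCode) }` and the equivalent check on resp. The `defer resp.Body.Close()` inside the token loop only fires when the function returns, so one open body per token accumulates across the remaining iterations; closing it at the end of each iteration, or moving the PUT into a small helper, keeps that bounded. The 10-second context created in main now spans the whole seal-status-plus-unseal sequence for an instance rather than a single request as the removed `timedClient.Timeout` did, so an instance that needs several tokens over a slow link may be cancelled part-way, which is worth a comment at the `context.WithTimeout` call if it is intended. With instances now taken from a list, a non-loopback `http://` entry sends unseal key shards in the clear; rejecting, or at least warning on, plain http for non-loopback hosts before the first request would be a cheap guard.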