
Add support for multiple Vault instances

This commit is contained in:
Knut Ahlers 2016-08-15 16:28:08 +02:00
parent 2033f72ab2
commit d32407f43c
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E

112
main.go

@ -3,19 +3,24 @@ package main // import "github.com/Jimdo/vault-unseal"
import ( import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"fmt"
"log" "log"
"net/http" "net/http"
"os" "os"
"sync"
"time" "time"
"golang.org/x/net/context"
"golang.org/x/net/context/ctxhttp"
"github.com/Luzifer/rconfig" "github.com/Luzifer/rconfig"
) )
var config = struct { var config = struct {
OneShot bool `flag:"oneshot,1" default:"false" description:"Only try once and exit after"` OneShot bool `flag:"oneshot,1" default:"false" description:"Only try once and exit after"`
SealTokens []string `flag:"tokens" default:"" description:"Tokens to try for unsealing the vault instance"` SealTokens []string `flag:"tokens" default:"" description:"Tokens to try for unsealing the vault instance"`
VaultInstance string `flag:"instance" env:"VAULT_ADDR" default:"http://127.0.0.1:8200" description:"Vault instance to unlock"` VaultInstances []string `flag:"instance" env:"VAULT_ADDR" default:"http://127.0.0.1:8200" description:"Vault instance to unlock"`
Sleep int `flag:"sleep" default:"30" description:"How long to wait between sealed-state checks"` Sleep int `flag:"sleep" default:"30" description:"How long to wait between sealed-state checks"`
}{} }{}
func init() { func init() {
@ -34,52 +39,21 @@ func init() {
} }
func main() { func main() {
timedClient := http.DefaultClient var wg sync.WaitGroup
timedClient.Timeout = 10 * time.Second
for { for {
s := sealStatus{} for i := range config.VaultInstances {
r, err := timedClient.Get(config.VaultInstance + "/v1/sys/seal-status") wg.Add(1)
if err != nil { go func(i int) {
log.Printf("An error ocurred while reading seal-status: %s\n", err) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
os.Exit(1)
}
defer r.Body.Close()
if err := json.NewDecoder(r.Body).Decode(&s); err != nil { defer wg.Done()
log.Printf("Unable to decode seal-status: %s\n", err) defer cancel()
os.Exit(1)
}
if s.Sealed { if err := unsealInstance(ctx, config.VaultInstances[i]); err != nil {
for _, token := range config.SealTokens { log.Printf("[ERR] %s", err)
log.Printf("Vault instance is sealed (missing %d tokens), trying to unlock...\n", s.T-s.Progress)
body := bytes.NewBuffer([]byte{})
json.NewEncoder(body).Encode(map[string]interface{}{
"key": token,
})
r, _ := http.NewRequest("PUT", config.VaultInstance+"/v1/sys/unseal", body)
resp, err := timedClient.Do(r)
if err != nil {
log.Printf("An error ocurred while doing unseal: %s\n", err)
os.Exit(1)
} }
defer resp.Body.Close() }(i)
if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
log.Printf("Unable to decode seal-status: %s\n", err)
os.Exit(1)
}
if !s.Sealed {
log.Printf("Unseal successfully finished.\n")
break
}
}
if s.Sealed {
log.Printf("Vault instance is still sealed (missing %d tokens), I don't have any more tokens.\n", s.T-s.Progress)
}
} }
if config.OneShot { if config.OneShot {
@ -88,4 +62,52 @@ func main() {
<-time.After(time.Duration(config.Sleep) * time.Second) <-time.After(time.Duration(config.Sleep) * time.Second)
} }
} }
wg.Wait()
}
func unsealInstance(ctx context.Context, instance string) error {
s := sealStatus{}
r, err := ctxhttp.Get(ctx, http.DefaultClient, instance+"/v1/sys/seal-status")
if err != nil {
return fmt.Errorf("[%s] An error ocurred while reading seal-status: %s", instance, err)
}
defer r.Body.Close()
if err := json.NewDecoder(r.Body).Decode(&s); err != nil {
return fmt.Errorf("[%s] Unable to decode seal-status: %s", instance, err)
}
if s.Sealed {
for _, token := range config.SealTokens {
log.Printf("[%s] Vault instance is sealed (missing %d tokens), trying to unlock...", instance, s.T-s.Progress)
body := bytes.NewBuffer([]byte{})
json.NewEncoder(body).Encode(map[string]interface{}{
"key": token,
})
r, _ := http.NewRequest("PUT", instance+"/v1/sys/unseal", body)
resp, err := ctxhttp.Do(ctx, http.DefaultClient, r)
if err != nil {
return fmt.Errorf("[%s] An error ocurred while doing unseal: %s", instance, err)
}
defer resp.Body.Close()
if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
return fmt.Errorf("[%s] Unable to decode seal-status: %s", instance, err)
}
if !s.Sealed {
log.Printf("[%s] Unseal successfully finished.", instance)
break
}
}
if s.Sealed {
log.Printf("[%s] Vault instance is still sealed (missing %d tokens), I don't have any more tokens.", instance, s.T-s.Progress)
}
} else {
log.Printf("[%s] Vault instance is already unsealed.", instance)
}
return nil
} }
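Review bot: The 10-second context created in main's goroutine now bounds the whole of unsealInstance — the seal-status GET plus one PUT per entry in config.SealTokens — whereas the old timedClient.Timeout applied per request, so with several tokens or a slow instance the deadline can expire partway through the key sequence and the function returns an error after some keys were already submitted. The simplest fix is to size the deadline by the work it covers, e.g. in main `ctx, cancel := context.WithTimeout(context.Background(), time.Duration(len(config.SealTokens)+1)*10*time.Second)`, or alternatively derive a per-request child context inside the loop. Two errors in the loop are still dropped: `r, _ := http.NewRequest(...)` and the unchecked `json.NewEncoder(body).Encode(...)` — a malformed instance URL would surface only as a confusing ctxhttp.Do failure, so `if err != nil { return fmt.Errorf("[%s] building unseal request: %s", instance, err) }` after NewRequest is worth adding. `defer resp.Body.Close()` inside the token loop holds every response open until unsealInstance returns; closing explicitly after Decode releases the connection per iteration. main begins in the previous hunk; note that wg.Wait() is only reached on the OneShot path, so in loop mode a new round of goroutines is started every config.Sleep seconds regardless of whether the previous round finished, which is presumably harmless only while Sleep exceeds the context timeout.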