From 5d9c7a4fa4c410842a953fd0aefbaacc1d977316 Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Tue, 25 Nov 2025 10:42:56 +0900
Subject: [PATCH] feat(vault): add `vault::unseal`

---
 docs/troubleshooting.md | 25 ++++++++++++++++++++++++-
 vault/justfile          | 30 ++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index cdf8406..5ae79f4 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -29,6 +29,7 @@
 Vault automatically seals itself when:
 - The Vault pod is restarted
 - The node where Vault is running is restarted
+- The machine is rebooted
 - Vault encounters certain error conditions
 
 When sealed, Vault cannot decrypt its data and all operations are blocked.
@@ -43,7 +44,23 @@ Unseal Vault using your unseal key:
 2. Enter your unseal key in the web interface
 3. Click "Unseal"
 
-**Option 2: Using kubectl**
+**Option 2: Using just recipe (Recommended)**
+
+```bash
+just vault::unseal
+```
+
+This recipe will prompt for the unseal key interactively. You can also set the `VAULT_UNSEAL_KEY` environment variable to avoid entering it repeatedly:
+
+```bash
+# Set in .env.local
+VAULT_UNSEAL_KEY=your-unseal-key-here
+
+# Or use 1Password reference
+VAULT_UNSEAL_KEY=op://vault/unseal/key
+```
+
+**Option 3: Using kubectl**
 
 ```bash
 # Get the unseal key from your secure storage
@@ -53,6 +70,12 @@ UNSEAL_KEY="your-unseal-key-here"
 kubectl exec -n vault vault-0 -- vault operator unseal "${UNSEAL_KEY}"
 ```
 
+After unsealing, restart the External Secrets Operator to ensure it reconnects properly:
+
+```bash
+kubectl rollout restart -n external-secrets deploy/external-secrets
+```
+
 #### Prevention
 
 **Important**: Store your Vault unseal key and root token securely. You will need them whenever Vault is sealed.
diff --git a/vault/justfile b/vault/justfile
index a58700f..7a13731 100644
--- a/vault/justfile
+++ b/vault/justfile
@@ -474,6 +474,36 @@ write-policy name file:
 login:
     @vault login -method=oidc
 
+# Unseal Vault
+unseal:
+    #!/bin/bash
+    set -euo pipefail
+
+    if [ -z "${VAULT_UNSEAL_KEY:-}" ]; then
+        if [ "${VAULT_DEBUG}" = "true" ]; then
+            echo "" >&2
+            echo "💡 To avoid entering unseal key repeatedly:" >&2
+            echo " • Set environment variable: export VAULT_UNSEAL_KEY=your_unseal_key" >&2
+            echo " • or write it in .env.local file: VAULT_UNSEAL_KEY=your_unseal_key" >&2
+            echo " • Use 1Password reference: VAULT_UNSEAL_KEY=op://vault/unseal/key" >&2
+            echo "" >&2
+        fi
+        VAULT_UNSEAL_KEY=$(gum input --prompt="Vault unseal key: " --password --width=100)
+    elif [[ "${VAULT_UNSEAL_KEY}" == op://* ]]; then
+        if ! command -v op &>/dev/null; then
+            echo "Error: 1Password CLI (op) is not installed." >&2
+            echo "" >&2
+            echo "To use 1Password secret references (op://...), please install the 1Password CLI:" >&2
+            echo " https://developer.1password.com/docs/cli/get-started/" >&2
+            exit 1
+        fi
+        VAULT_UNSEAL_KEY=$(op read "${VAULT_UNSEAL_KEY}")
+    fi
+
+    echo "Unsealing Vault..."
+    kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- vault operator unseal "${VAULT_UNSEAL_KEY}"
+    echo "✓ Vault unsealed successfully"
+
 # NOTE: Vault monitoring is not supported
 # Reason: Prometheus ServiceMonitor does not support custom HTTP headers (X-Vault-Token)
 # Alternative: Use Vault Exporter or manual Prometheus scrape_configs
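Review bot: The unseal key is passed on the command line in `kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- vault operator unseal "${VAULT_UNSEAL_KEY}"`, so it is visible in the argument list of the process exec'd inside vault-0 and in any trace of the recipe, which undoes the care taken to read it with `--password`; `vault operator unseal` reads the key from stdin when it is given no argument, so `printf '%s\n' "${VAULT_UNSEAL_KEY}" | kubectl exec -i -n "${K8S_VAULT_NAMESPACE}" vault-0 -- vault operator unseal` keeps it out of argv (and quotes the namespace expansion). `if [ "${VAULT_DEBUG}" = "true" ]` aborts with an unbound-variable error under `set -u` whenever `VAULT_DEBUG` is not set, so the interactive prompt is only reached when the caller exports it; `"${VAULT_DEBUG:-}"` matches the guard the recipe already uses for `VAULT_UNSEAL_KEY`. The closing `echo "✓ Vault unsealed successfully"` is unconditional, but a single key share only counts toward the seal threshold and the command appears to succeed after accepting any valid share, so unless the threshold is 1 the message can report success while Vault is still sealed — read the `Sealed` field of the unseal output (or `vault status`) before printing it. The value returned by `op read` is likewise used without checking that it is non-empty.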