baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(vault): add vault::unseal

Browse Source
This commit is contained in:
Masaki Yatsu
2025-11-25 10:42:56 +09:00
parent 41f2ee2edc
commit 5d9c7a4fa4
2 changed files with 54 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docs/troubleshooting.md
View File

@@ -29,6 +29,7 @@ Vault automatically seals itself when:
- The Vault pod is restarted - The Vault pod is restarted
- The node where Vault is running is restarted - The node where Vault is running is restarted
- The machine is rebooted
- Vault encounters certain error conditions - Vault encounters certain error conditions
When sealed, Vault cannot decrypt its data and all operations are blocked. When sealed, Vault cannot decrypt its data and all operations are blocked.
@@ -43,7 +44,23 @@ Unseal Vault using your unseal key:
2. Enter your unseal key in the web interface 2. Enter your unseal key in the web interface
3. Click "Unseal" 3. Click "Unseal"
**Option 2: Using kubectl** **Option 2: Using just recipe (Recommended)**
```bash
just vault::unseal
```
This recipe will prompt for the unseal key interactively. You can also set the `VAULT_UNSEAL_KEY` environment variable to avoid entering it repeatedly:
```bash
# Set in .env.local
VAULT_UNSEAL_KEY=your-unseal-key-here
# Or use 1Password reference
VAULT_UNSEAL_KEY=op://vault/unseal/key
```
**Option 3: Using kubectl**
```bash ```bash
# Get the unseal key from your secure storage # Get the unseal key from your secure storage
@@ -53,6 +70,12 @@ UNSEAL_KEY="your-unseal-key-here"
kubectl exec -n vault vault-0 -- vault operator unseal "${UNSEAL_KEY}" kubectl exec -n vault vault-0 -- vault operator unseal "${UNSEAL_KEY}"
``` ```
After unsealing, restart the External Secrets Operator to ensure it reconnects properly:
```bash
kubectl rollout restart -n external-secrets deploy/external-secrets
```
#### Prevention #### Prevention
**Important**: Store your Vault unseal key and root token securely. You will need them whenever Vault is sealed. **Important**: Store your Vault unseal key and root token securely. You will need them whenever Vault is sealed.

30
vault/justfile
View File

@@ -474,6 +474,36 @@ write-policy name file:
login: login:
@vault login -method=oidc @vault login -method=oidc
# Unseal Vault
unseal:
#!/bin/bash
set -euo pipefail
if [ -z "${VAULT_UNSEAL_KEY:-}" ]; then
if [ "${VAULT_DEBUG}" = "true" ]; then
echo "" >&2
echo "💡 To avoid entering unseal key repeatedly:" >&2
echo " • Set environment variable: export VAULT_UNSEAL_KEY=your_unseal_key" >&2
echo " • or write it in .env.local file: VAULT_UNSEAL_KEY=your_unseal_key" >&2
echo " • Use 1Password reference: VAULT_UNSEAL_KEY=op://vault/unseal/key" >&2
echo "" >&2
fi
VAULT_UNSEAL_KEY=$(gum input --prompt="Vault unseal key: " --password --width=100)
elif [[ "${VAULT_UNSEAL_KEY}" == op://* ]]; then
if ! command -v op &>/dev/null; then
echo "Error: 1Password CLI (op) is not installed." >&2
echo "" >&2
echo "To use 1Password secret references (op://...), please install the 1Password CLI:" >&2
echo " https://developer.1password.com/docs/cli/get-started/" >&2
exit 1
fi
VAULT_UNSEAL_KEY=$(op read "${VAULT_UNSEAL_KEY}")
fi
echo "Unsealing Vault..."
kubectl exec -n ${K8S_VAULT_NAMESPACE} vault-0 -- vault operator unseal "${VAULT_UNSEAL_KEY}"
echo "✓ Vault unsealed successfully"
# NOTE: Vault monitoring is not supported # NOTE: Vault monitoring is not supported
# Reason: Prometheus ServiceMonitor does not support custom HTTP headers (X-Vault-Token) # Reason: Prometheus ServiceMonitor does not support custom HTTP headers (X-Vault-Token)
# Alternative: Use Vault Exporter or manual Prometheus scrape_configs # Alternative: Use Vault Exporter or manual Prometheus scrape_configs