From dcb9105bcd219620c10f67d0c38c30c2c91a006b Mon Sep 17 00:00:00 2001
From: Brett Jones
Date: Mon, 16 Jan 2017 12:17:22 -0600
Subject: [PATCH] init

---
 Dockerfile | 6 ++++++
 README.md | 21 +++++++++++++++++++++
 vault-unseal.sh | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100755 vault-unseal.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..90033b8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,6 @@
+FROM vault:0.6.4
+MAINTAINER blockloop
+
+ADD ./vault-unseal.sh /vault-unseal.sh
+
+CMD ["/vault-unseal.sh"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f90d26f
--- /dev/null
+++ b/README.md
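Review bot: The `ADD ./vault-unseal.sh` line copies a script whose shebang is `#!/bin/bash` and which relies on bash-only indirect expansion, yet `vault:0.6.4` is, to my knowledge, an Alpine-based image that does not ship bash, so the `CMD` would fail at exec time; either add a pinned `RUN apk add --no-cache bash` in this Dockerfile or make the script `/bin/sh`-compatible. `ADD` should be `COPY ./vault-unseal.sh /vault-unseal.sh` for a plain local file, and the deprecated `MAINTAINER blockloop` should become `LABEL maintainer="blockloop"`. No `USER` is set, so the script presumably runs as root via the base image's entrypoint, which would receive `/vault-unseal.sh` as its argument; the script only needs to reach the vault address over the network, so a non-root `USER` is worth adding if the entrypoint passes unrecognised commands through.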
@@ -0,0 +1,21 @@
+# Vault Unsealer for Docker
+
+Unseal a [vault](https://www.vaultproject.io) with a docker container given only environment variables.
+
+![](https://img.shields.io/docker/pulls/blockloop/vault-unseal-docker.svg)
+
+This project was initially created to run as a kubernetes job to unseal a vault within the same cluster. This gives you the ability to pass env variables to a docker container and have it unseal a vault with the given keys. This image is based on the official vault image so many of the variables are the same.
+ `VAULT_ADDR` - the location of the vault server. You must specify the protocol (i.e. VAULT_ADDR=http://vault:8200)
+ `VAULT_UNSEAL_KEY_X` - this is the format of the unseal keys. In Kubernetes these are stored in a secret store and mounted to the Vault Unsealer Job as environment variables.
+ This container will loop up to 20 times, as many times as it can until vault is either unsealed or it returns an error. Each time it loops it checks the vault status and then, if the vault is still sealed, it runs `unseal` with the next key, or if it is unsealed, it exists 0.
+ ## Instructions
+
+1. Set vault key environment variables as `VAULT_UNSEAL_KEY_1`, `VAULT_UNSEAL_KEY_2`, etc.
+2. Set vault key address as `VAULT_ADDR`
+3. Optionally set `VAULT_SKIP_VERIFY` to 1.
+4. Check the [vault docs](https://www.vaultproject.io/docs/commands/environment.html) on environment variables to see all of your options.
+5. Run the container and watch it unseal your vault.
\ No newline at end of file
diff --git a/vault-unseal.sh b/vault-unseal.sh
new file mode 100755
index 0000000..b6bab63
--- /dev/null
+++ b/vault-unseal.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+for i in {1..20}; do
+  # https://github.com/hashicorp/vault/blob/c44f1c9817955d4c7cd5822a19fb492e1c2d0c54/command/status.go#L107
+  # code reflects the seal status (0 unsealed, 2 sealed, 1 error).
+  vault status;
+  st=$?
+
+  if [ $st -eq 0 ]; then
+    echo "vault is unsealed"
+    exit 0
+  elif [ $st -eq 2 ]; then
+    echo "vault is sealed"
+    echo "unsealing with key $i"
+    v="VAULT_UNSEAL_KEY_$i"
+    v="${!v}"
+
+    if [ -z "$v" ]; then
+      echo "ran out of vault uneal keys at $i (VAULT_UNSEAL_KEY_$i is empty). terminating..."
+      exit 1
+    fi
+
+    vault useal "$v" > /dev/null
+    code=$?
+    if [ $? -ne 0 ] ; then
+      echo "unseal returned a bad exit code ($code). terminating..."
+      exit $code
+    fi
+
+  elif [ $st -eq 1 ]; then
+    echo "vault returned an error"
+    exit 1
+  fi
+done
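Review bot: The `vault useal "$v" > /dev/null` line invokes a subcommand that does not exist (typo for `unseal`), so the script can never actually unseal the server, and the check two lines below tests `$?` of the `code=$?` assignment, which is always 0, so that failure is never reported either and the loop just burns through every key. Change the two lines to `vault unseal "$v" > /dev/null` and `if [ "$code" -ne 0 ] ; then`; the `echo` in the `-z` branch also misspells `unseal` as `uneal`. The key values themselves are never echoed and each one is only consumed after `vault status` returns 2, which is the right handling for secrets passed through the environment; keep it that way if the messages are reworded.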