ClarityStack/OPC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5009f6e6885eea9dc86dbe02a6441002ce31674b
OPC/infra/vault/entrypoint.sh
T
amadzarak 42383bdc03 OPC # 0001: Extract OPC into standalone repo
2026-04-25 18:05:57 -04:00

49 lines
1.6 KiB
Bash
Raw Blame History

#!/bin/sh
set -e
KEYS_FILE="/vault/file/init.json"
VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_ADDR
# Start Vault server in the background
vault server -config=/vault/config/vault.hcl &
VAULT_PID=$!
# Wait for Vault to be ready
echo "[vault-init] Waiting for Vault to start..."
until vault status > /dev/null 2>&1 || vault status 2>&1 | grep -q "Sealed\|Initialized"; do
sleep 1
done
echo "[vault-init] Vault is up."
# Check if already initialised
INIT_STATUS=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c "true" || true)
if [ "$INIT_STATUS" = "0" ]; then
echo "[vault-init] First run — initialising Vault..."
vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
echo "[vault-init] Keys saved to $KEYS_FILE"
fi
# Unseal using saved key
UNSEAL_KEY=$(grep '"unseal_keys_b64"' "$KEYS_FILE" -A1 | grep '"' | tail -1 | tr -d ' ",' )
ROOT_TOKEN=$(grep '"root_token"' "$KEYS_FILE" | sed 's/.*: *"\(.*\)".*/\1/')
echo "[vault-init] Unsealing..."
vault operator unseal "$UNSEAL_KEY"
echo "[vault-init] Vault is unsealed. Root token is stored in $KEYS_FILE"
# Authenticate and bootstrap Transit engine + master key (idempotent)
export VAULT_TOKEN="$ROOT_TOKEN"
echo "[vault-init] Enabling Transit secrets engine..."
vault secrets enable -path=clarity-transit transit 2>/dev/null || echo "[vault-init] clarity-transit already enabled."
echo "[vault-init] Creating master-key..."
vault write -f clarity-transit/keys/master-key 2>/dev/null || echo "[vault-init] master-key already exists."
echo "[vault-init] Vault bootstrap complete."
# Keep container alive by waiting on the Vault process
wait $VAULT_PID
Reference in New Issue View Git Blame Copy Permalink