{"id":25115722,"url":"https://github.com/devops-rob/vault-unsealer","last_synced_at":"2025-04-02T11:41:25.768Z","repository":{"id":231701931,"uuid":"782465717","full_name":"devops-rob/vault-unsealer","owner":"devops-rob","description":"An auto-unseal tool for HashiCorp Vault","archived":false,"fork":false,"pushed_at":"2024-04-05T11:48:41.000Z","size":10,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-04-05T12:38:47.886Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devops-rob.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-04-05T11:07:40.000Z","updated_at":"2024-04-05T12:38:54.389Z","dependencies_parsed_at":"2024-04-05T12:48:54.853Z","dependency_job_id":null,"html_url":"https://github.com/devops-rob/vault-unsealer","commit_stats":null,"previous_names":["devops-rob/vault-unseal"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-unsealer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-unsealer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-unsealer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-unsealer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devops-rob","download_url":"https://codeload.github.com/devops-rob/vault-un
sealer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246811183,"owners_count":20837745,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-08T02:33:49.094Z","updated_at":"2025-04-02T11:41:25.263Z","avatar_url":"https://github.com/devops-rob.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault Unsealer\n\nA tool to implement auto-unsealing of HashiCorp Vault nodes.\n\n_**NOTE: This is designed as a workflow Proof of Concept. Production use of Vault Unsealer is discouraged at present.**_\n\n# Configuration\n\nVault Unsealer takes a `.json` configuration file with the following configuration parameters:\n\n- `log_level` _(type: string, required: false)_ - This sets the server's log level output. Supported values are `trace`, `debug`, `info`, `warn`, and `err`. The default log level is `info`.\n- `probe_interval` _(type: int, required: true)_ - This specifies the frequency of the Vault seal status probe check in seconds.\n- `nodes` _(type: []string, required: true)_ - This is a list of Vault server nodes that Vault Unsealer will manage the seal status of.\n- `unseal_keys` _(type: []string, required: true)_ - A list of Vault unseal keys that can be used to unseal Vault. 
The number of keys in this list should be equal to or greater than the unseal threshold required for your Vault cluster.\n\n**Example Configuration**\n\n```json\n{\n  \"log_level\": \"debug\",\n  \"probe_interval\": 10,\n  \"nodes\": [\n    \"http://192.168.1.141:8200\",\n    \"http://192.168.1.142:8200\",\n    \"http://192.168.1.143:8200\"\n  ],\n  \"unseal_keys\": [\n    \"aa109356340az6f2916894c2e538f7450412056cea4c45b3dd4ae1f9c840befc1a\",\n    \"4948bcfe36834c8e6861f8144672cb804610967c7afb0588cfd03217b4354a8c35\",\n    \"7b5802f21b19s522444e2723a31cb07d5a3de60fbc37d21f918f998018b6e7ce8b\"\n  ]\n}\n```\n\n# Usage\n\n### Docker\n\n```shell\ndocker run -v $(pwd)/example.json:/app/config.json \\\n  devopsrob/vault-unsealer:0.1 /app/vault-unsealer\n```\n\n### Nomad (Docker Job)\n\nThis example stores the unseal keys in encrypted Nomad variables and uses Nomad templating to render the config file.\n\n```hcl\njob \"vault-unsealer\" {\n  namespace   = \"vault-cluster\"\n  datacenters = [\"dc1\"]\n  type        = \"service\"\n  node_pool   = \"vault-servers\"\n\n  group \"vault-unsealer\" {\n    count = 1\n\n    constraint {\n      attribute = \"${node.class}\"\n      value     = \"vault-servers\"\n    }\n\n    task \"vault-unsealer\" {\n      driver = \"docker\"\n\n      config {\n        image      = \"devopsrob/vault-unsealer:0.2\"\n\n\n        command = \"./vault-unsealer\"\n        volumes = [\n          \"local/config:/app/config\"\n        ]\n      }\n\n      template {\n        data = \u003c\u003cEOH\n\n{\n  \"log_level\": \"debug\",\n  \"probe_interval\": 10,\n  \"nodes\": [\n{{- $nodes := nomadService \"vault\" }}\n{{- range $i, $e := $nodes }}\n    {{- if $i }},{{ end }}\n    \"http://{{ .Address }}:{{ .Port }}\"\n{{- end }}\n  ],\n  \"unseal_keys\": [\n    {{- with nomadVar \"nomad/jobs/vault-unsealer\" }}\n    \"{{ .key1 }}\"\n    , \"{{ .key2 }}\"\n    , \"{{ .key3 }}\"\n    {{- end }}\n  ]\n}\nEOH\n\n        destination = \"local/config/config.json\"\n   
     change_mode = \"noop\"\n      }\n\n      resources {\n        cpu    = 100\n        memory = 512\n\n      }\n\n      affinity {\n        attribute = \"${meta.node_id}\"\n        value     = \"${NOMAD_ALLOC_ID}\"\n        weight    = 100\n      }\n    }\n  }\n}\n```\n\n# Best Practice Tip\n\nVault Unsealer requires unseal keys, which are highly sensitive pieces of data. It is recommended that the config file is rendered with the unseal key values coming from an encrypted store that you trust. The Nomad job usage above is an example of how to achieve this.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-rob%2Fvault-unsealer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevops-rob%2Fvault-unsealer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-rob%2Fvault-unsealer/lists"}