#!/bin/sh
# =============================================================================
# Vault container entrypoint
# Runs as the vault user (UID 100) inside the container.
# Responsibilities:
# 1. Wait for TLS material to be available
# 2. Render runtime-specific values into vault.hcl
# 3. Ensure runtime directories exist
# 4. Start the Vault server
# =============================================================================
# Fail on any unchecked error and on unset variables. This is a /bin/sh script,
# so only the POSIX subset of 'set' is used (no pipefail).
set -eu

# Fixed locations inside the image.
CONFIG_SRC="/vault/config-template/vault.hcl"
CONFIG_DST="/vault/config-rendered/vault.hcl"
CERTS_DIR="/vault/certs"

# Runtime values; each may be overridden through a VAULT_* environment variable.
# NOTE(review): HOSTNAME is also the name container runtimes commonly export;
# if it is exported here, this assignment is what the exec'd process inherits.
HOSTNAME="${VAULT_HOSTNAME:-vault.internal}"
NODE_ID="${VAULT_NODE_ID:-vault-node-1}"
CLUSTER_ADDR="${VAULT_CLUSTER_ADDR:-https://vault-server:8201}"
# Default API address is derived from HOSTNAME, so it is computed last.
API_ADDR="${VAULT_API_ADDR:-https://${HOSTNAME}:8200}"
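#######################################
# Escape a value for use as the replacement text of a sed 's' command that
# uses '/' as its delimiter. '&', '/' and backslash are each prefixed with a
# backslash, and an embedded newline becomes backslash-newline, so the value
# is inserted literally instead of being interpreted by sed. (The previous
# pattern left backslashes unescaped because '\/' inside the '/'-delimited
# expression collapses to a plain '/'; using '|' as the delimiter avoids that.)
# Arguments: $1 - raw value (e.g. an address taken from the environment)
# Outputs:   escaped value on stdout
#######################################
escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's|[&/\\]|\\&|g' -e '$!s|$|\\|'
}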
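#######################################
# Print an informational line to stdout. printf is used instead of echo so that
# values containing backslashes or a leading '-' are printed as-is by /bin/sh.
# Arguments: $1 - message
#######################################
log() {
  printf '[entrypoint] %s\n' "$1"
}

#######################################
# Print an error line to stderr and abort container start-up.
# Arguments: $1 - message
# Returns:   does not return; exits 1
#######################################
die() {
  printf '[entrypoint] ERROR: %s\n' "$1" >&2
  exit 1
}

log "Vault hostname: ${HOSTNAME}"
log "Vault API address: ${API_ADDR}"
log "Vault cluster address: ${CLUSTER_ADDR}"
log "Vault node ID: ${NODE_ID}"

# ---------------------------------------------------------------------------
# 1. Wait for TLS certificates (generated or externally provided)
# ---------------------------------------------------------------------------
# Poll once per second until all three files are readable by this user, or
# give up after TLS_WAIT_MAX polls. The failure is reported on stderr.
TLS_WAIT_MAX=30
log "Waiting for TLS certificates..."
WAIT=0
until [ -r "${CERTS_DIR}/vault.crt" ] && [ -r "${CERTS_DIR}/vault.key" ] && [ -r "${CERTS_DIR}/ca.crt" ]; do
  WAIT=$((WAIT + 1))
  if [ "${WAIT}" -gt "${TLS_WAIT_MAX}" ]; then
    die "TLS files not readable after ${TLS_WAIT_MAX} seconds. Aborting."
  fi
  log "TLS files not ready yet, retrying in 1s... (${WAIT}/${TLS_WAIT_MAX})"
  sleep 1
done
log "TLS files found."

# ---------------------------------------------------------------------------
# 2. Render runtime values into the HCL config
# ---------------------------------------------------------------------------
# Each value is escaped in its own assignment: a failing escape then aborts
# under 'set -e', whereas a failure inside a "$(...)" sed argument would not.
# The escaping keeps '/' and '&' in an address as literal replacement text.
[ -r "${CONFIG_SRC}" ] || die "Config template ${CONFIG_SRC} is not readable."
API_ADDR_ESC=$(escape_sed_replacement "${API_ADDR}")
CLUSTER_ADDR_ESC=$(escape_sed_replacement "${CLUSTER_ADDR}")
NODE_ID_ESC=$(escape_sed_replacement "${NODE_ID}")
# Derive the output directory from CONFIG_DST so the two paths cannot drift.
mkdir -p "${CONFIG_DST%/*}"
sed \
  -e "s/VAULT_API_ADDR_PLACEHOLDER/${API_ADDR_ESC}/g" \
  -e "s/VAULT_CLUSTER_ADDR_PLACEHOLDER/${CLUSTER_ADDR_ESC}/g" \
  -e "s/VAULT_NODE_ID_PLACEHOLDER/${NODE_ID_ESC}/g" \
  "${CONFIG_SRC}" > "${CONFIG_DST}"
log "Config written to ${CONFIG_DST}"

# ---------------------------------------------------------------------------
# 3. Ensure runtime directories exist and are private to this user
# ---------------------------------------------------------------------------
# chmod fails (and so aborts start-up) if these are mounts owned by another user.
mkdir -p /vault/logs /vault/data
chmod 700 /vault/logs /vault/data

# ---------------------------------------------------------------------------
# 4. Hand off to the official Vault entrypoint
# The official image's CMD is: vault server -config=/vault/config
# We exec it directly so signals (SIGTERM) propagate correctly.
# ---------------------------------------------------------------------------
log "Starting Vault server..."
exec vault server -config="${CONFIG_DST}"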