Add pivault_unseal
pivault_unseal automates the unsealing process for pivault. Since the primary vault is unsealed by pivault, this is the only unseal script we should need.
32
scripts/pivault_unseal.py
Executable file
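--- a/scripts/pivault_unseal.py
+++ b/scripts/pivault_unseal.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+import json
+import os
+import subprocess
+import threading
+
+vaults = ["vault-0"]
+
+home = os.getenv("HOME")
+with open(os.path.join(home, ".vault-keys/pivault-cluster-keys.json")) as f:
+vault_secrets = json.load(f)
+
+procs = []
+
+for vault in vaults:
+procs += [
+threading.Thread(
+target = subprocess.run,
+args = (
+["kubectl", "--context", "pikube.dnet-admin-pivault",
+"exec", "-ti", vault, "--",
+"vault", "operator", "unseal",
+vault_secrets.get("unseal_keys_b64")[key]],))
+for key in range(int(vault_secrets.get("unseal_threshold")))
+]
+
+for thread in procs:
+thread.start()
+
+for thread in procs:
+thread.join()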
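Review bot: Each unseal key share is passed as the last argv element of the `vault operator unseal` command built inside `threading.Thread(...)`, so it is readable in the process list on the workstation and in the pod, and the exec command line is likely to be captured by Kubernetes API audit logging if that is enabled. Prefer leaving the key off the command line and feeding it on stdin, e.g. `"exec", "-i", vault, "--", "vault", "operator", "unseal"` with `kwargs={"input": key_b64, "text": True}` on the thread; this assumes the vault binary in the pod reads the key from a non-terminal stdin, which should be confirmed. Dropping `-t` also avoids several concurrent kubectl processes each requesting a TTY, which is likely to misbehave when the script runs without a terminal. Separately, the result of `subprocess.run` is discarded and `check=True` is not set, so a failed unseal passes silently; collecting return codes after `thread.join()` and exiting non-zero would make failures visible.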