fix: pass VAULT_ADDR inside container via bash -c
- env() on Command only sets the host env, not the container env
- Use bash -c with a VAULT_ADDR=... prefix for the init and unseal commands
parent
f20d662941
commit
9a3ac6141e
1 changed files with 10 additions and 17 deletions
|
|
@ -316,19 +316,16 @@ impl PackageManager {
|
||||||
std::thread::sleep(std::time::Duration::from_secs(5));
|
std::thread::sleep(std::time::Duration::from_secs(5));
|
||||||
|
|
||||||
// Initialize Vault and capture output
|
// Initialize Vault and capture output
|
||||||
|
// Note: VAULT_ADDR must be set inside the container, not on host
|
||||||
let output = Command::new("lxc")
|
let output = Command::new("lxc")
|
||||||
.args(&[
|
.args(&[
|
||||||
"exec",
|
"exec",
|
||||||
container_name,
|
container_name,
|
||||||
"--",
|
"--",
|
||||||
"/opt/gbo/bin/vault",
|
"bash",
|
||||||
"operator",
|
"-c",
|
||||||
"init",
|
"VAULT_ADDR=http://127.0.0.1:8200 /opt/gbo/bin/vault operator init -key-shares=5 -key-threshold=3 -format=json",
|
||||||
"-key-shares=5",
|
|
||||||
"-key-threshold=3",
|
|
||||||
"-format=json",
|
|
||||||
])
|
])
|
||||||
.env("VAULT_ADDR", format!("http://127.0.0.1:8200"))
|
|
||||||
.output()?;
|
.output()?;
|
||||||
|
|
||||||
if !output.status.success() {
|
if !output.status.success() {
|
||||||
|
|
@ -405,20 +402,16 @@ impl PackageManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Unseal Vault with the first 3 keys
|
// Unseal Vault with the first 3 keys
|
||||||
|
// Note: VAULT_ADDR must be set inside the container, not on host
|
||||||
for i in 0..3 {
|
for i in 0..3 {
|
||||||
if let Some(key) = unseal_keys.get(i) {
|
if let Some(key) = unseal_keys.get(i) {
|
||||||
let key_str = key.as_str().unwrap_or("");
|
let key_str = key.as_str().unwrap_or("");
|
||||||
|
let unseal_cmd = format!(
|
||||||
|
"VAULT_ADDR=http://127.0.0.1:8200 /opt/gbo/bin/vault operator unseal {}",
|
||||||
|
key_str
|
||||||
|
);
|
||||||
let unseal_output = Command::new("lxc")
|
let unseal_output = Command::new("lxc")
|
||||||
.args(&[
|
.args(&["exec", container_name, "--", "bash", "-c", &unseal_cmd])
|
||||||
"exec",
|
|
||||||
container_name,
|
|
||||||
"--",
|
|
||||||
"/opt/gbo/bin/vault",
|
|
||||||
"operator",
|
|
||||||
"unseal",
|
|
||||||
key_str,
|
|
||||||
])
|
|
||||||
.env("VAULT_ADDR", "http://127.0.0.1:8200")
|
|
||||||
.output()?;
|
.output()?;
|
||||||
|
|
||||||
if !unseal_output.status.success() {
|
if !unseal_output.status.success() {
|
||||||
|
|
|
||||||
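Review bot: In the second hunk the unseal key is formatted straight into a `bash -c` command string (`format!("VAULT_ADDR=... operator unseal {}", key_str)`), so a secret that appears to be parsed from JSON is now interpreted by a shell, unquoted. `lxc exec` has an `--env` option, so the variable can be set inside the container without a shell: `.args(&["exec", container_name, "--env", "VAULT_ADDR=http://127.0.0.1:8200", "--", "/opt/gbo/bin/vault", "operator", "unseal", key_str])`. The init call in the first hunk can take the same form, or pass Vault's own `-address=http://127.0.0.1:8200` flag. Either way the key remains a command-line argument, as it was before this change, so it is likely visible in process listings on the host and in the container while the command runs; a comment noting that would help the next reader. Both enclosing function bodies start and end outside the hunks, so how `unseal_keys` is populated and how an empty `key_str` from `unwrap_or("")` is handled cannot be confirmed from here.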