GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions

feat: use secrets file for Vault auto-unseal (more secure)

Browse source 
- VAULT_UNSEAL_KEYS_FILE points to /opt/gbo/secrets/vault-unseal-keys
- Unseal keys stored in separate file with chmod 600
- Not in .env (which might be in git, logs, etc.)
- Output shows step-by-step setup instructions
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2025-12-19 11:36:00 -03:00
parent 38ff9cb8aa
commit a711f1e28a
1 changed files with 20 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
src/core/package_manager/facade.rs
View file

@ -314,23 +314,15 @@ impl PackageManager {
let mut env_vars = HashMap::new(); let mut env_vars = HashMap::new();
let connection_info = match component { let connection_info = match component {
"vault" => { "vault" => {
// Only Vault returns .env variables // Only Vault returns .env variables (VAULT_ADDR, VAULT_TOKEN, VAULT_UNSEAL_KEYS_FILE)
env_vars.insert("VAULT_ADDR".to_string(), format!("http://{}:8200", ip)); env_vars.insert("VAULT_ADDR".to_string(), format!("http://{}:8200", ip));
env_vars.insert( env_vars.insert(
"VAULT_TOKEN".to_string(), "VAULT_TOKEN".to_string(),
"<root-token-from-init>".to_string(), "<root-token-from-init>".to_string(),
); );
env_vars.insert( env_vars.insert(
"VAULT_UNSEAL_KEY_1".to_string(), "VAULT_UNSEAL_KEYS_FILE".to_string(),
"<unseal-key-1>".to_string(), "/opt/gbo/secrets/vault-unseal-keys".to_string(),
);
env_vars.insert(
"VAULT_UNSEAL_KEY_2".to_string(),
"<unseal-key-2>".to_string(),
);
env_vars.insert(
"VAULT_UNSEAL_KEY_3".to_string(),
"<unseal-key-3>".to_string(),
); );
format!( format!(
r#"Vault Server: r#"Vault Server:
@ -341,16 +333,27 @@ To initialize Vault (first time only):
lxc exec {}-vault -- /opt/gbo/bin/vault operator init lxc exec {}-vault -- /opt/gbo/bin/vault operator init
This will output 5 unseal keys and 1 root token. This will output 5 unseal keys and 1 root token.
Copy at least 3 unseal keys to your .env file for auto-unseal on restart. Save at least 3 unseal keys to the secrets file for auto-unseal on restart.
Add to your .env file: Step 1: Add to your .env file:
VAULT_ADDR=http://{}:8200 VAULT_ADDR=http://{}:8200
VAULT_TOKEN=<root-token-from-init> VAULT_TOKEN=<root-token-from-init>
VAULT_UNSEAL_KEY_1=<unseal-key-1> VAULT_UNSEAL_KEYS_FILE=/opt/gbo/secrets/vault-unseal-keys
VAULT_UNSEAL_KEY_2=<unseal-key-2>
VAULT_UNSEAL_KEY_3=<unseal-key-3>
botserver will automatically unseal Vault on startup using these keys."#, Step 2: Create secrets file (chmod 600 for security):
mkdir -p /opt/gbo/secrets
cat > /opt/gbo/secrets/vault-unseal-keys << 'EOF'
VAULT_UNSEAL_KEY_1=<unseal-key-1-from-init>
VAULT_UNSEAL_KEY_2=<unseal-key-2-from-init>
VAULT_UNSEAL_KEY_3=<unseal-key-3-from-init>
EOF
chmod 600 /opt/gbo/secrets/vault-unseal-keys
chown root:root /opt/gbo/secrets/vault-unseal-keys
botserver will automatically unseal Vault on startup using keys from this file.
For other auto-unseal options (TPM, HSM, Transit), see:
https://generalbots.github.io/botbook/chapter-08/secrets-management.html"#,
ip, ip, self.tenant, ip ip, ip, self.tenant, ip
) )
} }