From 775d8b52f3e435d904bc7d898b04b1f36d116d80 Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Tue, 5 May 2026 11:46:16 +0200
Subject: [PATCH] fix(vault): prevent CPU-burning init loop with marker file + idempotent checks

Root cause: init scripts ran repeatedly (on container restart) and tried vault secrets enable / vault auth enable for already-existing paths. Vault logged ERRORs and burned 40-84% CPU in the loop.

Fix:
- Marker file /vault/data/.init-complete skips re-initialization
- vault secrets list / vault auth list checks before enable calls
- No more "path already in use" errors on subsequent runs

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 vault/init-pki.sh | 18 +++++++++++++++---
 vault/init-secrets.sh | 8 ++++++--
 vault/init-vault.sh | 11 +++++++++++
 3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/vault/init-pki.sh b/vault/init-pki.sh
index bab270c..8cb105e 100755
--- a/vault/init-pki.sh
+++ b/vault/init-pki.sh
@@ -34,7 +34,11 @@ mkdir -p /vault/certs
 # Step 1: Enable PKI Secrets Engine (Root CA)
 # ================================================
 echo "Enabling Root CA PKI engine..."
-vault secrets enable -path=pki pki 2>/dev/null || echo "PKI engine already enabled"
+if ! vault secrets list -format=json 2>/dev/null | grep -q '"pki/"'; then
+vault secrets enable -path=pki pki
+else
+echo "PKI engine already enabled — skipping"
+fi
 
 # Set max lease TTL to 10 years for root CA
 vault secrets tune -max-lease-ttl=87600h pki
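Review bot: The `2>/dev/null` on `vault secrets list` in the new guard turns a failed list (sealed Vault, missing or expired `VAULT_TOKEN`, connection error) into empty output, so `grep -q` fails, the `!` inverts it and the script proceeds to `vault secrets enable` as if the mount were absent — an idempotency check should fail closed on error, not fall through to the write. Capture the list and abort when it fails: `mounts=$(vault secrets list -format=json) || { echo "ERROR: cannot list secrets engines" >&2; exit 1; }` followed by `if ! printf '%s\n' "$mounts" | grep -q '"pki/"'; then`. Note also that `grep -q '"pki/"'` is a substring match over the whole JSON document, so a description or option value containing that text would pass as the mount; `vault read sys/mounts/pki` (exit status only) is a more precise existence check if the Vault version in use supports it. Whether init-pki.sh itself runs under `set -e` is outside this hunk; if it does not, a failing `vault secrets enable` is ignored as well.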
@@ -59,7 +63,11 @@ vault write pki/config/urls \
 # Step 2: Enable PKI Secrets Engine (Intermediate CA)
 # ================================================
 echo "Enabling Intermediate CA PKI engine..."
-vault secrets enable -path=pki_int pki 2>/dev/null || echo "Intermediate PKI engine already enabled"
+if ! vault secrets list -format=json 2>/dev/null | grep -q '"pki_int/"'; then
+vault secrets enable -path=pki_int pki
+else
+echo "Intermediate PKI engine already enabled — skipping"
+fi
 
 # Set max lease TTL to 5 years for intermediate
 vault secrets tune -max-lease-ttl=43800h pki_int
@@ -142,7 +150,11 @@ EOF
 # ================================================
 echo "Creating AppRole for certificate management..."
 
-vault auth enable approle 2>/dev/null || echo "AppRole already enabled"
+if ! vault auth list -format=json 2>/dev/null | grep -q '"approle/"'; then
+vault auth enable approle
+else
+echo "AppRole already enabled — skipping"
+fi
 
 # Create role for nginx certificate management
 vault write auth/approle/role/breakpilot-nginx \
diff --git a/vault/init-secrets.sh b/vault/init-secrets.sh
index 64f8429..b01d20a 100755
--- a/vault/init-secrets.sh
+++ b/vault/init-secrets.sh
@@ -24,8 +24,12 @@ done
 
 echo "Vault is ready. Initializing secrets..."
 
-# Enable KV v2 secrets engine at 'secret/' (usually enabled in dev mode)
-vault secrets enable -version=2 -path=secret kv 2>/dev/null || echo "KV engine already enabled"
+# Enable KV v2 secrets engine at 'secret/' (only if not already enabled)
+if ! vault secrets list -format=json 2>/dev/null | grep -q '"secret/"'; then
+vault secrets enable -version=2 -path=secret kv
+else
+echo "KV engine already enabled — skipping"
+fi
 
 # ================================================
 # API Keys (PLACEHOLDER - Replace in production!)
diff --git a/vault/init-vault.sh b/vault/init-vault.sh
index 5ab582a..9683e06 100755
--- a/vault/init-vault.sh
+++ b/vault/init-vault.sh
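Review bot: The AppRole guard is the fourth copy of the same `vault … list -format=json 2>/dev/null | grep -q '"<path>/"'` pattern across the two scripts (pki, pki_int, secret, approle), and every copy shares the same weakness: when the list command itself fails, its stderr is discarded, the empty output makes `grep` miss, and the guard runs the `enable` it was meant to skip. A small helper per script keeps the error handling in one place, e.g. `auth_enabled() { out=$(vault auth list -format=json) || exit 1; printf '%s\n' "$out" | grep -q "\"$1/\""; }` with a matching `mount_enabled` wrapping `vault secrets list`, so the call sites become `if ! auth_enabled approle; then`. Whether the two scripts can share a sourced helper file under /vault/scripts cannot be determined from this hunk; the `vault write auth/approle/role/breakpilot-nginx \` statement continues past it.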
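Review bot: The new `secret/` guard in init-secrets.sh only establishes that something is mounted at that path, not that it is a KV engine at version 2, so a pre-existing KV v1 mount (or any other engine) at `secret/` passes the check and the `-version=2` enable is skipped; the API-key writes that follow the hunk (the `# API Keys (PLACEHOLDER …)` section) then target a store with different semantics. Since this is the one place that decides whether `secret/` is usable, verify the engine type and version from the mount metadata (the `vault secrets list -format=json` output carries `type` and `options.version` for each mount, or `vault read sys/mounts/secret` if supported) and abort with a clear message when they are wrong rather than silently continuing. As in the other hunks, drop the `2>/dev/null` so a failed list does not read as "not mounted".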
@@ -4,6 +4,7 @@ set -e
 export VAULT_ADDR="http://vault:8200"
 KEYS_FILE="/vault/data/init-keys.json"
+INIT_MARKER="/vault/data/.init-complete"
 
 echo "=== Vault Init/Unseal ==="
 echo "Waiting for Vault to be ready..."
@@ -39,6 +40,12 @@ chmod 600 /vault/data/root-token
 
 echo "=== Vault ready (persistent file storage) ==="
 
+# Skip PKI + secrets init if already completed (prevents repeated mount-enable errors)
+if [ -f "$INIT_MARKER" ]; then
+ echo "PKI + secrets already initialized (marker: $INIT_MARKER). Skipping."
+ exit 0
+fi
+
 # Run PKI init
 if [ -f /vault/scripts/init-pki.sh ]; then
 echo "Running PKI initialization..."
@@ -50,3 +57,7 @@ if [ -f /vault/scripts/init-secrets.sh ]; then
 echo "Running secrets initialization..."
 sh /vault/scripts/init-secrets.sh
 fi
+
+# Mark initialization as complete
+touch "$INIT_MARKER"
+echo "Init marker written: $INIT_MARKER"
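Review bot: The marker is written unconditionally after `sh /vault/scripts/init-secrets.sh`, so it only means that both child scripts returned 0: init-vault.sh has `set -e` (the first hunk's header shows it), but whether init-pki.sh and init-secrets.sh do is not visible here, and a child that fails part-way (say, at intermediate-CA signing) while still exiting 0 gets the marker written and is never retried, leaving a half-built PKI that the `[ -f "$INIT_MARKER" ]` check now protects forever. Two changes make the marker trustworthy: check each child's exit status explicitly instead of relying on `set -e` inside the `if` body, and store a fingerprint of the init scripts in the marker rather than an empty file, so editing init-pki.sh or init-secrets.sh triggers a re-run instead of being silently skipped (busybox in the Vault image should provide `sha256sum`, worth confirming). Re-running the mount/auth enables is now safe thanks to the other hunks, but whatever the child scripts write afterwards (init-secrets.sh's context lines mention placeholder API keys) is overwritten on re-run, so the marker check deserves a comment such as `# Removing this marker re-runs init-pki.sh/init-secrets.sh, which rewrites roles and secrets — only do this on a fresh Vault`.
```shell
INIT_MARKER="/vault/data/.init-complete"
# Fingerprint of the init scripts: a changed script invalidates the marker so it is re-applied.
init_fingerprint() {
  cat /vault/scripts/init-pki.sh /vault/scripts/init-secrets.sh 2>/dev/null | sha256sum | cut -d' ' -f1
}

# … unchanged: wait for Vault, init/unseal, root-token handling …

# Skip PKI + secrets init only if it completed for this exact set of init scripts.
# Removing this marker re-runs init-pki.sh/init-secrets.sh, which rewrites roles and secrets.
if [ -f "$INIT_MARKER" ] && [ "$(cat "$INIT_MARKER")" = "$(init_fingerprint)" ]; then
  echo "PKI + secrets already initialized (marker: $INIT_MARKER). Skipping."
  exit 0
fi

if [ -f /vault/scripts/init-pki.sh ]; then
  echo "Running PKI initialization..."
  sh /vault/scripts/init-pki.sh || { echo "ERROR: init-pki.sh failed; marker not written" >&2; exit 1; }
fi
# … unchanged: same pattern for init-secrets.sh …

# Mark initialization as complete (content = fingerprint of the scripts that ran)
init_fingerprint > "$INIT_MARKER"
echo "Init marker written: $INIT_MARKER"
```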