fix(vault): prevent CPU-burning init loop with marker file + idempotent checks

Root cause: init scripts ran repeatedly (on container restart) and tried
vault secrets enable / vault auth enable for already-existing paths.
Vault logged ERRORs and burned 40-84% CPU in the loop.

Fix:
- Marker file /vault/data/.init-complete skips re-initialization
- vault secrets list / vault auth list checks before enable calls
- No more "path already in use" errors on subsequent runs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-05-05 11:46:16 +02:00
parent 64f45be63a
commit 775d8b52f3
3 changed files with 32 additions and 5 deletions
+15 -3
@@ -34,7 +34,11 @@ mkdir -p /vault/certs
# Step 1: Enable PKI Secrets Engine (Root CA)
# ================================================
echo "Enabling Root CA PKI engine..."
vault secrets enable -path=pki pki 2>/dev/null || echo "PKI engine already enabled"
if ! vault secrets list -format=json 2>/dev/null | grep -q '"pki/"'; then
vault secrets enable -path=pki pki
else
echo "PKI engine already enabled — skipping"
fi
# Set max lease TTL to 10 years for root CA
vault secrets tune -max-lease-ttl=87600h pki
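Review bot: The new guard in this hunk cannot tell "pki is not mounted" from "vault secrets list failed" (sealed Vault, expired token, no network): both produce no stdout, grep fails, and the script falls through to `vault secrets enable -path=pki pki`, which now has no fallback and will error before `vault secrets tune` runs anyway. Capture the list output first and bail on a non-zero exit, e.g. `mounts=$(vault secrets list -format=json) || { echo "cannot list mounts"; exit 1; }` and then `echo "$mounts" | grep -q '"pki/"'`. Also note that the marker file `/vault/data/.init-complete` described in the commit message does not appear in this hunk, so the idempotent check here is the only protection for this step.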
@@ -59,7 +63,11 @@ vault write pki/config/urls \
# Step 2: Enable PKI Secrets Engine (Intermediate CA)
# ================================================
echo "Enabling Intermediate CA PKI engine..."
vault secrets enable -path=pki_int pki 2>/dev/null || echo "Intermediate PKI engine already enabled"
if ! vault secrets list -format=json 2>/dev/null | grep -q '"pki_int/"'; then
vault secrets enable -path=pki_int pki
else
echo "Intermediate PKI engine already enabled — skipping"
fi
# Set max lease TTL to 5 years for intermediate
vault secrets tune -max-lease-ttl=43800h pki_int
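Review bot: This hunk repeats the mount-check block from the pki step verbatim with only the path changed; a small helper (for example `ensure_secrets_engine pki_int pki`) that runs the list-and-grep once and is called from both places would keep the two checks from drifting apart. The `grep -q '"pki_int/"'` pattern itself is fine: the surrounding quotes make it an exact key match, so it will not collide with `"pki/"`.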
@@ -142,7 +150,11 @@ EOF
# ================================================
echo "Creating AppRole for certificate management..."
vault auth enable approle 2>/dev/null || echo "AppRole already enabled"
if ! vault auth list -format=json 2>/dev/null | grep -q '"approle/"'; then
vault auth enable approle
else
echo "AppRole already enabled — skipping"
fi
# Create role for nginx certificate management
vault write auth/approle/role/breakpilot-nginx \
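Review bot: Same concern as for the secrets-engine checks applies to `vault auth list -format=json 2>/dev/null | grep -q '"approle/"'`: a failing list command is indistinguishable from "approle not enabled", so the script will attempt `vault auth enable approle` and, if that also fails, continue straight into `vault write auth/approle/role/breakpilot-nginx` against a method that may not exist. Check the list command's exit status separately, and consider guarding the `vault write` with an explicit exit on failure (or `set -e` at the top of the script, if it is not already there) so a partial run cannot leave the AppRole half-configured.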