fix(vault): prevent CPU-burning init loop with marker file + idempotent checks

Root cause: init scripts ran repeatedly (on container restart) and tried vault secrets enable / vault auth enable for already-existing paths. Vault logged ERRORs and burned 40-84% CPU in the loop. Fix: - Marker file /vault/data/.init-complete skips re-initialization - vault secrets list / vault auth list checks before enable calls - No more "path already in use" errors on subsequent runs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-05 11:46:16 +02:00
parent 64f45be63a
commit 775d8b52f3
3 changed files with 32 additions and 5 deletions
@@ -4,6 +4,7 @@ set -e

 export VAULT_ADDR="http://vault:8200"
 KEYS_FILE="/vault/data/init-keys.json"
+INIT_MARKER="/vault/data/.init-complete"

 echo "=== Vault Init/Unseal ==="
 echo "Waiting for Vault to be ready..."
@@ -39,6 +40,12 @@ chmod 600 /vault/data/root-token

 echo "=== Vault ready (persistent file storage) ==="

+# Skip PKI + secrets init if already completed (prevents repeated mount-enable errors)
+if [ -f "$INIT_MARKER" ]; then
+  echo "PKI + secrets already initialized (marker: $INIT_MARKER). Skipping."
+  exit 0
+fi
+
 # Run PKI init
 if [ -f /vault/scripts/init-pki.sh ]; then
  echo "Running PKI initialization..."
@@ -50,3 +57,7 @@ if [ -f /vault/scripts/init-secrets.sh ]; then
  echo "Running secrets initialization..."
  sh /vault/scripts/init-secrets.sh
 fi
+
+# Mark initialization as complete
+touch "$INIT_MARKER"
+echo "Init marker written: $INIT_MARKER"