Skip to content

fix(setup): retry vault status and unseal during first-run init#3680

Open
shayan1995 wants to merge 1 commit into
NVIDIA:mainfrom
shayan1995:snamaghi/issue-3129-vault-status-retry
Open

fix(setup): retry vault status and unseal during first-run init#3680
shayan1995 wants to merge 1 commit into
NVIDIA:mainfrom
shayan1995:snamaghi/issue-3129-vault-status-retry

Conversation

@shayan1995

Copy link
Copy Markdown
Contributor

On a fresh cluster, Vault pods reach the Initialized condition before Vault's listener accepts connections, so the single-shot vault status in helm-prereqs/unseal_vault.sh (stderr suppressed, exit code discarded) could return empty output and abort setup.sh with "Unable to retrieve Vault status from vault-0" even though the pods were healthy. Re-running setup.sh on the same cluster succeeded, as reported in #3129.

Changes:

  • New _vault_status_json helper retries vault status (tunable via VAULT_STATUS_RETRIES / VAULT_STATUS_SLEEP_SECONDS, default 36×5s) and validates the JSON payload (.initialized/.sealed booleans) before use, tolerating Vault's nonzero exit codes for sealed/uninitialized states. On exhaustion it prints the last stdout/stderr instead of a generic message.
  • Fixes a silent failure in unseal_pod: a failed status probe previously produced empty JSON and the pod was skipped as "already unsealed"; it now fails loudly.
  • The unseal key sequence is retried (VAULT_UNSEAL_ROUNDS, default 3) and the pod is verified to actually report unsealed, since the unseal nonce can reset mid-sequence and discard submitted key shares (visible in the issue's logs).

Related issues

Fixes #3129

Type of Change

  • Add - New feature or capability
  • Change - Changes in existing functionality
  • Fix - Bug fixes
  • Remove - Removed features or deprecated functionality
  • Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

  • This PR contains breaking changes

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • No testing required (docs, internal refactor, etc.)

bash -n clean. (TODO before submitting: re-run setup.sh on a fresh 3-node cluster matching the issue's repro to confirm first-run init now succeeds; the script paths were reviewed but not executed against a live vault.)

@shayan1995
shayan1995 requested a review from a team as a code owner July 17, 2026 18:27
@copy-pr-bot

copy-pr-bot Bot commented Jul 17, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2f8615e5-24dd-4810-b40b-57ed4fce4494

📥 Commits

Reviewing files that changed from the base of the PR and between ac25d0c and 0b5b200.

📒 Files selected for processing (1)
  • helm-prereqs/unseal_vault.sh

Summary by CodeRabbit

  • Bug Fixes
    • Improved Vault initialization and readiness checks with env-configurable polling retries and sleep delays.
    • Added stricter validation of Vault status (initialized/sealed) and improved diagnostics by showing the last captured output on failure.
    • Enhanced unsealing robustness by status-driven behavior: skipping already-unsealed pods and performing unseal attempts in multiple rounds, rechecking sealed state after each round.

Walkthrough

The Vault setup script polls validated status JSON before proceeding and uses configurable multi-round unsealing. Pods already unsealed are skipped, while sealed pods receive all keys repeatedly until unsealed or the configured limit is exhausted.

Changes

Vault initialization and unsealing

Layer / File(s) Summary
Vault status readiness polling
helm-prereqs/unseal_vault.sh
Adds configurable status retries and delays, validates boolean initialized and sealed fields, and uses the polling helper for vault-0.
Status-driven unseal rounds
helm-prereqs/unseal_vault.sh
Skips already-unsealed pods and retries complete unseal-key sequences for sealed pods up to VAULT_UNSEAL_ROUNDS.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant SetupScript
  participant Kubectl
  participant VaultPod

  SetupScript->>Kubectl: Poll vault status
  Kubectl->>VaultPod: Execute status query
  VaultPod-->>Kubectl: Return validated status JSON
  Kubectl-->>SetupScript: Report initialized and sealed state
  SetupScript->>Kubectl: Submit unseal keys
  Kubectl->>VaultPod: Apply keys 1 through 3
  VaultPod-->>SetupScript: Return updated sealed state
  SetupScript->>Kubectl: Retry key sequence if still sealed
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately captures the main change: retrying Vault status and unseal logic during first-run setup.
Description check ✅ Passed The description is directly about the Vault startup race and the retry/unseal fixes in this PR.
Linked Issues check ✅ Passed The changes address #3129 by adding Vault status retries, JSON validation, and repeated unseal verification for first-run setup.
Out of Scope Changes check ✅ Passed The changes stay within the Vault initialization and unseal fix and do not introduce unrelated scope.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm-prereqs/unseal_vault.sh`:
- Around line 34-36: Validate VAULT_STATUS_RETRIES and VAULT_UNSEAL_ROUNDS
immediately after their defaults are assigned and before either value is passed
to seq; require positive integers, including rejecting zero, negatives, and
malformed strings. On invalid input, exit with a clear message identifying the
offending variable and expected format, while leaving VAULT_STATUS_SLEEP_SECONDS
behavior unchanged.
- Line 94: Update the unseal retry loop surrounding _vault_status_json and the
unseal submission commands so a failed kubectl exec vault operator unseal is
caught instead of terminating the script under set -e. Break the current
share-processing round on failure, then recheck Vault status before starting the
next retry round.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 26bf7fc1-deaa-4d9d-a743-f83e42d056b8

📥 Commits

Reviewing files that changed from the base of the PR and between 0cd8acb and 6241a00.

📒 Files selected for processing (1)
  • helm-prereqs/unseal_vault.sh

Comment thread helm-prereqs/unseal_vault.sh
Comment thread helm-prereqs/unseal_vault.sh
On a fresh cluster, vault pods reach the Initialized condition before
the Vault listener accepts connections, so the single-shot
'vault status' in unseal_vault.sh (with stderr suppressed and its exit
code discarded) could return empty output and abort setup.sh with
"Unable to retrieve Vault status from vault-0" even though the pods
were healthy. Re-running setup.sh on the same cluster succeeded, as
reported in NVIDIA#3129.

Changes:
- Add _vault_status_json: retries 'vault status' (tunable via
  VAULT_STATUS_RETRIES / VAULT_STATUS_SLEEP_SECONDS, default 36x5s)
  and validates the JSON payload before use, tolerating vault's
  nonzero exit codes for sealed/uninitialized states. On exhaustion it
  prints the last stdout/stderr instead of a generic message.
- Fix a silent failure in unseal_pod: a failed status probe previously
  produced empty JSON and the pod was skipped as "already unsealed";
  it now fails loudly.
- Retry the full unseal key sequence (VAULT_UNSEAL_ROUNDS, default 3)
  and verify the pod actually reports unsealed, since the unseal nonce
  can reset mid-sequence and discard submitted key shares (visible in
  the issue's logs). A failed unseal exec within a round logs and
  falls through to the status check instead of aborting under set -e.
- Validate the retry tunables as positive integers up front and
  document them in the script header.

Verified on a fresh 3-node cluster (dev6): first-run init + unseal
completed and setup.sh proceeded past phase [4/6].

Fixes NVIDIA#3129

Signed-off-by: Shayan Namaghi <snamaghi@nvidia.com>
@shayan1995
shayan1995 force-pushed the snamaghi/issue-3129-vault-status-retry branch from ac25d0c to 0b5b200 Compare July 17, 2026 20:51
@github-actions

Copy link
Copy Markdown

🔍 Container Scan Summary

Service Total Critical High Medium Low Other
boot-artifacts-aarch64 3 0 0 3 0 0
boot-artifacts-x86_64 3 0 0 3 0 0
forge-admin-cli-x86_64 259 16 29 79 7 128
machine-validation-runner 532 39 113 184 15 181
machine_validation 532 39 113 184 15 181
machine_validation-aarch64 532 39 113 184 15 181
nvmetal-carbide 532 39 113 184 15 181
TOTAL 2393 172 481 821 67 852

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: In setup.sh vault initialization fails causing setup.sh to fail

1 participant