ananke/internal/cluster/orchestrator_startup_vault.go

package cluster

import (
	"context"
	"fmt"
	"time"
)

// maybeRunEarlyVaultUnseal runs one orchestration or CLI step.
// Signature: (o *Orchestrator) maybeRunEarlyVaultUnseal(ctx context.Context).
// Why: gives startup a best-effort Vault recovery path when the API is already
// live, without consuming the hard startup failure path before workloads recover.
func (o *Orchestrator) maybeRunEarlyVaultUnseal(ctx context.Context) {
	if err := o.waitForAPI(ctx, 1, time.Second); err != nil {
		return
	}

	o.noteStartupCheckState("vault-unseal-early", "running", "best-effort early vault unseal while kubernetes api is already available")
	deferred, detail, err := o.ensureVaultUnsealedWhenRunnable(ctx)
	if err != nil {
		o.log.Printf("warning: early vault unseal deferred: %v", err)
		o.noteStartupAutoHeal(fmt.Sprintf("deferred early vault unseal: %v", err))
		return
	}
	if deferred {
		o.log.Printf("vault early unseal deferred: %s", detail)
		o.noteStartupAutoHeal(detail)
		return
	}
	o.noteStartupCheck("vault-unseal-early", true, "vault is already unsealed")
}

// runStartupVaultUnsealGate runs one orchestration or CLI step.
// Signature: (o *Orchestrator) runStartupVaultUnsealGate(ctx context.Context) error.
// Why: keeps the top-level startup flow readable while allowing Vault unseal to
// defer cleanly until critical workload recovery when the pod is not runnable yet.
func (o *Orchestrator) runStartupVaultUnsealGate(ctx context.Context) error {
	o.noteStartupCheckState("vault-unseal", "running", "ensuring vault is unsealed before startup gates")
	deferred, detail, err := o.ensureVaultUnsealedWhenRunnable(ctx)
	if err != nil {
		o.noteStartupCheck("vault-unseal", false, err.Error())
		return err
	}
	if deferred {
		o.log.Printf("vault unseal deferred until workload recovery: %s", detail)
		o.noteStartupAutoHeal(detail)
		o.noteStartupCheck("vault-unseal", true, detail)
		return nil
	}
	o.noteStartupCheck("vault-unseal", true, "vault is unsealed")
	return nil
}
startup(ananke): scope emergency recovery to core services 2026-05-05 05:17:59 -03:00			`package cluster`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`
			`)`

			`// maybeRunEarlyVaultUnseal runs one orchestration or CLI step.`
			`// Signature: (o *Orchestrator) maybeRunEarlyVaultUnseal(ctx context.Context).`
			`// Why: gives startup a best-effort Vault recovery path when the API is already`
			`// live, without consuming the hard startup failure path before workloads recover.`
			`func (o *Orchestrator) maybeRunEarlyVaultUnseal(ctx context.Context) {`
			`if err := o.waitForAPI(ctx, 1, time.Second); err != nil {`
			`return`
			`}`

			`o.noteStartupCheckState("vault-unseal-early", "running", "best-effort early vault unseal while kubernetes api is already available")`
			`deferred, detail, err := o.ensureVaultUnsealedWhenRunnable(ctx)`
			`if err != nil {`
			`o.log.Printf("warning: early vault unseal deferred: %v", err)`
			`o.noteStartupAutoHeal(fmt.Sprintf("deferred early vault unseal: %v", err))`
			`return`
			`}`
			`if deferred {`
			`o.log.Printf("vault early unseal deferred: %s", detail)`
			`o.noteStartupAutoHeal(detail)`
			`return`
			`}`
			`o.noteStartupCheck("vault-unseal-early", true, "vault is already unsealed")`
			`}`

			`// runStartupVaultUnsealGate runs one orchestration or CLI step.`
			`// Signature: (o *Orchestrator) runStartupVaultUnsealGate(ctx context.Context) error.`
			`// Why: keeps the top-level startup flow readable while allowing Vault unseal to`
			`// defer cleanly until critical workload recovery when the pod is not runnable yet.`
			`func (o *Orchestrator) runStartupVaultUnsealGate(ctx context.Context) error {`
			`o.noteStartupCheckState("vault-unseal", "running", "ensuring vault is unsealed before startup gates")`
			`deferred, detail, err := o.ensureVaultUnsealedWhenRunnable(ctx)`
			`if err != nil {`
			`o.noteStartupCheck("vault-unseal", false, err.Error())`
			`return err`
			`}`
			`if deferred {`
			`o.log.Printf("vault unseal deferred until workload recovery: %s", detail)`
			`o.noteStartupAutoHeal(detail)`
			`o.noteStartupCheck("vault-unseal", true, detail)`
			`return nil`
			`}`
			`o.noteStartupCheck("vault-unseal", true, "vault is unsealed")`
			`return nil`
			`}`