From 99af68deb228405fb407705399e3c50fd986c263 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Murat=20=C3=96ZDEM=C4=B0R?=
Date: Fri, 12 Jun 2026 09:42:10 +0300
Subject: [PATCH] feat(vault): Add cluster health check to skip bootstrap
Integrates `vault-check-health.sh` into `vault-bootstrap.sh` to perform a network-based health check. If all Vault nodes are found initialized and unsealed, the bootstrap process is skipped, preventing unnecessary restarts or re-initialization. Renames `failover_scenarios.md` to `vault_failover_scenarios.md` for improved clarity and consistency.
---
 vault-bootstrap.sh | 10 ++++++
 vault-check-health.sh | 34 +++++++++++++++++++
 ...cenarios.md => vault_failover_scenarios.md | 0
 3 files changed, 44 insertions(+)
 create mode 100755 vault-check-health.sh
 rename failover_scenarios.md => vault_failover_scenarios.md (100%)
diff --git a/vault-bootstrap.sh b/vault-bootstrap.sh
index 027ac53..d19c474 100755
--- a/vault-bootstrap.sh
+++ b/vault-bootstrap.sh
@@ -89,6 +89,16 @@ docker node ls &>/dev/null || fail "Swarm manager node is required"
 [ -f "$STACK_FILE" ] || fail "Stack file not found: $STACK_FILE"
 ok "Prerequisites completed"
 
+# ━━━ NEW: Cluster Health Check ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Check if the cluster is already healthy to avoid unnecessary restarts
+if bash "$(dirname "$0")/vault-check-health.sh"; then
+ echo
+ echo "════════════════════════════════════════════════"
+ echo " CLUSTER ALREADY HEALTHY — Skipping Bootstrap"
+ echo "════════════════════════════════════════════════"
+ exit 0
+fi
+
 # ━━━ STEP 1 — Placeholder secret ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 step "STEP 1 — Checking vault_unseal_key"
 if docker secret ls --format '{{.Name}}' | grep -q '^vault_unseal_key'; then
diff --git a/vault-check-health.sh b/vault-check-health.sh
new file mode 100755
index 0000000..a71899e
--- /dev/null
+++ b/vault-check-health.sh
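Review bot: A missing vault-check-health.sh makes `bash` exit 127, which the new `if` silently treats as "not healthy" and proceeds with a full bootstrap, the very restart/re-initialization the change sets out to avoid. The prerequisites block just above already guards `$STACK_FILE` with `fail`, so the companion script deserves the same check, e.g. `health_script="$(dirname "$0")/vault-check-health.sh"` then `[ -f "$health_script" ] || fail "Health check script not found: $health_script"` before `if bash "$health_script"; then`. The early `exit 0` also bypasses every later STEP of vault-bootstrap.sh (outside the hunk); if any of them is meant to run on an already-initialized cluster, the comment above the `if` should say that it is intentionally skipped.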
@@ -0,0 +1,34 @@
+#!/bin/bash
+# vault-check-health.sh — Verifies cluster health over the network (no token required).
+# Returns 0 (success) if all 3 nodes are initialized and unsealed.
+
+VAULT_NODES=("vault-1.iklim.co" "vault-2.iklim.co" "vault-3.iklim.co")
+HEALTHY_COUNT=0
+
+echo " --> Starting cluster health check (network-based)..."
+
+for node in "${VAULT_NODES[@]}"; do
+ # Check the /v1/sys/health endpoint for each node.
+ # 200: Initialized, unsealed, active
+ # 429: Initialized, unsealed, standby
+ # 501: Not initialized
+ # 503: Sealed
+
+ status_code=$(docker run --rm --network iklimco-net alpine/curl -s -o /dev/null -w "%{http_code}" \
+ --max-time 3 -k "https://${node}:8200/v1/sys/health" || echo "000")
+
+ if [ "$status_code" = "200" ] || [ "$status_code" = "429" ]; then
+ echo " [✓] $node: Healthy (Status: $status_code)"
+ HEALTHY_COUNT=$((HEALTHY_COUNT + 1))
+ else
+ echo " [!] $node: Problematic or Not Responding (Status: $status_code)"
+ fi
+done
+
+if [ "$HEALTHY_COUNT" -eq 3 ]; then
+ echo " --> Result: All nodes (3/3) are healthy."
+ exit 0
+else
+ echo " --> Result: Cluster is not fully healthy ($HEALTHY_COUNT/3)."
+ exit 1
+fi
diff --git a/failover_scenarios.md b/vault_failover_scenarios.md
similarity index 100%
rename from failover_scenarios.md
rename to vault_failover_scenarios.md
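Review bot: The curl probe on the `--max-time 3 -k` line disables TLS certificate verification, so whatever answers on the `vault-N.iklim.co` names inside iklimco-net is trusted to decide whether bootstrap is skipped; since the node addresses are fixed, verify against the cluster CA instead, `--cacert "${VAULT_CACERT:-<path-to-ca.pem>}"` (placeholder path), and keep `-k` out of a script that gates an unseal workflow. The `alpine/curl` image is unpinned and therefore floats with `latest` on every run; pin a tag or digest, e.g. `alpine/curl:<pinned-tag>`, so the health check is reproducible. Also, curl still emits its `%{http_code}` of `000` when the connection fails or times out, so the `|| echo "000"` fallback likely logs `000000`; dropping the fallback, or applying it only when `$status_code` is empty, keeps the per-node line meaningful. Finally, `-eq 3` and the `3/3` strings duplicate the array size; `"${#VAULT_NODES[@]}"` keeps the threshold in step with VAULT_NODES when a node is added or removed.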