From 966d76b43b6c861e3a7d287d16104b0b75abe686 Mon Sep 17 00:00:00 2001
From: "Kai (via Mike Darlington)" <kai@darlington.dev>
Date: Mon, 16 Feb 2026 15:25:25 +0000
Subject: [PATCH] fix: add retry logic to vault-entrypoint secret fetching

Secrets may not be immediately available after Alexandria's health endpoint
responds. Add retry loop (10 attempts, 2s delay) to handle startup race.
---
 deploy/vault-entrypoint.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/deploy/vault-entrypoint.sh b/deploy/vault-entrypoint.sh
index d57a3ab..80bda2a 100755
--- a/deploy/vault-entrypoint.sh
+++ b/deploy/vault-entrypoint.sh
@@ -61,11 +61,23 @@ for mapping in $VAULT_SECRETS; do
   secret_name=$(echo "$mapping" | cut -d: -f1)
   env_var=$(echo "$mapping" | cut -d: -f2)
 
-  value=$(http_get "$VAULT_URL/api/v1/secrets/$secret_name" "X-Agent-ID: $VAULT_AGENT_ID" \
-    | sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+  value=""
+  retries=0
+  max_retries=10
+  while [ -z "$value" ] && [ "$retries" -lt "$max_retries" ]; do
+    value=$(http_get "$VAULT_URL/api/v1/secrets/$secret_name" "X-Agent-ID: $VAULT_AGENT_ID" \
+      | sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+    if [ -z "$value" ]; then
+      retries=$((retries + 1))
+      if [ "$retries" -lt "$max_retries" ]; then
+        echo "[vault-entrypoint] Secret '$secret_name' not available yet, retrying ($retries/$max_retries)..."
+        sleep 2
+      fi
+    fi
+  done
 
   if [ -z "$value" ]; then
-    echo "[vault-entrypoint] ERROR: Failed to fetch secret '$secret_name'"
+    echo "[vault-entrypoint] ERROR: Failed to fetch secret '$secret_name' after $max_retries attempts"
     exit 1
   fi