fleetlock-vault

Reboot coordinator for Fedora CoreOS nodes using the Zincati FleetLock protocol and Hashicorp Vault as backend

Configuration

The server is configured with environment variables; the following are supported:

  • HEALTH_CHECK_URLS - Optional - A list of URLs to check before locking; every one of them must return HTTP 200 before a lock is granted. The value must be a JSON list, for example in bash:
    export HEALTH_CHECK_URLS='["https://example.com/health"]'
    
  • LOG_LEVEL - Optional - The log level to use, one of debug, info, warning or error. Defaults to info
  • VAULT_ADDR - Required - The address of the vault server
  • VAULT_TOKEN - Optional - The Vault token used for authentication. Leave this unset if, for instance, the server talks to Vault through the Vault agent in proxy mode, which injects the token for you
  • VAULT_ACTIVE_NODES - Optional - If set, the server checks that at least this many Vault nodes are active in the cluster before locking
  • VAULT_SECRET_PATH - Optional - The path where the kv2 secret backend is mounted. Defaults to secret
  • VAULT_SECRET_NAME - Optional - The name of the secret to use for the lock information. Defaults to fleetlock

Vault policy

The server must have access to vault with the following policy (replace VAULT_SECRET_PATH and VAULT_SECRET_NAME with the correct values):

path "VAULT_SECRET_PATH/data/VAULT_SECRET_NAME"
{
 capabilities = ["create", "read", "update"]
}

If you are using VAULT_ACTIVE_NODES you also need

path "sys/ha-status"
{
 capabilities = ["read"]
}
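The two sections above describe the same thing from two sides: the environment variables the server reads, and the Vault policy those values imply. The following added example (not fleetlock-vault's own code) parses the documented variables with the documented defaults, rejects the malformed values a practitioner most often ships (a bare URL instead of a JSON list, a non-numeric VAULT_ACTIVE_NODES, an unknown LOG_LEVEL) and renders the matching policy, including the sys/ha-status rule only when VAULT_ACTIVE_NODES is set. The Config dataclass, ConfigError and the function names are assumptions made for this example; the sample environment under __main__ is constructed.

```python
"""Added example, not the project's code: parse the documented fleetlock-vault
environment variables and render the Vault policy they require."""
import json
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

LOG_LEVELS = ("debug", "info", "warning", "error")


class ConfigError(ValueError):
    """Raised for a missing or malformed environment variable (hypothetical name)."""


@dataclass(frozen=True)
class Config:
    vault_addr: str
    vault_token: Optional[str] = None
    vault_active_nodes: Optional[int] = None
    vault_secret_path: str = "secret"      # README default
    vault_secret_name: str = "fleetlock"   # README default
    log_level: str = "info"                # README default
    health_check_urls: Tuple[str, ...] = ()


def _parse_urls(raw: str) -> Tuple[str, ...]:
    """HEALTH_CHECK_URLS must be a JSON list of http(s) URLs, not a bare URL."""
    try:
        urls = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ConfigError(f"HEALTH_CHECK_URLS is not valid JSON: {exc}") from exc
    if not isinstance(urls, list) or not all(isinstance(u, str) for u in urls):
        raise ConfigError("HEALTH_CHECK_URLS must be a JSON list of strings")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ConfigError(f"HEALTH_CHECK_URLS entry is not an http(s) URL: {url!r}")
    return tuple(urls)


def load_config(env: Optional[Mapping[str, str]] = None) -> Config:
    """Build a Config from an environment mapping (defaults to os.environ)."""
    env = os.environ if env is None else env
    addr = env.get("VAULT_ADDR", "").strip()
    if not addr:
        raise ConfigError("VAULT_ADDR is required")
    level = env.get("LOG_LEVEL", "info").lower()
    if level not in LOG_LEVELS:
        raise ConfigError(f"LOG_LEVEL must be one of {LOG_LEVELS}, got {level!r}")
    active: Optional[int] = None
    if env.get("VAULT_ACTIVE_NODES"):
        try:
            active = int(env["VAULT_ACTIVE_NODES"])
        except ValueError as exc:
            raise ConfigError("VAULT_ACTIVE_NODES must be an integer") from exc
        if active < 1:
            raise ConfigError("VAULT_ACTIVE_NODES must be at least 1")
    urls = _parse_urls(env["HEALTH_CHECK_URLS"]) if env.get("HEALTH_CHECK_URLS") else ()
    return Config(
        vault_addr=addr,
        vault_token=env.get("VAULT_TOKEN") or None,
        vault_active_nodes=active,
        # strip slashes so the policy path never becomes "kv//data/..."
        vault_secret_path=env.get("VAULT_SECRET_PATH", "secret").strip("/"),
        vault_secret_name=env.get("VAULT_SECRET_NAME", "fleetlock").strip("/"),
        log_level=level,
        health_check_urls=urls,
    )


def render_policy(cfg: Config) -> str:
    """Render the Vault policy from the README with the configured path and name."""
    lines = [
        f'path "{cfg.vault_secret_path}/data/{cfg.vault_secret_name}"',
        "{",
        ' capabilities = ["create", "read", "update"]',
        "}",
    ]
    if cfg.vault_active_nodes is not None:
        # only needed when the server queries the HA status before locking
        lines += ["", 'path "sys/ha-status"', "{", ' capabilities = ["read"]', "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample environment, mirroring the README's dev-instance setup
    sample_env = {
        "VAULT_ADDR": "http://localhost:8200",
        "VAULT_SECRET_PATH": "kv",
        "VAULT_ACTIVE_NODES": "3",
        "HEALTH_CHECK_URLS": '["https://example.com/health"]',
    }
    print(render_policy(load_config(sample_env)))
```

Run it as `python policy.py` to print the policy for a constructed environment, or pipe the output into `vault policy write fleetlock -` once you are satisfied with the values. Failing fast on a bare URL in HEALTH_CHECK_URLS matters: a value that silently parses to no URLs would skip the health gate and hand out locks unconditionally.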

Development

Install pre-commit and run pre-commit install so the hooks run on every commit

Install uv and run

uv sync --dev

Then to start the server, run

uv run uvicorn --reload app.main:app

Pytest

To run all tests, run

uv run pytest

Using vault dev instance

If you want to test against a development Vault instance, start Vault in dev mode and run the commands below. Dev mode keeps everything in memory, listens on plain HTTP and hands out a root token, so use it only for local testing. The read uses -s so the token is not echoed to the terminal or left in the scrollback:

vault secrets enable -version=2 kv
export VAULT_ADDR=http://localhost:8200
export VAULT_SECRET_PATH=kv
read -s -p "vault token? " VAULT_TOKEN
export VAULT_TOKEN
uv run uvicorn --reload app.main:app