From 5fd36e94bb23ab7e23955d05abc2d06eae22a3f2 Mon Sep 17 00:00:00 2001
From: dev-qwen2
Date: Thu, 16 Apr 2026 19:32:21 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20lib/hvault.sh=20uses=20secret/=20mount?=
 =?UTF-8?q?=20prefix=20but=20migration=20policies=20use=20kv/=20=E2=80=94?=
 =?UTF-8?q?=20agents=20will=20get=20403=20(#890)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes:
- Add VAULT_KV_MOUNT env var (default: kv) to make KV mount configurable
- Update hvault_kv_get to use ${VAULT_KV_MOUNT}/data/${path}
- Update hvault_kv_put to use ${VAULT_KV_MOUNT}/data/${path}
- Update hvault_kv_list to use ${VAULT_KV_MOUNT}/metadata/${path}
- Update tests to use kv/ paths instead of secret/

This ensures agents can read/write secrets using the same mount point that the Nomad+Vault migration policies grant ACL for.
---
 lib/hvault.sh | 11 ++++++++---
 tests/lib-hvault.bats | 6 +++---
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/hvault.sh b/lib/hvault.sh
index c0e8f23..ec7fa7e 100644
--- a/lib/hvault.sh
+++ b/lib/hvault.sh
@@ -100,6 +100,11 @@ _hvault_request() {
 # ── Public API ───────────────────────────────────────────────────────────────
+# VAULT_KV_MOUNT — KV v2 mount point (default: "kv")
+# Override with: export VAULT_KV_MOUNT=secret
+# Used by: hvault_kv_get, hvault_kv_put, hvault_kv_list
+: "${VAULT_KV_MOUNT:=kv}"
+
 # hvault_kv_get PATH [KEY]
 # Read a KV v2 secret at PATH, optionally extract a single KEY.
 # Outputs: JSON value (full data object, or single key value)
@@ -114,7 +119,7 @@ hvault_kv_get() {
 _hvault_check_prereqs "hvault_kv_get" || return 1
 local response
- response="$(_hvault_request GET "secret/data/${path}")" || return 1
+ response="$(_hvault_request GET "${VAULT_KV_MOUNT}/data/${path}")" || return 1
 if [ -n "$key" ]; then
 printf '%s' "$response" | jq -e -r --arg key "$key" '.data.data[$key]' 2>/dev/null || {
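Review bot: The new `: "${VAULT_KV_MOUNT:=kv}"` line accepts any string from the environment and the three KV functions interpolate it unchecked into the request path, so a value with a trailing or leading slash (`kv/`, `/kv`) produces `kv//data/...` or `/kv/data/...` and, presumably, an opaque 404/403 from Vault instead of a clear configuration error. Normalise and validate once, directly after the default: `VAULT_KV_MOUNT="${VAULT_KV_MOUNT#/}"; VAULT_KV_MOUNT="${VAULT_KV_MOUNT%/}"`, then reject anything that is not a plain mount path with a `case` arm such as `''|*..*|*[[:space:]]*)` that reports the bad value on stderr and returns non-zero, so a misconfigured agent fails at library load rather than on its first secret read. Note also that `:=` substitutes the default when the variable is unset or empty, so an exported empty value silently becomes `kv`; if that is intended, state it in the comment above (`# empty is treated as unset`).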
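Review bot: The mount/data prefix is now assembled inline in three places — here in hvault_kv_get, in hvault_kv_put (`${VAULT_KV_MOUNT}/data/${path}`) and in hvault_kv_list (`${VAULT_KV_MOUNT}/metadata/${path}`) — which is the same drift pattern (a prefix hard-coded per function) that produced the `secret/` vs `kv/` mismatch this commit fixes. Build the full path once per function, `local kv_path="${VAULT_KV_MOUNT}/data/${path}"`, pass that to `_hvault_request`, and use it in the error context (`"path=$kv_path"` where hvault_kv_list currently passes `"path=$path"` to `_hvault_err`), so an agent that still gets a 403 can see which mount the library actually addressed. hvault_kv_get's error branch opens on the last line of this hunk and continues outside it, so I cannot confirm from here what it reports. The same applies to the hvault_kv_put and hvault_kv_list hunks that follow.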
@@ -154,7 +159,7 @@ hvault_kv_put() {
 payload="$(printf '%s' "$payload" | jq --arg k "$k" --arg v "$v" '.data[$k] = $v')"
 done
- _hvault_request POST "secret/data/${path}" "$payload" >/dev/null
+ _hvault_request POST "${VAULT_KV_MOUNT}/data/${path}" "$payload" >/dev/null
 }
 # hvault_kv_list PATH
@@ -170,7 +175,7 @@ hvault_kv_list() {
 _hvault_check_prereqs "hvault_kv_list" || return 1
 local response
- response="$(_hvault_request LIST "secret/metadata/${path}")" || return 1
+ response="$(_hvault_request LIST "${VAULT_KV_MOUNT}/metadata/${path}")" || return 1
 printf '%s' "$response" | jq -e '.data.keys' 2>/dev/null || {
 _hvault_err "hvault_kv_list" "failed to parse response" "path=$path"
diff --git a/tests/lib-hvault.bats b/tests/lib-hvault.bats
index 628bc99..2d779dc 100644
--- a/tests/lib-hvault.bats
+++ b/tests/lib-hvault.bats
@@ -126,7 +126,7 @@ setup() {
 @test "hvault_policy_apply creates a policy" {
 local pfile="${BATS_TEST_TMPDIR}/test-policy.hcl"
 cat > "$pfile" <<'HCL'
-path "secret/data/test/*" {
+path "kv/data/test/*" {
 capabilities = ["read"]
 }
 HCL
@@ -138,12 +138,12 @@ HCL
 run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
 "${VAULT_ADDR}/v1/sys/policies/acl/test-reader"
 [ "$status" -eq 0 ]
- echo "$output" | jq -e '.data.policy' | grep -q "secret/data/test"
+ echo "$output" | jq -e '.data.policy' | grep -q "kv/data/test"
 }
 @test "hvault_policy_apply is idempotent" {
 local pfile="${BATS_TEST_TMPDIR}/idem-policy.hcl"
- printf 'path "secret/*" { capabilities = ["list"] }\n' > "$pfile"
+ printf 'path "kv/*" { capabilities = ["list"] }\n' > "$pfile"
 run hvault_policy_apply "idem-policy" "$pfile"
 [ "$status" -eq 0 ]
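Review bot: Nothing in the updated tests exercises the new `VAULT_KV_MOUNT` behaviour: the changed fixtures in this hunk and the one after it only swap a `secret/` string for `kv/` inside policy files fed to hvault_policy_apply, which would pass unchanged against the old library too. Add a test that sources the library with `VAULT_KV_MOUNT` unset and asserts `[ "$VAULT_KV_MOUNT" = "kv" ]`, and one that exports `VAULT_KV_MOUNT=secret` and checks that hvault_kv_put followed by hvault_kv_get round-trips against that mount, so the regression named in the commit title — library and policy disagreeing on the mount, producing a 403 — is caught by CI rather than by an agent at runtime. The `hvault_policy_apply is idempotent` test's hunk may continue past the end of this chunk.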