fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)

2026-04-16 20:46:11 +00:00 · 2026-04-16 20:46:11 +00:00 · 42cca6de3d
commit 42cca6de3d
parent 3e29a9a61d
6 changed files with 211 additions and 43 deletions
--- a/tools/vault-apply-policies.sh
+++ b/tools/vault-apply-policies.sh
@ -94,8 +94,15 @@ if [ "$dry_run" = true ]; then
 fi

 # ── Live run: Vault connectivity check ───────────────────────────────────────
-[ -n "${VAULT_ADDR:-}" ] \
-  || die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
+# Default VAULT_ADDR if not set (fixes issue #2)
+VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+export VAULT_ADDR
+
+# Resolve VAULT_TOKEN if not set (fixes issue #2)
+if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
+  VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+  export VAULT_TOKEN
+fi

 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
--- a/tools/vault-apply-roles.sh
+++ b/tools/vault-apply-roles.sh
@ -219,9 +219,16 @@ if [ "$dry_run" = true ]; then
 fi

 # ── Live run: Vault connectivity check ───────────────────────────────────────
-if [ -z "${VAULT_ADDR:-}" ]; then
-  die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
+# Default VAULT_ADDR if not set (fixes issue #2)
+VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+export VAULT_ADDR
+
+# Resolve VAULT_TOKEN if not set (fixes issue #2)
+if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
+  VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+  export VAULT_TOKEN
 fi
+
 if ! hvault_token_lookup >/dev/null; then
  die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"
 fi
--- a/tools/vault-import.sh
+++ b/tools/vault-import.sh
@ -236,14 +236,14 @@ vault-import.sh — Import .env and sops-decrypted secrets into Vault KV
 Usage:
  vault-import.sh \
    --env /path/to/.env \
-    --sops /path/to/.env.vault.enc \
-    --age-key /path/to/age/keys.txt \
+    [--sops /path/to/.env.vault.enc] \
+    [--age-key /path/to/age/keys.txt] \
    [--dry-run]

 Options:
  --env       Path to .env file (required)
-  --sops      Path to sops-encrypted .env.vault.enc file (required)
-  --age-key   Path to age keys file (required)
+  --sops      Path to sops-encrypted .env.vault.enc file (optional)
+  --age-key   Path to age keys file (required if --sops is provided)
  --dry-run   Print import plan without writing to Vault (optional)
  --help      Show this help message

@ -276,26 +276,28 @@ EOF
  if [ -z "$env_file" ]; then
    _die "Missing required argument: --env"
  fi
-  if [ -z "$sops_file" ]; then
-    _die "Missing required argument: --sops"
-  fi
-  if [ -z "$age_key_file" ]; then
-    _die "Missing required argument: --age-key"
+  # --sops and --age-key are optional:
+  #   - If --sops is provided, --age-key is required
+  #   - If --sops is not provided, --age-key is not needed
+  if [ -n "$sops_file" ] && [ -z "$age_key_file" ]; then
+    _die "Missing required argument: --age-key (required when --sops is provided)"
  fi

  # Validate files exist
  if [ ! -f "$env_file" ]; then
    _die "Environment file not found: $env_file"
  fi
-  if [ ! -f "$sops_file" ]; then
+  if [ -n "$sops_file" ] && [ ! -f "$sops_file" ]; then
    _die "Sops file not found: $sops_file"
  fi
-  if [ ! -f "$age_key_file" ]; then
+  if [ -n "$age_key_file" ] && [ ! -f "$age_key_file" ]; then
    _die "Age key file not found: $age_key_file"
  fi

-  # Security check: age key permissions
-  _validate_age_key_perms "$age_key_file"
+  # Security check: age key permissions (only if age key is provided)
+  if [ -n "$age_key_file" ]; then
+    _validate_age_key_perms "$age_key_file"
+  fi

  # Security check: VAULT_ADDR must be localhost
  _check_vault_addr
@ -307,12 +309,16 @@ EOF
  _log "Loading environment from: $env_file"
  _load_env_file "$env_file"

-  # Decrypt sops file
-  _log "Decrypting sops file: $sops_file"
-  local sops_env
-  sops_env="$(_decrypt_sops "$sops_file" "$age_key_file")"
-  # shellcheck disable=SC2086
-  eval "$sops_env"
+  # Decrypt sops file if --sops was provided
+  local sops_env=""
+  if [ -n "$sops_file" ]; then
+    _log "Decrypting sops file: $sops_file"
+    sops_env="$(_decrypt_sops "$sops_file" "$age_key_file")"
+    # shellcheck disable=SC2086
+    eval "$sops_env"
+  else
+    _log "No --sops provided — skipping sops decryption"
+  fi

  # Collect all import operations
  declare -a operations=()
@ -397,8 +403,12 @@ EOF
  if $dry_run; then
    _log "=== DRY-RUN: Import plan ==="
    _log "Environment file: $env_file"
-    _log "Sops file: $sops_file"
-    _log "Age key: $age_key_file"
+    if [ -n "$sops_file" ]; then
+      _log "Sops file: $sops_file"
+      _log "Age key: $age_key_file"
+    else
+      _log "Sops file: (not provided)"
+    fi
    _log ""
    _log "Planned operations:"
    for op in "${operations[@]}"; do
@ -413,8 +423,12 @@ EOF

  _log "=== Starting Vault import ==="
  _log "Environment file: $env_file"
-  _log "Sops file: $sops_file"
-  _log "Age key: $age_key_file"
+  if [ -n "$sops_file" ]; then
+    _log "Sops file: $sops_file"
+    _log "Age key: $age_key_file"
+  else
+    _log "Sops file: (not provided — skipping sops-based imports)"
+  fi
  _log ""

  local created=0