disinto-admin/disinto
1
0
Fork 0
Code Issues 16 Pull requests Projects Releases Packages Wiki Activity Actions

fix: lib/hvault.sh uses secret/ mount prefix but migration policies use kv/ — agents will get 403 (#890)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline was successful
Details

Browse source 
Changes:
- Add VAULT_KV_MOUNT env var (default: kv) to make KV mount configurable
- Update hvault_kv_get to use ${VAULT_KV_MOUNT}/data/${path}
- Update hvault_kv_put to use ${VAULT_KV_MOUNT}/data/${path}
- Update hvault_kv_list to use ${VAULT_KV_MOUNT}/metadata/${path}
- Update tests to use kv/ paths instead of secret/

This ensures agents can read/write secrets using the same mount point
that the Nomad+Vault migration policies grant ACL for.
This commit is contained in:
dev-qwen2 2026-04-16 19:32:21 +00:00
parent 520f8f1be8
commit 5fd36e94bb
2 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

11
lib/hvault.sh
View file

@ -100,6 +100,11 @@ _hvault_request() {
# ── Public API ───────────────────────────────────────────────────────────────
# VAULT_KV_MOUNT — KV v2 mount point (default: "kv")
# Override with: export VAULT_KV_MOUNT=secret
# Used by: hvault_kv_get, hvault_kv_put, hvault_kv_list
: "${VAULT_KV_MOUNT:=kv}"
# hvault_kv_get PATH [KEY]
# Read a KV v2 secret at PATH, optionally extract a single KEY.
# Outputs: JSON value (full data object, or single key value)
@ -114,7 +119,7 @@ hvault_kv_get() {
_hvault_check_prereqs "hvault_kv_get" || return 1
local response
response="$(_hvault_request GET "secret/data/${path}")" || return 1
response="$(_hvault_request GET "${VAULT_KV_MOUNT}/data/${path}")" || return 1
if [ -n "$key" ]; then
printf '%s' "$response" | jq -e -r --arg key "$key" '.data.data[$key]' 2>/dev/null || {
@ -154,7 +159,7 @@ hvault_kv_put() {
payload="$(printf '%s' "$payload" | jq --arg k "$k" --arg v "$v" '.data[$k] = $v')"
done
_hvault_request POST "secret/data/${path}" "$payload" >/dev/null
_hvault_request POST "${VAULT_KV_MOUNT}/data/${path}" "$payload" >/dev/null
}
# hvault_kv_list PATH
@ -170,7 +175,7 @@ hvault_kv_list() {
_hvault_check_prereqs "hvault_kv_list" || return 1
local response
response="$(_hvault_request LIST "secret/metadata/${path}")" || return 1
response="$(_hvault_request LIST "${VAULT_KV_MOUNT}/metadata/${path}")" || return 1
printf '%s' "$response" | jq -e '.data.keys' 2>/dev/null || {
_hvault_err "hvault_kv_list" "failed to parse response" "path=$path"

6
tests/lib-hvault.bats
View file

@ -126,7 +126,7 @@ setup() {
@test "hvault_policy_apply creates a policy" {
local pfile="${BATS_TEST_TMPDIR}/test-policy.hcl"
cat > "$pfile" <<'HCL'
path "secret/data/test/*" {
path "kv/data/test/*" {
capabilities = ["read"]
}
HCL
@ -138,12 +138,12 @@ HCL
run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
"${VAULT_ADDR}/v1/sys/policies/acl/test-reader"
[ "$status" -eq 0 ]
echo "$output" | jq -e '.data.policy' | grep -q "secret/data/test"
echo "$output" | jq -e '.data.policy' | grep -q "kv/data/test"
}
@test "hvault_policy_apply is idempotent" {
local pfile="${BATS_TEST_TMPDIR}/idem-policy.hcl"
printf 'path "secret/*" { capabilities = ["list"] }\n' > "$pfile"
printf 'path "kv/*" { capabilities = ["list"] }\n' > "$pfile"
run hvault_policy_apply "idem-policy" "$pfile"
[ "$status" -eq 0 ]