From 677f2a97e7c1e76611019ce191fc1675d207e518 Mon Sep 17 00:00:00 2001
From: Agent
Date: Thu, 16 Apr 2026 21:16:40 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20[nomad-step-2]=20S2-fix-B=20=E2=80=94=20?=
 =?UTF-8?q?extract=20=5Fhvault=5Fdefault=5Fenv=20helper=20to=20lib/hvault.?=
 =?UTF-8?q?sh=20(prereq=20for=20other=20S2=20fixes)=20(#919)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/hvault.sh | 12 ++++++++++++
 lib/init/nomad/vault-nomad-auth.sh | 6 ++----
 tools/vault-apply-policies.sh | 4 +---
 tools/vault-apply-roles.sh | 4 +---
 tools/vault-import.sh | 1 +
 5 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/lib/hvault.sh b/lib/hvault.sh
index ec7fa7e..27d4449 100644
--- a/lib/hvault.sh
+++ b/lib/hvault.sh
@@ -16,6 +16,18 @@ set -euo pipefail
 
 # ── Internal helpers ─────────────────────────────────────────────────────────
 
+# _hvault_default_env — ensure VAULT_ADDR and VAULT_TOKEN are set for local-cluster operation
+# Safe to call multiple times; no-op if both are already exported.
+# Reads VAULT_TOKEN from /etc/vault.d/root.token if the file is readable.
+_hvault_default_env() {
+ : "${VAULT_ADDR:=http://127.0.0.1:8200}"
+ export VAULT_ADDR
+ if [ -z "${VAULT_TOKEN:-}" ] && [ -r /etc/vault.d/root.token ]; then
+ VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+ export VAULT_TOKEN
+ fi
+}
+
 # _hvault_err — emit structured JSON error to stderr
 # Args: func_name, message, [detail]
 _hvault_err() {
diff --git a/lib/init/nomad/vault-nomad-auth.sh b/lib/init/nomad/vault-nomad-auth.sh
index 8a75e21..2c21e6a 100755
--- a/lib/init/nomad/vault-nomad-auth.sh
+++ b/lib/init/nomad/vault-nomad-auth.sh
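Review bot: The new helper exports the Vault root token into the process environment with `VAULT_TOKEN="$(cat /etc/vault.d/root.token)"`, so every child process inherits it and, when a caller runs with `set -x`, the token value is printed in the trace of that assignment. Reading it with the `read` builtin keeps the value out of xtrace and drops the subshell, and the empty-file case — which today exports an empty VAULT_TOKEN and only fails later in hvault_token_lookup — can be reported here instead. The header comment's "no-op if both are already exported" is also slightly off, since VAULT_ADDR is re-exported unconditionally; I'd write `# Always exports VAULT_ADDR (defaulting to loopback plaintext HTTP); VAULT_TOKEN is only set here when it is unset and the root token file is readable.` Whether `_hvault_err` exits or merely emits is not visible in this hunk, hence the explicit `return 1` below.
```shell
_hvault_default_env() {
  # … unchanged: VAULT_ADDR default + export …
  if [ -z "${VAULT_TOKEN:-}" ] && [ -r /etc/vault.d/root.token ]; then
    # read builtin: no subshell, and the token value is not echoed by `set -x`
    read -r VAULT_TOKEN < /etc/vault.d/root.token || true
    if [ -z "${VAULT_TOKEN}" ]; then
      _hvault_err _hvault_default_env "root token file is empty" /etc/vault.d/root.token
      return 1
    fi
    export VAULT_TOKEN
  fi
}
```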
@@ -49,11 +49,9 @@ APPLY_ROLES_SH="${REPO_ROOT}/tools/vault-apply-roles.sh"
 SERVER_HCL_SRC="${REPO_ROOT}/nomad/server.hcl"
 SERVER_HCL_DST="/etc/nomad.d/server.hcl"
 
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# shellcheck source=../../hvault.sh
+# shellcheck source=../../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 log() { printf '[vault-auth] %s\n' "$*"; }
 die() { printf '[vault-auth] ERROR: %s\n' "$*" >&2; exit 1; }
diff --git a/tools/vault-apply-policies.sh b/tools/vault-apply-policies.sh
index 85fc233..4aad093 100755
--- a/tools/vault-apply-policies.sh
+++ b/tools/vault-apply-policies.sh
@@ -40,6 +40,7 @@ POLICIES_DIR="${REPO_ROOT}/vault/policies"
 
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 log() { printf '[vault-apply] %s\n' "$*"; }
 die() { printf '[vault-apply] ERROR: %s\n' "$*" >&2; exit 1; }
@@ -94,9 +95,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-[ -n "${VAULT_ADDR:-}" ] \
- || die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
 # the per-file loop below doesn't emit N identical "HTTP 403" errors.
diff --git a/tools/vault-apply-roles.sh b/tools/vault-apply-roles.sh
index 2f02eb6..ac9ee4a 100755
--- a/tools/vault-apply-roles.sh
+++ b/tools/vault-apply-roles.sh
@@ -49,6 +49,7 @@ ROLES_FILE="${REPO_ROOT}/vault/roles.yaml"
 
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 # Constants shared across every role — the issue's AC names these as the
 # invariant token shape for Nomad workload identity. Bumping any of these
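Review bot: The updated directive `# shellcheck source=../../lib/hvault.sh` no longer matches the file it annotates: relative to lib/init/nomad/, that path is lib/lib/hvault.sh, whereas the `source` line below resolves to lib/hvault.sh and the tools/ scripts in this same patch use the script-relative form `../lib/hvault.sh`. Unless a .shellcheckrc source-path makes it resolve differently, shellcheck will report SC1091 and stop following the helper library, so `_hvault_default_env` and the other hvault_* calls in this script go unchecked. The old directive was the correct one; I'd restore `# shellcheck source=../../hvault.sh`.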
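Review bot: With `_hvault_default_env` now called at source time, the retained comment `# hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)` describes a fallback this script can no longer reach: VAULT_TOKEN is already exported before the dry-run check, so hvault_token_lookup only ever sees the env value. I'd update it to `# VAULT_ADDR/VAULT_TOKEN were resolved by _hvault_default_env at startup; hvault_token_lookup confirms the server is reachable with a valid token.` Note also that the root token is now read and exported even on the `--dry-run` path, which, judging by the `fi` that precedes this connectivity section, never contacts Vault; if dry-run is meant to run on hosts where operators should not need the root token, the helper call belongs after the dry-run branch rather than next to `source`. The dry-run `if` this hunk closes starts before the hunk.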
@@ -219,9 +220,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-if [ -z "${VAULT_ADDR:-}" ]; then
- die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-fi
 if ! hvault_token_lookup >/dev/null; then
 die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"
 fi
diff --git a/tools/vault-import.sh b/tools/vault-import.sh
index e678d36..5615447 100755
--- a/tools/vault-import.sh
+++ b/tools/vault-import.sh
@@ -302,6 +302,7 @@ EOF
 
 # Source the Vault helpers
 source "$(dirname "$0")/../lib/hvault.sh"
+ _hvault_default_env
 
 # Load .env file
 _log "Loading environment from: $env_file"
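Review bot: `_hvault_default_env` is called before the `.env` file is loaded, so the root token from /etc/vault.d/root.token is exported first, and whether an operator-supplied VAULT_TOKEN or VAULT_ADDR in `$env_file` then takes precedence depends on how the loader assigns (a plain `export VAR=…` overrides, a `${VAR:=…}` default does not) — that loader is outside this hunk. Moving the call below the `.env` load makes the intent unambiguous: explicit configuration wins and the root token is only a fallback, which is the safer default for a tool that writes into Vault. I'd also say why the fallback is acceptable here, e.g. `# fall back to the local root token only when .env supplied no VAULT_TOKEN`. The enclosing function starts before and ends after this hunk.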