disinto-admin/disinto
1
0
Fork 0
Code Issues 21 Pull requests Projects Releases Packages Wiki Activity Actions

fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/push/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline failed
Details
ci/woodpecker/pr/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline was successful
Details

Browse source
This commit is contained in:
dev-qwen2 2026-04-16 20:19:03 +00:00
parent 3e29a9a61d
commit 9c6c7147e6
5 changed files with 195 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

36
bin/disinto
View file

@ -670,6 +670,7 @@ _disinto_init_nomad() {
local import_env="${4:-}" import_sops="${5:-}" age_key="${6:-}"
local cluster_up="${FACTORY_ROOT}/lib/init/nomad/cluster-up.sh"
local deploy_sh="${FACTORY_ROOT}/lib/init/nomad/deploy.sh"
local vault_engines_sh="${FACTORY_ROOT}/lib/init/nomad/vault-engines.sh"
local vault_policies_sh="${FACTORY_ROOT}/tools/vault-apply-policies.sh"
local vault_auth_sh="${FACTORY_ROOT}/lib/init/nomad/vault-nomad-auth.sh"
local vault_import_sh="${FACTORY_ROOT}/tools/vault-import.sh"
@ -690,15 +691,20 @@ _disinto_init_nomad() {
# --empty combined with --with or any --import-* flag, so reaching
# this branch with those set is a bug in the caller.
#
# On the default (non-empty) path, vault-apply-policies.sh and
# vault-nomad-auth.sh are invoked unconditionally — they are idempotent
# and cheap to re-run, and subsequent --with deployments depend on
# them. vault-import.sh is invoked only when an --import-* flag is set.
# On the default (non-empty) path, vault-engines.sh, vault-apply-policies.sh
# and vault-nomad-auth.sh are invoked unconditionally — they are idempotent
# and cheap to re-run, and subsequent --with deployments depend on them.
# vault-engines.sh enables the kv/ secret engine required by all policies
# and roles. vault-import.sh is invoked only when an --import-* flag is set.
local import_any=false
if [ -n "$import_env" ] || [ -n "$import_sops" ]; then
import_any=true
fi
if [ "$empty" != "true" ]; then
if [ ! -x "$vault_engines_sh" ]; then
echo "Error: ${vault_engines_sh} not found or not executable" >&2
exit 1
fi
if [ ! -x "$vault_policies_sh" ]; then
echo "Error: ${vault_policies_sh} not found or not executable" >&2
exit 1
@ -737,10 +743,14 @@ _disinto_init_nomad() {
exit 0
fi
# Vault policies + auth are invoked on every nomad real-run path
# regardless of --import-* flags (they're idempotent; S2.1 + S2.3).
# Vault engines + policies + auth are invoked on every nomad real-run path
# regardless of --import-* flags. Vault engines (kv/ mount) is S2.1,
# policies are S2.1, auth is S2.3 — all idempotent and cheap to re-run.
# Mirror that ordering in the dry-run plan so the operator sees the
# full sequence Step 2 will execute.
echo "── Vault engines dry-run ──────────────────────────────"
echo "[engines] [dry-run] ${vault_engines_sh}"
echo ""
echo "── Vault policies dry-run ─────────────────────────────"
echo "[policies] [dry-run] ${vault_policies_sh} --dry-run"
echo ""
@ -814,6 +824,20 @@ _disinto_init_nomad() {
exit 0
fi
# Enable Vault secret engines (S2.1) — kv/ mount required by all policies.
echo ""
echo "── Enabling Vault secret engines ──────────────────────"
local -a engines_cmd=("$vault_engines_sh")
if [ "$(id -u)" -eq 0 ]; then
"${engines_cmd[@]}" || exit $?
else
if ! command -v sudo >/dev/null 2>&1; then
echo "Error: vault-engines.sh must run as root and sudo is not installed" >&2
exit 1
fi
sudo -n -- "${engines_cmd[@]}" || exit $?
fi
# Apply Vault policies (S2.1) — idempotent, safe to re-run.
echo ""
echo "── Applying Vault policies ────────────────────────────"