From aa1d7a8d00504a67effa6a6b721934fb832abbf3 Mon Sep 17 00:00:00 2001
From: dev-qwen2
Date: Thu, 16 Apr 2026 20:51:01 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20[nomad-step-2]=20S2-fix=20=E2=80=94=204?=
 =?UTF-8?q?=20bugs=20block=20Step=202=20verification:=20kv/=20mount=20miss?=
 =?UTF-8?q?ing,=20VAULT=5FADDR,=20--sops=20required,=20template=20fallback?=
 =?UTF-8?q?=20(#912)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/hvault.sh | 17 +++++++++++++++++
 lib/init/nomad/vault-engines.sh | 11 ++---------
 tools/vault-apply-policies.sh | 11 ++---------
 tools/vault-apply-roles.sh | 11 ++---------
 4 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/lib/hvault.sh b/lib/hvault.sh
index ec7fa7e..b82e4e3 100644
--- a/lib/hvault.sh
+++ b/lib/hvault.sh
@@ -38,6 +38,23 @@ _hvault_resolve_token() {
 return 1
 }
+# _hvault_default_env — set default VAULT_ADDR and resolve VAULT_TOKEN
+#
+# Sets VAULT_ADDR to http://127.0.0.1:8200 if not already set.
+# Resolves VAULT_TOKEN from /etc/vault.d/root.token if not in env.
+# Exports both variables.
+#
+# Usage: source hvault.sh; _hvault_default_env
+_hvault_default_env() {
+ VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+ export VAULT_ADDR
+
+ if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
+ VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+ export VAULT_TOKEN
+ fi
+}
+
 # _hvault_check_prereqs — validate VAULT_ADDR and VAULT_TOKEN are set
 # Args: caller function name
 _hvault_check_prereqs() {
diff --git a/lib/init/nomad/vault-engines.sh b/lib/init/nomad/vault-engines.sh
index 161c470..fec0959 100644
--- a/lib/init/nomad/vault-engines.sh
+++ b/lib/init/nomad/vault-engines.sh
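Review bot: `_hvault_default_env` gates on `[ -f /etc/vault.d/root.token ]` but then runs `cat` unconditionally, so a token file that exists but is unreadable to the caller (a root-owned, mode-0600 file read by an unprivileged user) either exports an empty `VAULT_TOKEN` or, under `set -e`, aborts on an unexplained cat error; test readability and check the read: `[ -r /etc/vault.d/root.token ]` and `VAULT_TOKEN="$(cat /etc/vault.d/root.token)" || return 1`. The context in the tools/vault-apply-policies.sh hunk says `hvault_token_lookup` already resolves the token from env or /etc/vault.d/root.token, and `_hvault_resolve_token` sits directly above this hunk, so this helper is now a further place that knows the root-token path and read logic; if `_hvault_resolve_token` yields the token, delegating to it would keep that in one place. Since the helper exports the root token into the calling shell's environment, the header comment should say so, e.g. `# NOTE: exports the root token to every child process; keep xtrace (set -x) off around this call.`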
@@ -75,15 +75,8 @@ for bin in curl jq; do
 || die "required binary not found: ${bin}"
 done
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
- VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
- export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env
 # Check Vault connectivity and unsealed status
 hvault_token_lookup >/dev/null \
diff --git a/tools/vault-apply-policies.sh b/tools/vault-apply-policies.sh
index cb7d51e..b9f8a26 100755
--- a/tools/vault-apply-policies.sh
+++ b/tools/vault-apply-policies.sh
@@ -94,15 +94,8 @@ if [ "$dry_run" = true ]; then
 fi
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
- VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
- export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
diff --git a/tools/vault-apply-roles.sh b/tools/vault-apply-roles.sh
index 8ff4a23..835334c 100755
--- a/tools/vault-apply-roles.sh
+++ b/tools/vault-apply-roles.sh
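Review bot: The replacement comment `# Set default Vault environment (fixes issue #2)` loses the fact that this is the point where the root token is read from disk, which the removed lines made explicit; anyone auditing which scripts consume /etc/vault.d/root.token will no longer find this script by reading it. Suggest `# Default VAULT_ADDR and load VAULT_TOKEN from /etc/vault.d/root.token when unset (see _hvault_default_env in lib/hvault.sh)` here, and the same in the identical hunks of tools/vault-apply-policies.sh and tools/vault-apply-roles.sh. The call also assumes lib/hvault.sh has been sourced earlier in the script; that sourcing is outside the hunk, so a missing source now fails as "command not found" at this line rather than at the removed inline code.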
@@ -219,15 +219,8 @@ if [ "$dry_run" = true ]; then
 fi
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
- VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
- export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env
 if ! hvault_token_lookup >/dev/null; then
 die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"