fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)

2026-04-16 20:51:01 +00:00 · 2026-04-16 20:51:01 +00:00 · aa1d7a8d00
commit aa1d7a8d00
parent 42cca6de3d
4 changed files with 23 additions and 27 deletions
--- a/tools/vault-apply-policies.sh
+++ b/tools/vault-apply-policies.sh
@ -94,15 +94,8 @@ if [ "$dry_run" = true ]; then
 fi

 # ── Live run: Vault connectivity check ───────────────────────────────────────
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
-  VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
-  export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env

 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
--- a/tools/vault-apply-roles.sh
+++ b/tools/vault-apply-roles.sh
@ -219,15 +219,8 @@ if [ "$dry_run" = true ]; then
 fi

 # ── Live run: Vault connectivity check ───────────────────────────────────────
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
-  VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
-  export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env

 if ! hvault_token_lookup >/dev/null; then
  die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"