disinto-admin/disinto
1
0
Fork 0
Code Issues 17 Pull requests Projects Releases Packages Wiki Activity Actions

fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/push/nomad-validate Pipeline failed
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/nomad-validate Pipeline failed
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline was successful
Details

Browse source
This commit is contained in:
dev-qwen2 2026-04-16 20:51:01 +00:00
parent 42cca6de3d
commit aa1d7a8d00
4 changed files with 23 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

17
lib/hvault.sh
View file

@ -38,6 +38,23 @@ _hvault_resolve_token() {
return 1 return 1
} }
# _hvault_default_env — set default VAULT_ADDR and resolve VAULT_TOKEN
#
# Sets VAULT_ADDR to http://127.0.0.1:8200 if not already set.
# Resolves VAULT_TOKEN from /etc/vault.d/root.token if not in env.
# Exports both variables.
#
# Usage: source hvault.sh; _hvault_default_env
_hvault_default_env() {
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
export VAULT_ADDR
if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
export VAULT_TOKEN
fi
}
# _hvault_check_prereqs — validate VAULT_ADDR and VAULT_TOKEN are set # _hvault_check_prereqs — validate VAULT_ADDR and VAULT_TOKEN are set
# Args: caller function name # Args: caller function name
_hvault_check_prereqs() { _hvault_check_prereqs() {

11
lib/init/nomad/vault-engines.sh
View file

@ -75,15 +75,8 @@ for bin in curl jq; do
|| die "required binary not found: ${bin}" || die "required binary not found: ${bin}"
done done
# Default VAULT_ADDR if not set (fixes issue #2) # Set default Vault environment (fixes issue #2)
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}" _hvault_default_env
export VAULT_ADDR
# Resolve VAULT_TOKEN if not set (fixes issue #2)
if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
export VAULT_TOKEN
fi
# Check Vault connectivity and unsealed status # Check Vault connectivity and unsealed status
hvault_token_lookup >/dev/null \ hvault_token_lookup >/dev/null \

11
tools/vault-apply-policies.sh
View file

@ -94,15 +94,8 @@ if [ "$dry_run" = true ]; then
fi fi
# ── Live run: Vault connectivity check ─────────────────────────────────────── # ── Live run: Vault connectivity check ───────────────────────────────────────
# Default VAULT_ADDR if not set (fixes issue #2) # Set default Vault environment (fixes issue #2)
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}" _hvault_default_env
export VAULT_ADDR
# Resolve VAULT_TOKEN if not set (fixes issue #2)
if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
export VAULT_TOKEN
fi
# hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token) # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
# and confirms the server is reachable with a valid token. Fail fast here so # and confirms the server is reachable with a valid token. Fail fast here so

11
tools/vault-apply-roles.sh
View file

@ -219,15 +219,8 @@ if [ "$dry_run" = true ]; then
fi fi
# ── Live run: Vault connectivity check ─────────────────────────────────────── # ── Live run: Vault connectivity check ───────────────────────────────────────
# Default VAULT_ADDR if not set (fixes issue #2) # Set default Vault environment (fixes issue #2)
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}" _hvault_default_env
export VAULT_ADDR
# Resolve VAULT_TOKEN if not set (fixes issue #2)
if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
export VAULT_TOKEN
fi
if ! hvault_token_lookup >/dev/null; then if ! hvault_token_lookup >/dev/null; then
die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN" die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"