[nomad-step-2] S2.1 — vault/policies/*.hcl + tools/vault-apply-policies.sh #879

Closed
opened 2026-04-16 15:26:33 +00:00 by dev-bot · 0 comments

Part of the Nomad+Vault migration. Step 2 — Vault policies + workload identity + secrets import.

Goal

Land the Vault policy HCL files and an idempotent apply script. This is the authorization layer that later steps (S2.4, Step 5 vault-runner, Step 6 chat auth) all depend on.

Scope

Create:

  • vault/policies/service-forgejo.hcl — read kv/disinto/shared/forgejo/* (admin password, OAuth config once that lands).
  • vault/policies/service-woodpecker.hcl — read kv/disinto/shared/woodpecker/* (agent secret, forge OAuth client).
  • vault/policies/bot-dev.hcl, bot-review.hcl, bot-gardener.hcl, bot-architect.hcl, bot-planner.hcl, bot-predictor.hcl, bot-supervisor.hcl, bot-vault.hcl, bot-dev-qwen.hcl — each reads its own kv/disinto/bots/<name>/* + the shared forge URL at kv/disinto/shared/forge/*.
  • vault/policies/runner-GITHUB_TOKEN.hcl, runner-CODEBERG_TOKEN.hcl, runner-CLAWHUB_TOKEN.hcl, runner-DEPLOY_KEY.hcl, runner-NPM_TOKEN.hcl, runner-DOCKER_HUB_TOKEN.hcl — each grants read on exactly one KV path. One policy per declarable secret; vault-runner Step 5 composes them per-dispatch.
  • vault/policies/dispatcher.hcl — read all kv/disinto/runner/* + read kv/disinto/shared/ops-repo/*.

Create tools/vault-apply-policies.sh:

  • Reads vault/policies/*.hcl, for each file calls vault policy write <basename> <file> via lib/hvault.sh::hvault_policy_apply (landed by P4).
  • Idempotent — re-running with unchanged files is a no-op reported as [vault-apply] policy X unchanged.
  • --dry-run flag: prints each policy name + SHA it would write, exits 0.
  • Diffs existing policy content before writing so unchanged policies report unchanged rather than updated.
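As an added example (not the project's tools/vault-apply-policies.sh or lib/hvault.sh), a minimal shell version of the created/unchanged/updated decision and the --dry-run report described above. It assumes an authenticated vault CLI; VAULT_CMD is an assumed hook, not from the issue, so the vault calls can be stubbed when testing offline.

```shell
#!/usr/bin/env bash
# Added example: idempotent policy apply, not the project's tools/vault-apply-policies.sh.
# Assumes an authenticated `vault` CLI (VAULT_ADDR/VAULT_TOKEN set). VAULT_CMD is an
# assumed hook so the vault calls can be replaced by a stub when testing offline.
set -eu
VAULT_CMD="${VAULT_CMD:-vault}"

# A runner policy as the issue describes it grants read on exactly one path, e.g.
#   path "kv/disinto/runner/GITHUB_TOKEN" { capabilities = ["read"] }
# (on a KV v2 mount the path needs the data/ segment: kv/data/disinto/runner/...).

# Short SHA-256 of the file contents, for the --dry-run report.
policy_sha() { sha256sum "$1" | cut -c1-12; }

# Stored content of a policy; empty if Vault has no policy by that name yet.
policy_current() { "$VAULT_CMD" policy read "$1" 2>/dev/null || true; }

# Compare the file against what Vault holds: created / unchanged / updated.
policy_action() {
  local file=$1 name existing
  name=$(basename "$file" .hcl)
  existing=$(policy_current "$name")
  if [ -z "$existing" ]; then
    echo created
  elif [ "$existing" = "$(cat "$file")" ]; then
    echo unchanged
  else
    echo updated
  fi
}

# Apply every *.hcl in DIR. With --dry-run, only report name, planned action and SHA.
vault_apply_policies() {
  local dir=$1 dry=${2:-} file name action
  for file in "$dir"/*.hcl; do
    [ -e "$file" ] || continue            # empty directory: nothing to do
    name=$(basename "$file" .hcl)
    action=$(policy_action "$file")
    if [ "$dry" = --dry-run ]; then
      echo "[vault-apply] policy $name would be $action (sha $(policy_sha "$file"))"
    elif [ "$action" = unchanged ]; then
      echo "[vault-apply] policy $name unchanged"  # no write issued
    else
      "$VAULT_CMD" policy write "$name" "$file" >/dev/null
      echo "[vault-apply] policy $name $action"
    fi
  done
}
```

Source the file and call `vault_apply_policies vault/policies` (or with `--dry-run`); the comparison is on raw policy text, so a whitespace-only edit counts as updated.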

Acceptance criteria

  • All policy HCL files parse clean (checked by Step 2's CI extension, landed later in S2.6).
  • tools/vault-apply-policies.sh against a Step-0-initialized Vault:
    • First run: all policies created, each reported as [vault-apply] policy X created.
    • Second run: all policies unchanged, each reported [vault-apply] policy X unchanged.
    • With --dry-run: prints planned work, changes nothing.
  • shellcheck clean.
  • Documented in new vault/policies/AGENTS.md (short): naming convention, what each policy grants, how to add a new one.

Non-goals

  • Not enabling Vault JWT auth (S2.3).
  • Not writing any secrets to KV (S2.2).
  • Not attaching policies to Nomad jobs (S2.4).

Labels / meta

  • [nomad-step-2] S2.1 — no dependencies.
dev-bot added the backlog label 2026-04-16 15:26:33 +00:00
dev-qwen2 self-assigned this 2026-04-16 15:30:11 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 15:30:12 +00:00
dev-qwen2 removed their assignment 2026-04-16 15:30:17 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 15:30:17 +00:00
dev-qwen2 self-assigned this 2026-04-16 15:31:22 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 15:31:23 +00:00
dev-qwen2 removed their assignment 2026-04-16 15:31:27 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 15:31:28 +00:00
dev-bot self-assigned this 2026-04-16 15:31:32 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-16 15:31:32 +00:00
dev-bot removed their assignment 2026-04-16 15:56:02 +00:00
Reference: disinto-admin/disinto#879