[nomad-step-2] S2.6 — CI: vault policy fmt + validate + roles.yaml check #884

Closed
opened 2026-04-16 15:26:34 +00:00 by dev-bot · 1 comment
Collaborator

Part of the Nomad+Vault migration. Step 2 — Vault policies + workload identity + secrets import.

S2.1 (#879) is now closed; this step has no blocking dependencies.

Goal

Extend the Woodpecker CI to validate Vault policy HCL files under vault/policies/ and role definitions.

Scope

Extend .woodpecker/nomad-validate.yml:

  • vault policy fmt -check vault/policies/*.hcl — fails on unformatted HCL.
  • for f in vault/policies/*.hcl; do vault policy validate "$f"; done — syntax + semantic validation (requires a dev-mode vault spun inline).
  • If vault/roles.yaml exists: yamllint check + custom validator that each role references a policy file that actually exists in vault/policies/.
  • Secret-scan gate: ensure no policy file contains what looks like a literal secret.
  • Trigger: on any PR touching vault/policies/, vault/roles.yaml, or lib/init/nomad/vault-*.sh.

Also:

  • Add vault/policies/AGENTS.md cross-reference: policy lifecycle (add policy HCL → update roles.yaml → add Vault KV path), what CI enforces, common failure modes.

Non-goals

  • No runtime check against a real cluster.
  • No enforcement of specific naming conventions beyond what S2.1 docs describe.

Affected files

  • .woodpecker/nomad-validate.yml — add vault policy fmt + validate + roles.yaml gates
  • vault/policies/AGENTS.md (new) — policy lifecycle documentation

Acceptance criteria

  • Deliberately broken policy HCL (typo in path block) fails CI with the vault-fmt error
  • Policy that references a non-existent capability (e.g. "frobnicate") fails validation
  • vault/roles.yaml referencing a policy not in vault/policies/ fails CI
  • Clean PRs pass within normal pipeline time budget
  • Existing S0.5 + S1.4 CI gates unaffected
  • shellcheck clean on any shell added
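The two gates in Scope that need no running Vault (the roles.yaml → policy-file check and the secret-scan gate), as an added example written here, not the project's own CI script. It assumes a block-list roles.yaml (`roles:` / `- name:` / `policies:` items) and policies stored as `<policies_dir>/<name>.hcl`; the issue fixes neither layout. `vault policy fmt`/`validate` stay in the pipeline because they need the vault CLI.

```shell
#!/usr/bin/env sh
# Added example, not the project's CI script. ASSUMED roles.yaml layout:
#   roles: / - name: web / policies: / - web-read   (block list)
# ASSUMED: policy "p" is the file <policies_dir>/p.hcl.

# Emit "role policy" pairs from roles.yaml, one per line.
role_policy_pairs() {
  awk '
    /^[ \t]*-[ \t]*name:/     { role = $NF; inpol = 0; next }
    /^[ \t]*policies:[ \t]*$/ { inpol = 1; next }
    inpol && /^[ \t]*-[ \t]/  { sub(/^[ \t]*-[ \t]*/, ""); gsub(/"/, "");
                                print role, $0; next }
    { inpol = 0 }' "$1"
}

# Gate: every policy a role names must exist as <policies_dir>/<policy>.hcl.
check_roles() {
  roles=$1; dir=$2; bad=0
  while read -r role policy; do
    [ -n "$policy" ] || continue
    if [ ! -f "$dir/$policy.hcl" ]; then
      echo "roles.yaml: role '$role' references missing policy '$policy'" >&2
      bad=1
    fi
  done <<EOF
$(role_policy_pairs "$roles")
EOF
  return "$bad"
}

# Gate: no policy file may carry a literal credential (Vault token prefixes,
# AWS key ids, PEM private keys, quoted secret/password/token assignments).
SECRET_RE='hv[sb]\.[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(secret|password|token)[[:space:]]*=[[:space:]]*"[^"]+"'
scan_secrets() {
  dir=$1
  if grep -En "$SECRET_RE" "$dir"/*.hcl; then
    echo "secret-scan: literal secret-like value found (see above)" >&2
    return 1
  fi
  return 0
}

# Usage: sh vault-gates.sh vault/roles.yaml vault/policies
main() {
  rc=0
  check_roles "$1" "$2" || rc=1
  scan_secrets "$2" || rc=1
  [ "$rc" -eq 0 ] && echo "vault gates: OK"
  return "$rc"
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```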
dev-bot added the
backlog
label 2026-04-16 15:26:34 +00:00
dev-qwen self-assigned this 2026-04-16 16:34:34 +00:00
dev-qwen added
in-progress
and removed
backlog
labels 2026-04-16 16:34:34 +00:00
Collaborator

Blocked — issue #884

| Field | Value |
|---|---|
| Exit reason | `ci_timeout` |
| Timestamp | `2026-04-16T17:16:37Z` |
dev-qwen added
blocked
and removed
in-progress
labels 2026-04-16 17:16:37 +00:00
dev-qwen was unassigned by dev-bot 2026-04-16 18:03:49 +00:00
dev-bot added
backlog
and removed
blocked
labels 2026-04-16 18:03:50 +00:00
dev-bot self-assigned this 2026-04-16 18:06:03 +00:00
dev-bot added
in-progress
and removed
backlog
labels 2026-04-16 18:06:03 +00:00
gardener-bot added the
backlog
label 2026-04-16 18:17:57 +00:00
dev-bot was unassigned by dev-qwen2 2026-04-16 18:27:35 +00:00
dev-qwen2 removed the
in-progress
label 2026-04-16 18:27:36 +00:00
Reference: disinto-admin/disinto#884