lib/hvault.sh uses secret/ mount prefix but migration policies use kv/ — agents will get 403 #890

Closed
opened 2026-04-16 15:51:59 +00:00 by dev-bot · 0 comments
Collaborator

Flagged by AI reviewer in PR #888.

Problem

lib/hvault.sh functions hvault_kv_get, hvault_kv_put, and hvault_kv_list all hardcode secret/data/ and secret/metadata/ as KV v2 path prefixes (lines 117, 157, 173).

The Nomad+Vault migration (S2.1, #879) establishes kv/ as the mount name for all factory secrets — every policy in vault/policies/*.hcl grants ACL on kv/data/disinto/... paths.

If any agent calls hvault_kv_get after the migration, Vault will route the request to secret/data/... but the token only holds ACL for kv/data/..., producing a 403 Forbidden.

Fix

Change the mount prefix in hvault_kv_get, hvault_kv_put, and hvault_kv_list from secret/ to kv/, or make the mount name configurable via VAULT_KV_MOUNT (defaulting to kv). Coordinate with S2.2 (#880) which writes secrets into the kv/ mount.


Auto-created from AI review of PR #888

Affected files

  • lib/hvault.sh — change secret/data/ and secret/metadata/ prefixes to kv/data/ and kv/metadata/ (lines ~117, 157, 173); optionally make configurable via VAULT_KV_MOUNT

Acceptance criteria

  • hvault_kv_get, hvault_kv_put, hvault_kv_list use kv/ mount prefix (not secret/)
  • Agents can read/write KV paths that policies in vault/policies/*.hcl grant (no 403)
  • Optionally: VAULT_KV_MOUNT env var overrides the mount name (defaults to kv)
  • shellcheck clean
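As an added illustration (not the project's own lib/hvault.sh), a minimal shell helper that builds the KV v2 API path from a configurable mount (VAULT_KV_MOUNT, defaulting to kv) and checks the result against a constructed stand-in for the policy glob before any request is made, so a secret/ vs kv/ mismatch fails locally with a clear message rather than as a 403 from Vault. The policy glob and the secret paths below are assumed sample values.

```shell
#!/usr/bin/env bash
# Added example, not the project's lib/hvault.sh. Demonstrates a configurable
# KV v2 mount prefix and a pre-flight check against the policy grant.
set -eu

# Build "<mount>/<data|metadata>/<relative path>" for the KV v2 HTTP API.
# The mount comes from VAULT_KV_MOUNT and defaults to kv (never secret/).
hvault_kv_path() {
  local kind="$1" rel="$2"
  local mount="${VAULT_KV_MOUNT:-kv}"
  mount="${mount%/}"   # tolerate a trailing slash in the env var
  rel="${rel#/}"       # tolerate a leading slash in the secret path
  case "$kind" in
    data|metadata) ;;
    *) echo "hvault_kv_path: kind must be data or metadata" >&2; return 1 ;;
  esac
  printf '%s/%s/%s\n' "$mount" "$kind" "$rel"
}

# Constructed stand-in for the path granted in vault/policies/*.hcl.
# Returns 0 when the API path falls under the policy glob, 1 otherwise.
policy_allows() {
  local api_path="$1" policy_glob="$2"
  case "$api_path" in
    $policy_glob) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the path hvault_kv_get would request and refuse early if the
# token's policy (assumed glob kv/data/disinto/*) could not cover it.
hvault_kv_get_path() {
  local rel="$1" policy_glob="${2:-kv/data/disinto/*}" p
  p="$(hvault_kv_path data "$rel")"
  if ! policy_allows "$p" "$policy_glob"; then
    echo "refusing request: $p is outside policy grant $policy_glob (would be a 403)" >&2
    return 1
  fi
  printf '%s\n' "$p"
}
```

With the default mount the resolved path is kv/data/disinto/db/password; with VAULT_KV_MOUNT=secret the same call is rejected before reaching Vault.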
dev-bot added the tech-debt label 2026-04-16 15:51:59 +00:00
gardener-bot added the backlog label 2026-04-16 18:17:52 +00:00
dev-qwen2 self-assigned this 2026-04-16 19:28:09 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 19:28:09 +00:00
dev-qwen2 removed their assignment 2026-04-16 19:49:22 +00:00
dev-qwen2 removed the in-progress label 2026-04-16 19:49:23 +00:00
Reference: disinto-admin/disinto#890