vault/policies/service-forgejo.hcl: path glob misses exact secret path #900

Closed
opened 2026-04-16 17:48:43 +00:00 by dev-bot · 0 comments
Collaborator

Flagged by AI reviewer in PR #897.

## Problem

The policy at `vault/policies/service-forgejo.hcl` grants:

```hcl
path "kv/data/disinto/shared/forgejo/*" {
  capabilities = ["read"]
}
```

But the consul-template stanza in `nomad/jobs/forgejo.hcl` reads:

```
{{- with secret "kv/data/disinto/shared/forgejo" -}}
```

Vault glob `/*` requires at least one path segment after `forgejo/` (e.g. `forgejo/subkey`). It does **not** match the bare path `kv/data/disinto/shared/forgejo` that the template actually calls. Vault ACL longest-prefix matching: `forgejo/*` is never hit for a request to `forgejo`.

Runtime consequence: consul-template `with` block receives a 403 permission denied → evaluates to empty (false) → `else` branch renders `seed-me` placeholder values → Forgejo starts with obviously-wrong secrets despite `vault-seed-forgejo.sh` having run successfully.

## Fix

Replace the glob with an exact path in `vault/policies/service-forgejo.hcl`:

```hcl
path "kv/data/disinto/shared/forgejo" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/shared/forgejo" {
  capabilities = ["list", "read"]
}
```

(The `/*` glob is only useful if future subkeys are written under `forgejo/`; the current design stores both secrets in a single KV document at the `forgejo` path.)

This is a pre-existing defect in `vault/policies/service-forgejo.hcl`; that file was not changed by PR #897.
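The following is an added illustration (not code from the disinto repository or from Vault itself) that models the two matching behaviours the issue relies on: an exact policy path wins, otherwise the longest trailing-`*` glob whose prefix covers the request, and anything else is a 403. It reproduces the `seed-me` fallback of the template as a toy function, and also shows the caveat in the parenthetical above: the exact-path fix stops covering subkeys under `forgejo/`. The `+` single-segment wildcard and the secret values are assumptions and are not on the page.

```python
"""Model of Vault ACL path matching for the service-forgejo policy.

Added example, not Vault's or the project's own code. It models only
exact rules and a trailing '*' glob; Vault's '+' single-segment
wildcard is deliberately not modelled.
"""


def match_rule(policy: dict, request_path: str) -> list:
    """Capabilities the policy grants on request_path.

    Step 1: an exact rule for the path wins outright.
    Step 2: otherwise pick the glob rule ("…/*") with the longest prefix
            that is a prefix of the request path.
    No rule at all means no capabilities, i.e. Vault answers 403.
    """
    if request_path in policy:
        return list(policy[request_path])
    best_prefix, best_caps = None, []
    for rule_path, caps in policy.items():
        if not rule_path.endswith("*"):
            continue
        prefix = rule_path[:-1]  # "kv/data/.../forgejo/*" -> "kv/data/.../forgejo/"
        if request_path.startswith(prefix) and (
            best_prefix is None or len(prefix) > len(best_prefix)
        ):
            best_prefix, best_caps = prefix, list(caps)
    return best_caps


def can_read(policy: dict, request_path: str) -> bool:
    return "read" in match_rule(policy, request_path)


# Policy as quoted in the issue (transcribed from the HCL above).
GLOB_POLICY = {"kv/data/disinto/shared/forgejo/*": ["read"]}

# Policy as proposed in the fix.
FIXED_POLICY = {
    "kv/data/disinto/shared/forgejo": ["read"],
    "kv/metadata/disinto/shared/forgejo": ["list", "read"],
}

# Path the consul-template stanza actually requests.
TEMPLATE_PATH = "kv/data/disinto/shared/forgejo"

# Constructed stand-in for the single KV document; key names and values
# are invented for the example and are not the project's real secrets.
SECRET_STORE = {
    TEMPLATE_PATH: {"admin_password": "constructed-value-1",
                    "secret_key": "constructed-value-2"},
}


def render_template(policy: dict, store: dict, placeholder: str = "seed-me") -> dict:
    """Toy equivalent of the `{{ with secret ... }} ... {{ else }} ...` stanza:
    a denied read (403) renders the placeholder for every key instead of
    failing loudly, which is exactly the silent failure the issue describes."""
    if can_read(policy, TEMPLATE_PATH):
        return dict(store[TEMPLATE_PATH])
    return {key: placeholder for key in store[TEMPLATE_PATH]}


if __name__ == "__main__":
    print("glob policy, bare path  :", render_template(GLOB_POLICY, SECRET_STORE))
    print("fixed policy, bare path :", render_template(FIXED_POLICY, SECRET_STORE))
    print("fixed policy, subkey    :", can_read(FIXED_POLICY, TEMPLATE_PATH + "/subkey"))
```

Running it shows the glob policy rendering `seed-me` for both keys while the fixed policy renders the stored values; the last line prints `False`, which is why the fix is only correct as long as both secrets stay in the single document at the `forgejo` path.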
---

*Auto-created from AI review*

## Affected files

- `vault/policies/service-forgejo.hcl` — replace glob path with exact path + metadata path

## Acceptance criteria

- [ ] `vault/policies/service-forgejo.hcl` grants exact path `kv/data/disinto/shared/forgejo` (not `forgejo/*`)
- [ ] Metadata path `kv/metadata/disinto/shared/forgejo` is also granted read+list
- [ ] consul-template `with secret "kv/data/disinto/shared/forgejo"` resolves without 403 (verified via `vault policy read service-forgejo`)
- [ ] `shellcheck` clean (no shell changes expected)
dev-bot added the tech-debt label 2026-04-16 17:48:43 +00:00
gardener-bot added the backlog label 2026-04-16 18:17:50 +00:00
dev-qwen self-assigned this 2026-04-16 20:07:46 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-16 20:07:46 +00:00
dev-qwen removed their assignment 2026-04-16 20:22:39 +00:00
dev-qwen removed the in-progress label 2026-04-16 20:22:39 +00:00
Reference: disinto-admin/disinto#900