[nomad-step-2] S2-fix-B — extract _hvault_default_env helper to lib/hvault.sh (prereq for other S2 fixes) #919

Closed
opened 2026-04-16 21:10:33 +00:00 by dev-bot · 1 comment
Part of the Nomad+Vault migration. Step-2 sub-bugfix (1/4). Replaces part of the consolidated #912.

Goal

Extract the VAULT_ADDR + VAULT_TOKEN default-to-local-cluster fallback into a single shared helper in lib/hvault.sh, callable from every Vault-touching script.

Why

disinto init --backend=nomad writes /etc/profile.d/disinto-nomad.sh but doesn't source it in the current process. Downstream scripts (vault-apply-policies.sh, vault-import.sh, vault-nomad-auth.sh, vault-apply-roles.sh) error "VAULT_ADDR not set" on the first invocation. Operators work around it by manually exporting, but the hero command should Just Work.

The previous attempt at this fix (#917, #918) failed the duplicate-detection CI gate because dev-qwen2 copy-pasted the defaulting block into two places. One shared helper, one call site per script.

Scope

In lib/hvault.sh

Add a function near the top (before any other function definitions):

```bash
# Ensure VAULT_ADDR and VAULT_TOKEN are set for local-cluster operation.
# Safe to call multiple times; no-op if both are already exported.
# Reads VAULT_TOKEN from /etc/vault.d/root.token if the file is readable.
_hvault_default_env() {
  : "${VAULT_ADDR:=http://127.0.0.1:8200}"
  export VAULT_ADDR
  if [ -z "${VAULT_TOKEN:-}" ] && [ -r /etc/vault.d/root.token ]; then
    VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
    export VAULT_TOKEN
  fi
}
```

Call sites that must replace any inline defaulting with a sourced call

  • tools/vault-apply-policies.sh — at the top after set -euo pipefail, add source "$(dirname "$0")/../lib/hvault.sh" && _hvault_default_env.
  • tools/vault-import.sh — same.
  • tools/vault-apply-roles.sh — same.
  • lib/init/nomad/vault-nomad-auth.sh — same (adjust relative path to ../../lib/hvault.sh).
  • Any other script that reads/writes Vault.

Inline VAULT_ADDR="${VAULT_ADDR:-...}" / cat /etc/vault.d/root.token blocks must be removed from the above files — they are now the shared helper's job.

Acceptance criteria

  • grep -R 'VAULT_ADDR=\${VAULT_ADDR' tools/ lib/init/nomad/ returns no matches (the helper is the only place with a default).
  • grep -R '/etc/vault.d/root.token' tools/ lib/init/nomad/ lib/hvault.sh | wc -l shows exactly 1 (the helper).
  • .woodpecker/ci.yml's duplicate-detection step passes.
  • disinto init --backend=nomad --empty works without any pre-exported VAULT_* env vars.
  • shellcheck clean.

Non-goals

  • Not changing the Vault-touching logic of any script — pure refactor.
  • Not adding other helpers to lib/hvault.sh — just this one function.

Labels / meta

  • [nomad-step-2] S2-fix-B — no dependencies. Prerequisite for S2-fix-A.

Resolved by merged PR #923 (merge commit cfe1ef95) which landed all 4 sub-issue fixes at once. Closing as superseded.

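The helper and call-site pattern the issue prescribes, exercised end to end as an added example (this is not code from the disinto repository or from PR #923). It copies `_hvault_default_env` as posted above and wraps it so its three cases can be observed: a fresh environment, a token already in the environment, and an unreadable token file. Assumptions: `HVAULT_ROOT_TOKEN_FILE` is a hypothetical override of the token path, used only so the demo runs without `/etc/vault.d/root.token` (the issue's helper hard-codes that path); `hvault_probe`, `hvault_require_token` and the sample token are the example's own, and the token file content is constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the disinto repository: a copy of the
# _hvault_default_env helper from this issue, wrapped so its cases
# (fresh env, token already set, token file unreadable) can be checked.
# Assumption: HVAULT_ROOT_TOKEN_FILE is a hypothetical override of the
# token path, used only so this demo runs without /etc/vault.d/root.token;
# the issue's helper hard-codes that path.
set -eu

_hvault_default_env() {
  local token_file="${HVAULT_ROOT_TOKEN_FILE:-/etc/vault.d/root.token}"
  : "${VAULT_ADDR:=http://127.0.0.1:8200}"
  export VAULT_ADDR
  # Only consult the file when no token was handed in and the file is
  # readable by this user; otherwise VAULT_TOKEN is left exactly as it was.
  if [ -z "${VAULT_TOKEN:-}" ] && [ -r "$token_file" ]; then
    # Command substitution strips the trailing newline most token files end with.
    VAULT_TOKEN="$(cat "$token_file")"
    export VAULT_TOKEN
  fi
}

# Run the helper in a subshell with a controlled environment and print
# "<VAULT_ADDR> <VAULT_TOKEN>", with "<unset>" standing in for an empty value.
# Usage: hvault_probe <token_file> [NAME=value ...]
hvault_probe() {
  local token_file="$1"
  shift
  (
    unset VAULT_ADDR VAULT_TOKEN
    for kv in "$@"; do export "$kv"; done
    export HVAULT_ROOT_TOKEN_FILE="$token_file"
    _hvault_default_env
    printf '%s %s\n' "${VAULT_ADDR:-<unset>}" "${VAULT_TOKEN:-<unset>}"
  )
}

# The example's own guard for a call site that needs a token (the issue keeps
# lib/hvault.sh to the one helper, so this belongs in the calling script):
# the helper stays silent when root.token is unreadable, so fail early here.
hvault_require_token() {
  [ -n "${VAULT_TOKEN:-}" ] || {
    echo "VAULT_TOKEN not set and no readable root.token" >&2
    return 1
  }
}

demo() {
  local dir
  dir="$(mktemp -d)"
  # Constructed sample token; a real root.token holds a Vault root token.
  printf 'hvs.constructed-demo-token\n' > "$dir/root.token"
  chmod 0600 "$dir/root.token"
  hvault_probe "$dir/root.token"                           # fresh env: both defaulted
  hvault_probe "$dir/root.token" VAULT_TOKEN=preset-token  # existing token kept, file not read
  hvault_probe "$dir/missing.token"                        # unreadable file: token left unset
  hvault_probe "$dir/root.token" VAULT_ADDR=https://vault.internal:8200  # existing addr kept
  rm -rf "$dir"
}

demo
```

The third probe is the case worth remembering: when the token file is missing or not readable by the invoking user, the helper exports `VAULT_ADDR` but leaves `VAULT_TOKEN` empty, so a script that needs a token still fails at its first Vault call unless it checks, as `hvault_require_token` does here. The second probe shows the helper never overrides a token the operator exported, which is what makes the `source ... && _hvault_default_env` line safe to run unconditionally at the top of every tool.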
dev-bot added the backlog label 2026-04-16 21:10:33 +00:00
dev-qwen self-assigned this 2026-04-16 21:11:03 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-16 21:11:03 +00:00
Blocked — issue #919

| Field | Value |
|---|---|
| Exit reason | `closed_externally` |
| Timestamp | `2026-04-16T21:31:31Z` |
dev-qwen added blocked and removed in-progress labels 2026-04-16 21:31:31 +00:00
Reference: disinto-admin/disinto#919