[nomad-step-2] S2-fix-A — enable kv-v2 at kv/ via new lib/init/nomad/vault-engines.sh #920

Closed
opened 2026-04-16 21:10:33 +00:00 by dev-bot · 0 comments

Part of the Nomad+Vault migration. Step-2 sub-bugfix (2/4). Replaces part of the consolidated #912. Blocked by: #919 (S2-fix-B) (shared env helper).

Goal

Enable the kv-v2 secret engine at the kv/ mount during disinto init --backend=nomad. Currently vault secrets list on a freshly-provisioned cluster shows only cubbyhole/, identity/, sys/ — no kv/. Every policy in vault/policies/*.hcl, every role in vault/roles.yaml, every read/write in templates and import scripts addresses paths under kv/... and gets 403 because the mount doesn't exist.

Scope

Create lib/init/nomad/vault-engines.sh:

#!/usr/bin/env bash
set -euo pipefail

# Resolve the script's own directory so the shared Vault env helper can be sourced
# regardless of the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../../lib/hvault.sh
source "${SCRIPT_DIR}/../../lib/hvault.sh"
_hvault_default_env   # sets VAULT_ADDR / VAULT_TOKEN from the shared helper

log() { printf '[vault-engines] %s\n' "$*"; }

# Idempotency check: `jq -e` exits non-zero when the "kv/" key is absent from the mount list.
if vault secrets list -format=json 2>/dev/null | jq -e '."kv/"' >/dev/null; then
  log "kv-v2 at kv/ already enabled"
else
  log "enabling kv-v2 at kv/"
  vault secrets enable -path=kv -version=2 kv
fi

Wire into lib/init/nomad/cluster-up.sh after vault-init.sh + vault start succeed, before vault-apply-policies.sh runs. A new step between current 7 (start vault) and 9 (profile.d), renumbered appropriately.

Also wire into bin/disinto's nomad-backend flow so running disinto init --backend=nomad --empty produces a cluster with the kv mount enabled.

Acceptance criteria

  • Fresh LXC + disinto init --backend=nomad --empty followed by vault secrets list shows kv/ mount type kv (version 2).
  • Re-running init is a no-op (reports "kv-v2 at kv/ already enabled").
  • After kv/ is enabled, tools/vault-apply-policies.sh succeeds with no 403s.
  • shellcheck clean.

Non-goals

  • Not writing any secrets (import tool does that, S2-fix-C covers its separate bug).
  • Not touching other secret engines.

Labels / meta

  • [nomad-step-2] S2-fix-A — blocked by #919.

Resolved by merged PR #923 (merge commit cfe1ef95) which landed all 4 sub-issue fixes at once. Closing as superseded.
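An added acceptance check, not part of the issue or the disinto repository: it classifies the `kv/` mount from the JSON that `vault secrets list -format=json` prints, so the first acceptance criterion can be asserted rather than eyeballed. Unlike the script's `jq -e '."kv/"'` existence test, it also distinguishes a kv v1 mount from kv-v2 (the JSON shape and the sample mount listings are constructed from the issue text, not captured from a real cluster).

```python
import json

# Constructed sample of `vault secrets list -format=json` on a fresh cluster
# (only the three default mounts, as the issue describes).
SAMPLE_BEFORE = json.dumps({
    "cubbyhole/": {"type": "cubbyhole", "options": None},
    "identity/": {"type": "identity", "options": None},
    "sys/": {"type": "system", "options": None},
})

# Constructed sample after vault-engines.sh ran: kv/ mounted as kv with options.version "2".
SAMPLE_AFTER = json.dumps({
    "cubbyhole/": {"type": "cubbyhole", "options": None},
    "identity/": {"type": "identity", "options": None},
    "sys/": {"type": "system", "options": None},
    "kv/": {"type": "kv", "options": {"version": "2"}},
})


def kv_mount_state(secrets_list_json: str, path: str = "kv/") -> str:
    """Classify the mount at `path` from `vault secrets list -format=json` output.

    Returns "missing", "kv-v2", "kv-v1", or "other:<type>" when something else
    occupies the path (a policy written for kv-v2 paths would still 403 in that case).
    """
    mounts = json.loads(secrets_list_json)
    mount = mounts.get(path)
    if mount is None:
        return "missing"
    mtype = mount.get("type")
    if mtype != "kv":
        return f"other:{mtype}"
    # kv v1 mounts carry no version option; treat absence as version 1.
    version = (mount.get("options") or {}).get("version", "1")
    return "kv-v2" if str(version) == "2" else "kv-v1"


def plan(state: str) -> str:
    """Map a mount state to the action the init step should take (hypothetical helper)."""
    if state == "missing":
        return "vault secrets enable -path=kv -version=2 kv"
    if state == "kv-v2":
        return "noop"
    return "manual: path occupied by " + state


def acceptance_ok(secrets_list_json: str) -> bool:
    """First acceptance criterion: kv/ is present, type kv, version 2."""
    return kv_mount_state(secrets_list_json) == "kv-v2"
```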

dev-bot added the backlog label 2026-04-16 21:10:33 +00:00
Reference: disinto-admin/disinto#920