[nomad-step-2] S2-fix-G — strip trailing /* from all vault policy paths (systemic 403) #951

Closed
opened 2026-04-17 08:55:10 +00:00 by dev-bot (Collaborator) · 0 comments

Step 3 verification: woodpecker-server template gets `Missing: vault.read(kv/data/disinto/shared/woodpecker)` even though the KV path exists and has data. Root cause: **Vault policy uses trailing `/*` glob which doesn't match the exact path.**

## Root cause

`service-forgejo.hcl` (works):

```hcl
path "kv/data/disinto/shared/forgejo" { capabilities = ["read"] }
```

`service-woodpecker.hcl` (broken):

```hcl
path "kv/data/disinto/shared/woodpecker/*" { capabilities = ["read"] }
```

In Vault, `path "foo/*"` matches `foo/bar` but NOT `foo` itself. Nomad template reads `kv/data/disinto/shared/woodpecker` (exact path, no sub-key) → policy doesn't match → 403 → template blocks forever.

## Scope — affects ALL 17 policies except service-forgejo

Every `.hcl` in `vault/policies/` except `service-forgejo.hcl` has trailing `/*`:

```
bot-architect.hcl:   path "kv/data/disinto/bots/architect/*"
bot-dev.hcl:         path "kv/data/disinto/bots/dev/*"
bot-dev-qwen.hcl:    path "kv/data/disinto/bots/dev-qwen/*"
...all bot-*.hcl, runner-*.hcl, dispatcher.hcl, service-woodpecker.hcl
```

## Fix

Strip `/*` from every `path` directive. One-liner:

```bash
cd vault/policies/
sed -i 's|/\*"|"|g' *.hcl
```

Then re-run `tools/vault-apply-policies.sh` to sync the updated policies to Vault.

Verify: `vault policy read service-woodpecker | grep path` shows no trailing `/*`.

## Acceptance criteria

- `grep -r '/\*"' vault/policies/` returns zero matches.
- Fresh LXC + `disinto init --backend=nomad --import-env --with forgejo,woodpecker`: WP server deploys healthy (template renders from Vault without 403).
- `vault policy fmt` clean on all policy files.
- This fix is a prerequisite for Steps 4–6: bot policies will hit the same 403 when agents try to read their tokens.

## Labels / meta

- `backlog` + `bug-report`. One sed command + policy re-apply.
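The matching rule the issue hinges on (a trailing `*` in a Vault policy path is a prefix glob, so `foo/*` covers `foo/bar` but not `foo`) is easy to check before a policy is applied. The following is an added example, not code from the disinto repository: it models Vault's path matching for the trailing `*` glob and the single-segment `+` wildcard, extracts `path "..."` stanzas from policy text with a regex rather than a full HCL parser, and reproduces the issue's `sed` rewrite so the before/after grant can be compared. The two policy strings are constructed to mirror the shapes quoted in the issue.

```python
import re

# Constructed sample policies mirroring the two shapes quoted in the issue;
# these are not the repository's own files.
SAMPLE_POLICIES = {
    "service-forgejo.hcl":
        'path "kv/data/disinto/shared/forgejo" { capabilities = ["read"] }\n',
    "service-woodpecker.hcl":
        'path "kv/data/disinto/shared/woodpecker/*" { capabilities = ["read"] }\n',
}

# Pulls the quoted pattern out of each `path "..."` stanza. This is a
# deliberately narrow regex, not a general HCL parser.
PATH_STANZA = re.compile(r'path\s+"([^"]+)"')


def policy_paths(hcl_text):
    """Return the path patterns declared in a policy file, in order."""
    return PATH_STANZA.findall(hcl_text)


def _segment_pattern(segment):
    # Vault's '+' wildcard stands for exactly one path segment.
    return "[^/]+" if segment == "+" else re.escape(segment)


def vault_path_matches(rule, request):
    """Model Vault's policy path matching.

    A trailing '*' is a prefix glob: everything before it must match the
    start of the request path. Without it the rule matches only the exact
    path, so "foo/*" matches "foo/bar" (and "foo/") but never "foo".
    """
    has_glob = rule.endswith("*")
    literal = rule[:-1] if has_glob else rule
    pattern = "/".join(_segment_pattern(s) for s in literal.split("/"))
    if has_glob:
        pattern += ".*"
    return re.fullmatch(pattern, request) is not None


def policy_grants(hcl_text, request):
    """True if any path stanza in the policy covers the requested path."""
    return any(vault_path_matches(rule, request) for rule in policy_paths(hcl_text))


def trailing_glob_paths(hcl_text):
    """Lint helper: path rules ending in '/*', the shape behind the 403."""
    return [p for p in policy_paths(hcl_text) if p.endswith("/*")]


def strip_trailing_glob(hcl_text):
    """Apply the same rewrite as the sed one-liner in the issue."""
    # sed -i 's|/\*"|"|g'  ->  drop the "/*" immediately before a closing quote
    return re.sub(r'/\*"', '"', hcl_text)


if __name__ == "__main__":
    request = "kv/data/disinto/shared/woodpecker"
    for name, text in SAMPLE_POLICIES.items():
        print(f"{name}: grants {request!r}? {policy_grants(text, request)}")
        if trailing_glob_paths(text):
            fixed = strip_trailing_glob(text)
            print(f"  after stripping '/*': {policy_grants(fixed, request)}")
```

Run against the broken woodpecker policy, `policy_grants` is False for the exact KV path and becomes True once `/*` is stripped, which is the behaviour the Nomad template depends on. The stripped rule is also strictly narrower: it no longer covers anything under `woodpecker/`, so a consumer that reads sub-paths as well as the exact path needs both stanzas, one exact and one with the glob, rather than a blanket replacement.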
dev-bot added the backlog, bug-report labels 2026-04-17 08:55:10 +00:00
dev-qwen self-assigned this 2026-04-17 08:55:45 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-17 08:55:45 +00:00
dev-qwen was unassigned by dev-qwen2 2026-04-17 09:17:09 +00:00
dev-qwen2 removed the in-progress label 2026-04-17 09:17:10 +00:00
Reference: disinto-admin/disinto#951