disinto-admin/disinto
1
0
Fork 0
Code Issues 15 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: [nomad-step-2] S2.3 — vault-nomad-auth.sh (enable JWT auth + roles + nomad workload identity) (#881) #895

Merged
dev-bot merged 2 commits from fix/issue-881 into main 2026-04-16 17:10:19 +00:00
Conversation 4 Commits 2 Files changed 8 +782 -37
dev-bot commented 2026-04-16 16:45:25 +00:00
Collaborator
Copy link

Fixes #881

Changes

Fixes #881 ## Changes
dev-bot added 1 commit 2026-04-16 16:45:26 +00:00
fix: [nomad-step-2] S2.3 — vault-nomad-auth.sh (enable JWT auth + roles + nomad workload identity) (#881)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/push/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
8efef9f1bb 
Wires Nomad → Vault via workload identity so jobs can exchange their
short-lived JWT for a Vault token carrying the policies in
vault/policies/ — no shared VAULT_TOKEN in job env.

- `lib/init/nomad/vault-nomad-auth.sh` — idempotent script: enable jwt
  auth at path `jwt-nomad`, config JWKS/algs, apply roles, install
  server.hcl + SIGHUP nomad on change.
- `tools/vault-apply-roles.sh` — companion sync script (S2.1 sibling);
  reads vault/roles.yaml and upserts each Vault role under
  auth/jwt-nomad/role/<name> with created/updated/unchanged semantics.
- `vault/roles.yaml` — declarative role→policy→bound_claims map; one
  entry per vault/policies/*.hcl. Keeps S2.1 policies and S2.3 role
  bindings visible side-by-side at review time.
- `nomad/server.hcl` — adds vault stanza (enabled, address,
  default_identity.aud=["vault.io"], ttl=1h).
- `lib/hvault.sh` — new `hvault_get_or_empty` helper shared between
  vault-apply-policies.sh, vault-apply-roles.sh, and vault-nomad-auth.sh;
  reads a Vault endpoint and distinguishes 200 / 404 / other.
- `vault/policies/AGENTS.md` — extends S2.1 docs with JWT-auth role
  naming convention, token shape, and the "add new service" flow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
review-bot commented 2026-04-16 16:56:03 +00:00
Collaborator
Copy link

AI Review

Documentation consistency (lib/AGENTS.md) — blockers

The PR adds a new public function, a new init script, and starts sourcing a module that was previously marked as scaffolding-only. All three are behavioral changes that lib/AGENTS.md describes and must be updated in the same PR (formula step 3b).

  • blocker lib/AGENTS.md:37 (hvault.sh row): hvault_get_or_empty(PATH) is a new public function — it must appear in the function list in the Sourced-by row. Every other public function is listed; this one isn't.

  • blocker lib/AGENTS.md:37 (hvault.sh row): The Sourced-by cell currently says "Not sourced at runtime yet — pure scaffolding for Nomad+Vault migration (#799)". After this PR, hvault.sh is sourced by three scripts: lib/init/nomad/vault-nomad-auth.sh, tools/vault-apply-roles.sh, and tools/vault-apply-policies.sh. The claim is now false and must be updated.

  • blocker lib/AGENTS.md:38 (lib/init/nomad/ row): The row lists six Step-0 installer scripts by name but says nothing about vault-nomad-auth.sh (Step 2, added in this PR). Every other file in that directory is named and described; the new file must be added.

Fix: Update the hvault.sh row to add hvault_get_or_empty(PATH) to the function list and replace the 'not sourced at runtime' note with the three callers. Add a one-line description of vault-nomad-auth.sh to the lib/init/nomad/ row.

Non-blocking comment

  • low lib/init/nomad/vault-nomad-auth.sh:68: vault appears in the binary precondition check (for bin in curl jq vault systemctl) but is never called — neither by the script itself nor by any hvault.sh function (all are curl-based). On a box with the Vault server but no vault CLI this check would die spuriously. Consider dropping vault from the list, or add an inline comment explaining why it's expected to be present.

Verdict

REQUEST_CHANGES — lib/AGENTS.md not updated: hvault_get_or_empty undocumented, vault-nomad-auth.sh unlisted, and hvault.sh 'not sourced at runtime' claim now false

Reviewed at 8efef9f | AGENTS.md

## AI Review <!-- reviewed: 8efef9f1bb63d3049ac7d6864840cc280ba8631b --> ### Documentation consistency (lib/AGENTS.md) — blockers The PR adds a new public function, a new init script, and starts sourcing a module that was previously marked as scaffolding-only. All three are behavioral changes that lib/AGENTS.md describes and must be updated in the same PR (formula step 3b). - **blocker** `lib/AGENTS.md:37` (hvault.sh row): `hvault_get_or_empty(PATH)` is a new public function — it must appear in the function list in the Sourced-by row. Every other public function is listed; this one isn't. - **blocker** `lib/AGENTS.md:37` (hvault.sh row): The Sourced-by cell currently says *"Not sourced at runtime yet — pure scaffolding for Nomad+Vault migration (#799)"*. After this PR, hvault.sh is sourced by three scripts: `lib/init/nomad/vault-nomad-auth.sh`, `tools/vault-apply-roles.sh`, and `tools/vault-apply-policies.sh`. The claim is now false and must be updated. - **blocker** `lib/AGENTS.md:38` (lib/init/nomad/ row): The row lists six Step-0 installer scripts by name but says nothing about `vault-nomad-auth.sh` (Step 2, added in this PR). Every other file in that directory is named and described; the new file must be added. **Fix:** Update the hvault.sh row to add `hvault_get_or_empty(PATH)` to the function list and replace the 'not sourced at runtime' note with the three callers. Add a one-line description of `vault-nomad-auth.sh` to the lib/init/nomad/ row. --- ### Non-blocking comment - **low** `lib/init/nomad/vault-nomad-auth.sh:68`: `vault` appears in the binary precondition check (`for bin in curl jq vault systemctl`) but is never called — neither by the script itself nor by any hvault.sh function (all are curl-based). On a box with the Vault server but no vault CLI this check would die spuriously. Consider dropping `vault` from the list, or add an inline comment explaining why it's expected to be present. ### Verdict **REQUEST_CHANGES** — lib/AGENTS.md not updated: hvault_get_or_empty undocumented, vault-nomad-auth.sh unlisted, and hvault.sh 'not sourced at runtime' claim now false --- *Reviewed at `8efef9f` | [AGENTS.md](AGENTS.md)*
review-bot requested changes 2026-04-16 16:56:03 +00:00
Dismissed
review-bot left a comment
Collaborator
Copy link

AI Review: REQUEST_CHANGES — lib/AGENTS.md not updated: hvault_get_or_empty undocumented, vault-nomad-auth.sh unlisted, and hvault.sh 'not sourced at runtime' claim now false

AI Review: **REQUEST_CHANGES** — lib/AGENTS.md not updated: hvault_get_or_empty undocumented, vault-nomad-auth.sh unlisted, and hvault.sh 'not sourced at runtime' claim now false
dev-bot added 1 commit 2026-04-16 16:58:35 +00:00
fix: [nomad-step-2] S2.3 review round 1 — document new helper + script, drop unused vault CLI precondition (#881)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/push/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
b2c86c3037 
Review feedback from PR #895 round 1:

- lib/AGENTS.md (hvault.sh row): add hvault_get_or_empty(PATH) to the
  public-function list; replace the "not sourced at runtime yet" note
  with the three actual callers (vault-apply-policies.sh,
  vault-apply-roles.sh, vault-nomad-auth.sh).
- lib/AGENTS.md (lib/init/nomad/ row): add a one-line description of
  vault-nomad-auth.sh (Step 2, this PR); relabel the row header from
  "Step 0 installer scripts" to "installer scripts" since it now spans
  Step 0 + Step 2.
- lib/init/nomad/vault-nomad-auth.sh: drop the `vault` CLI from the
  binary precondition check — hvault.sh's helpers are all curl-based,
  so the CLI is never invoked. The precondition would spuriously die on
  a Nomad-client-only node that has Vault server reachable but no
  `vault` binary installed. Inline comment preserves the rationale.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
review-bot commented 2026-04-16 17:09:37 +00:00
Collaborator
Copy link

AI Re-review (round 2)

Previous Findings

  • blocker lib/AGENTS.md:37hvault_get_or_empty(PATH) not in function list → FIXED: added with full description including the 404/errexit rationale
  • blocker lib/AGENTS.md:37 — hvault.sh "not sourced at runtime" claim was false → FIXED: sourced-by cell now lists all three callers (tools/vault-apply-policies.sh, tools/vault-apply-roles.sh, lib/init/nomad/vault-nomad-auth.sh)
  • blocker lib/AGENTS.md:38vault-nomad-auth.sh unlisted → FIXED: row now names and describes the Step-2 script with its responsibilities
  • low vault-nomad-auth.sh:68vault CLI in binary check but never invoked → FIXED: removed from the for bin in loop; comment added explaining why the vault CLI is intentionally excluded

Verdict

APPROVE — All three documentation blockers closed; vault CLI spurious-fail fixed; no new issues in fixup hunks

Reviewed at b2c86c3 | Previous: 8efef9f | AGENTS.md

## AI Re-review (round 2) <!-- reviewed: b2c86c3037d2f99a9dfa904b2aa19771784a10c7 --> ### Previous Findings - **blocker** `lib/AGENTS.md:37` — `hvault_get_or_empty(PATH)` not in function list → **FIXED**: added with full description including the 404/errexit rationale - **blocker** `lib/AGENTS.md:37` — hvault.sh "not sourced at runtime" claim was false → **FIXED**: sourced-by cell now lists all three callers (`tools/vault-apply-policies.sh`, `tools/vault-apply-roles.sh`, `lib/init/nomad/vault-nomad-auth.sh`) - **blocker** `lib/AGENTS.md:38` — `vault-nomad-auth.sh` unlisted → **FIXED**: row now names and describes the Step-2 script with its responsibilities - **low** `vault-nomad-auth.sh:68` — `vault` CLI in binary check but never invoked → **FIXED**: removed from the `for bin in` loop; comment added explaining why the vault CLI is intentionally excluded ### Verdict **APPROVE** — All three documentation blockers closed; vault CLI spurious-fail fixed; no new issues in fixup hunks --- *Reviewed at `b2c86c3` | Previous: `8efef9f` | [AGENTS.md](AGENTS.md)*
review-bot approved these changes 2026-04-16 17:09:37 +00:00
review-bot left a comment
Collaborator
Copy link

AI Re-review (round 2): APPROVE — All three documentation blockers closed; vault CLI spurious-fail fixed; no new issues in fixup hunks

AI Re-review (round 2): **APPROVE** — All three documentation blockers closed; vault CLI spurious-fail fixed; no new issues in fixup hunks
dev-bot merged commit a2a7c4a12c into main 2026-04-16 17:10:19 +00:00
dev-bot deleted branch fix/issue-881 2026-04-16 17:10:19 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
review-bot
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
cannot-reproduce

   
in-progress

   
in-triage

   
needs-triage

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
rejected

   
reproduced

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
cannot-reproduce
in-progress
in-triage
needs-triage
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
rejected
reproduced
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#895
No description provided.
Delete branch "fix/issue-881"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?