cli: add -kv-path flag to nomad setup vault #28183
Open
eyupcanakman wants to merge 1 commit into
Conversation
The setup vault command hardcoded the Vault KV mount to "secret" in the generated nomad-workloads policy. Add a -kv-path flag (default "secret") that sets the mount the policy scopes, and reject an empty value.
8eb0183 to 2dee7a7
Description
nomad setup vault generates the nomad-workloads policy with the KV secrets engine mount hardcoded to "secret". Clusters that mount their KV engine somewhere else, like at kv, have to hand-edit the generated policy before it works. The new -kv-path flag sets the mount the policy scopes and defaults to "secret", so runs that leave it off are unchanged.

The flag value replaces the "secret" mount in the embedded policy template, alongside the existing JWT accessor substitution, and the interactive description reflects it too. Passing -kv-path kv scopes the policy under kv/ instead of secret/. An empty or slash-only value is rejected before the command touches Vault.

jrasell confirmed on the issue that a configurable KV path makes sense.
Testing & Reproduction steps
TestSetupVaultCommand_renderVaultPolicy checks that the default mount leaves the policy byte-for-byte unchanged and that a few custom mounts rewrite all four path blocks. TestSetupVaultCommand_Run_emptyKVPath covers the empty-value guard.

I also ran the command against a Vault dev server. With no flag the created policy scopes secret/data as before, and with -kv-path kv it scopes kv/data.

Links
Closes #27915
AI usage
Per contributing/ai.md: I used an AI coding assistant while writing the flag wiring, the renderVaultPolicy helper, and the tests. I reviewed every line, confirmed the default output is unchanged, and verified the generated policy against a local Vault dev server.
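The following Go program is an added illustration of the mechanism the description above outlines: a policy template with four path blocks scoped under one KV mount, a mount substitution performed alongside the JWT accessor substitution, and a guard that rejects empty or slash-only values before anything reaches Vault. It is example code written for this page, not the PR's diff and not Nomad's own renderVaultPolicy; the template text, the placeholder tokens, the function names and the sample accessor auth_jwt_abc123 are all assumptions. It also goes one step beyond the PR's stated check by rejecting Vault policy wildcards (* and +) and whitespace in the mount, since a value like "*" would widen a per-job policy to every mount.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Placeholder tokens in the template. Substituting a dedicated token rather
// than the literal word "secret" guarantees that only the mount is rewritten,
// even if a future template happens to mention "secret" somewhere else.
const (
	kvPathPlaceholder   = "__KV_PATH__"
	accessorPlaceholder = "__ACCESSOR__"
)

// policyTemplate is a constructed stand-in for the embedded nomad-workloads
// policy: four path blocks, all scoped under a single KV mount, using Vault's
// identity templating for the Nomad namespace and job ID. It is not Nomad's
// actual template.
const policyTemplate = `path "__KV_PATH__/data/{{identity.entity.aliases.__ACCESSOR__.metadata.nomad_namespace}}/{{identity.entity.aliases.__ACCESSOR__.metadata.nomad_job_id}}/*" {
  capabilities = ["read"]
}

path "__KV_PATH__/data/{{identity.entity.aliases.__ACCESSOR__.metadata.nomad_namespace}}/{{identity.entity.aliases.__ACCESSOR__.metadata.nomad_job_id}}" {
  capabilities = ["read"]
}

path "__KV_PATH__/metadata/{{identity.entity.aliases.__ACCESSOR__.metadata.nomad_namespace}}/*" {
  capabilities = ["list"]
}

path "__KV_PATH__/metadata/*" {
  capabilities = ["list"]
}
`

// normalizeKVPath trims surrounding whitespace and slashes, rejects values
// that collapse to nothing (empty or slash-only), and, as this example's own
// hardening, rejects Vault policy wildcards, whitespace and quotes so the
// mount can never broaden the path blocks or break out of the quoted path.
func normalizeKVPath(raw string) (string, error) {
	mount := strings.Trim(strings.TrimSpace(raw), "/")
	if mount == "" {
		return "", errors.New("-kv-path must not be empty or consist only of slashes")
	}
	if strings.ContainsAny(mount, "*+ \t\r\n\"") {
		return "", fmt.Errorf("-kv-path %q contains a wildcard, whitespace or quote", raw)
	}
	return mount, nil
}

// renderVaultPolicy substitutes the KV mount and the JWT auth accessor into
// the template. Nested mounts such as "team-a/kv" are allowed; Vault mount
// paths may contain slashes.
func renderVaultPolicy(kvPath, accessor string) (string, error) {
	mount, err := normalizeKVPath(kvPath)
	if err != nil {
		return "", err
	}
	if accessor == "" {
		return "", errors.New("accessor must not be empty")
	}
	r := strings.NewReplacer(kvPathPlaceholder, mount, accessorPlaceholder, accessor)
	return r.Replace(policyTemplate), nil
}

// countPathBlocks reports how many path blocks the rendered policy scopes
// under mount, so a caller can confirm every block was rewritten.
func countPathBlocks(policy, mount string) int {
	return strings.Count(policy, `path "`+mount+`/`)
}

func main() {
	// Constructed inputs: the default, a custom mount, a nested mount, and
	// the rejected shapes.
	for _, kv := range []string{"secret", "kv/", "/team-a/kv/", "", "/", "*"} {
		policy, err := renderVaultPolicy(kv, "auth_jwt_abc123")
		if err != nil {
			fmt.Printf("%-14q rejected: %v\n", kv, err)
			continue
		}
		fmt.Printf("%-14q ok, %d path blocks\n", kv, countPathBlocks(policy, strings.Trim(kv, "/")))
	}
	policy, _ := renderVaultPolicy("kv", "auth_jwt_abc123")
	fmt.Println(policy)
}
```

Running it prints the outcome for each constructed mount followed by the policy rendered for kv; the rejected cases never produce a policy, which is the property the PR's empty-value guard is meant to give before the command talks to Vault.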