fix: correct field from bao

2026-03-18 03:15:11 +01:00
parent 005cd7b60e
commit 9e0eb5b583
8 changed files with 125 additions and 16 deletions
--- a/pkgs/helpers/pycache/cli.cpython-313.pyc
+++ b/pkgs/helpers/pycache/cli.cpython-313.pyc
--- a/pkgs/helpers/cli.py
+++ b/pkgs/helpers/cli.py
@@ -128,8 +128,9 @@ def build_parser() -> argparse.ArgumentParser:
    init_host_parser = openbao_subparsers.add_parser("init-host", help="Create policy, AppRole, and bootstrap files.")
    init_host_parser.add_argument("--name", required=True, help="Host name, e.g. vps2.")
    init_host_parser.add_argument("--namespace", default="it", help="OpenBao namespace. Default: it.")
+    init_host_parser.add_argument("--kv-mount", default="kv", help="KV v2 mount name. Default: kv.")
    init_host_parser.add_argument("--secret-path", default="tailscale", help="Logical secret path. Default: tailscale.")
-    init_host_parser.add_argument("--field", default="auth_key", help="Secret field. Default: auth_key.")
+    init_host_parser.add_argument("--field", default="CLIENT_SECRET", help="Secret field. Default: CLIENT_SECRET.")
    init_host_parser.add_argument("--auth-path", default="auth/approle", help="AppRole auth mount. Default: auth/approle.")
    init_host_parser.add_argument("--policy-name", help="Policy name. Default: tailscale-<host>.")
    init_host_parser.add_argument("--role-name", help="AppRole name. Default: tailscale-<host>.")
@@ -351,7 +352,7 @@ def cmd_openbao_init_host(args: argparse.Namespace) -> int:
    role_id_path = output_dir / "var" / "lib" / "nodeiwest" / "openbao-approle-role-id"
    secret_id_path = output_dir / "var" / "lib" / "nodeiwest" / "openbao-approle-secret-id"

-    secret_data = bao_kv_get(args.namespace, args.secret_path)
+    secret_data = bao_kv_get(args.namespace, args.kv_mount, args.secret_path)
    fields = secret_data.get("data", {})
    if isinstance(fields.get("data"), dict):
        fields = fields["data"]
@@ -363,11 +364,12 @@ def cmd_openbao_init_host(args: argparse.Namespace) -> int:
    if args.kv_mount_path:
        policy_content = render_openbao_policy(args.kv_mount_path)
    else:
-        policy_content = derive_openbao_policy(args.namespace, args.secret_path)
+        policy_content = derive_openbao_policy(args.namespace, args.kv_mount, args.secret_path)

    role_command = build_approle_write_command(args.auth_path, role_name, policy_name, args.cidr)

    print(f"Namespace: {args.namespace}")
+    print(f"KV mount: {args.kv_mount}")
    print(f"Policy name: {policy_name}")
    print(f"Role name: {role_name}")
    print(f"Secret path: {args.secret_path}")
@@ -1022,13 +1024,13 @@ def ensure_bao_authenticated() -> None:
    )


-def bao_kv_get(namespace: str, secret_path: str) -> dict[str, Any]:
+def bao_kv_get(namespace: str, kv_mount: str, secret_path: str) -> dict[str, Any]:
    result = run_command(
-        ["bao", "kv", "get", "-format=json", secret_path],
+        ["bao", "kv", "get", f"-mount={kv_mount}", "-format=json", secret_path],
        env={"BAO_NAMESPACE": namespace},
        next_fix=(
-            "Check BAO_ADDR, BAO_NAMESPACE, and the logical secret path. "
-            "If the path or mount is ambiguous, re-run with --kv-mount-path."
+            "Check BAO_ADDR, BAO_NAMESPACE, the KV mount, and the logical secret path. "
+            "If the KV mount is not the default, re-run with --kv-mount."
        ),
    )
    try:
@@ -1037,12 +1039,13 @@ def bao_kv_get(namespace: str, secret_path: str) -> dict[str, Any]:
        raise NodeiwestError(f"Failed to parse `bao kv get` JSON output: {exc}") from exc


-def derive_openbao_policy(namespace: str, secret_path: str) -> str:
+def derive_openbao_policy(namespace: str, kv_mount: str, secret_path: str) -> str:
    result = run_command(
-        ["bao", "kv", "get", "-output-policy", secret_path],
+        ["bao", "kv", "get", f"-mount={kv_mount}", "-output-policy", secret_path],
        env={"BAO_NAMESPACE": namespace},
        next_fix=(
-            "Check BAO_ADDR, BAO_NAMESPACE, and the logical secret path. "
+            "Check BAO_ADDR, BAO_NAMESPACE, the KV mount, and the logical secret path. "
+            "If the KV mount is not the default, re-run with --kv-mount. "
            "If policy derivation still does not match your mount layout, re-run with --kv-mount-path."
        ),
    )
@@ -1220,8 +1223,8 @@ def infer_verify_failures(
        messages.append("Missing AppRole files on the host. Check /var/lib/nodeiwest/openbao-approle-role-id and ...secret-id.")
    if any(fragment in combined for fragment in ["invalid secret id", "permission denied", "approle", "failed to authenticate"]):
        messages.append("OpenBao AppRole authentication failed. Re-check the role, secret_id, namespace, and auth mount.")
-    if any(fragment in combined for fragment in ["auth_key", "timed out waiting for rendered tailscale auth key", "no data", "secret path"]):
-        messages.append("OpenBao rendered no Tailscale auth key. Check the secret path, KV mount path, and auth_key field.")
+    if any(fragment in combined for fragment in ["CLIENT_SECRET", "timed out waiting for rendered tailscale auth key", "no data", "secret path"]):
+        messages.append("OpenBao rendered no Tailscale auth key. Check the secret path, KV mount path, and CLIENT_SECRET field.")
    if tailscale_status.returncode != 0 or "logged out" in (tailscale_status.stdout or "").lower():
        messages.append("Tailscale autoconnect is blocked. Check tailscaled-autoconnect, the rendered auth key, and outbound access to Tailscale.")

--- a/pkgs/helpers/tests/pycache/test_cli.cpython-313.pyc
+++ b/pkgs/helpers/tests/pycache/test_cli.cpython-313.pyc
--- a/pkgs/helpers/tests/test_cli.py
+++ b/pkgs/helpers/tests/test_cli.py
@@ -3,6 +3,7 @@ from __future__ import annotations
 import importlib.util
 import sys
 import unittest
+from unittest import mock
 from pathlib import Path


@@ -45,6 +46,28 @@ class HelperCliTests(unittest.TestCase):
        self.assertIn('device = lib.mkDefault "/dev/vda";', rendered)
        self.assertIn('size = "8GiB";', rendered)

+    def test_bao_kv_get_uses_explicit_kv_mount(self) -> None:
+        completed = mock.Mock()
+        completed.stdout = '{"data": {"data": {"CLIENT_ID": "x"}}}'
+        with mock.patch.object(cli, "run_command", return_value=completed) as run_command:
+            data = cli.bao_kv_get("it", "kv", "tailscale")
+
+        self.assertEqual(data["data"]["data"]["CLIENT_ID"], "x")
+        command = run_command.call_args.args[0]
+        self.assertEqual(command, ["bao", "kv", "get", "-mount=kv", "-format=json", "tailscale"])
+        self.assertEqual(run_command.call_args.kwargs["env"], {"BAO_NAMESPACE": "it"})
+
+    def test_derive_openbao_policy_uses_explicit_kv_mount(self) -> None:
+        completed = mock.Mock()
+        completed.stdout = 'path "kv/data/tailscale" { capabilities = ["read"] }\n'
+        with mock.patch.object(cli, "run_command", return_value=completed) as run_command:
+            policy = cli.derive_openbao_policy("it", "kv", "tailscale")
+
+        self.assertIn('path "kv/data/tailscale"', policy)
+        command = run_command.call_args.args[0]
+        self.assertEqual(command, ["bao", "kv", "get", "-mount=kv", "-output-policy", "tailscale"])
+        self.assertEqual(run_command.call_args.kwargs["env"], {"BAO_NAMESPACE": "it"})
+

 if __name__ == "__main__":
    unittest.main()