mosaicstack/stack
1
0
Fork 0
Code Issues 22 Pull Requests 7 Actions Packages Projects Releases 13 Wiki Activity

fix(framework): remediate Codex review findings in VAULT-SECRETS.md
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details
ci/woodpecker/pr/ci Pipeline failed
Details

Browse Source 
Two should-fix findings from automated Codex review:

1. Vault KV v2 policy path — add explicit path for exact top-level
   `secret/data/k3s/<app>` entry alongside the wildcard `/*` sub-path
   rule. Without the exact path, apps reading the top-level secret get
   permission denied from Vault KV v2 even with the wildcard.

2. Go envconfig example — remove unused `os` import from config.go
   snippet (os was only referenced in a comment). Move the main() usage
   to a separate clearly-labelled main.go block to make both snippets
   copy-paste compilable.

Both fixes mirrored to duplicate path:
  guides/ <-> packages/mosaic/framework/guides/

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Hermes Agent
2026-05-22 12:01:29 -05:00
parent 373e4558a3
commit e88a89f34d
2 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
guides/VAULT-SECRETS.md
View File

@@ -355,7 +355,6 @@ package config
import (
"fmt"
"os"
"github.com/kelseyhightower/envconfig"
)
@@ -373,10 +372,16 @@ func Load() (*Config, error) {
}
return &cfg, nil
}
```
// In main():
// cfg, err := config.Load()
// if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }
In your `main.go`:
```go
cfg, err := config.Load()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
```
---
@@ -399,7 +404,12 @@ Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB
vault auth enable approle
# Create a Vault policy for the app
# Note: KV v2 paths require both the exact path (for the top-level secret) and the
# wildcard (for sub-paths). Always include both to avoid permission denied errors.
vault policy write <app>-policy - <<EOF
path "secret/data/k3s/<app>" {
capabilities = ["read"]
}
path "secret/data/k3s/<app>/*" {
capabilities = ["read"]
}

18
packages/mosaic/framework/guides/VAULT-SECRETS.md
View File

@@ -355,7 +355,6 @@ package config
import (
"fmt"
"os"
"github.com/kelseyhightower/envconfig"
)
@@ -373,10 +372,16 @@ func Load() (*Config, error) {
}
return &cfg, nil
}
```
// In main():
// cfg, err := config.Load()
// if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }
In your `main.go`:
```go
cfg, err := config.Load()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
```
---
@@ -399,7 +404,12 @@ Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB
vault auth enable approle
# Create a Vault policy for the app
# Note: KV v2 paths require both the exact path (for the top-level secret) and the
# wildcard (for sub-paths). Always include both to avoid permission denied errors.
vault policy write <app>-policy - <<EOF
path "secret/data/k3s/<app>" {
capabilities = ["read"]
}
path "secret/data/k3s/<app>/*" {
capabilities = ["read"]
}