vault: distinguish Vaultwarden vs HashiCorp Vault, add vault kv
`homelab vault` only spoke to Vaultwarden (the password manager), but the name reads as HashiCorp Vault (the infra secrets store — actually OpenBao here). Make the two unmistakable and support both. Distinction (no breakage — the existing Vaultwarden verbs are unchanged): - bare `homelab vault` help now LEADS with the two-stores split; - every verb summary is tagged `[vaultwarden]` or `[hashicorp-vault]`; - HashiCorp Vault/OpenBao lives under a clearly-named `vault kv` group. New `vault kv` (HashiCorp Vault / OpenBao, the secret/… KV store): - `kv get <path> [--field K]` — read; --field → one value (TTY-aware clipboard/stdout), no field → full secret JSON (refuses a bare TTY). - `kv list <path>` — list sub-paths (no values). - `kv put <path> <key>` — write one key; value via stdin (piped or no-echo prompt, never argv); creates the path or merges (never clobbers siblings; uses kv patch -method=rw so no `patch` cap needed). Critical: `kv` uses the caller's OWN Vault token (OIDC ~/.vault-token / $VAULT_TOKEN), NOT the per-user scoped Vaultwarden token (bound only to claude-users/<user>, which would 403 elsewhere) — handlers set VAULT_ADDR but never inject the scoped token. Access is whatever the policy grants. Logic in cmd_vault_kv.go (pure cores extractKVData/parseKVList/arg builders/kvGet/List/Put; file header documents the credential split). CLI v0.11.0. Tests: no value in put argv, create-then-merge, KV-v2 envelope strip, help names both systems. Verified e2e against live Vault (read key-names-only + a scratch put/merge/cleanup). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
a1cf7ccaf6
commit
e03e4719ad
6 changed files with 492 additions and 21 deletions
|
|
@ -244,6 +244,27 @@ vault wouldn't show up until the next login. The sync is **best-effort**: a
|
|||
transient failure warns on stderr and falls back to the cached vault rather than
|
||||
failing the read.
|
||||
|
||||
### v0.11 — `vault kv` (HashiCorp Vault / OpenBao infra secrets)
|
||||
|
||||
`homelab vault` now fronts **two unrelated stores**, made explicit in the bare
|
||||
`homelab vault` help and via `[vaultwarden]` / `[hashicorp-vault]` summary tags:
|
||||
|
||||
- **Vaultwarden** — your personal password manager (`vault get/list/code/…`, unchanged).
|
||||
- **HashiCorp Vault / OpenBao** — homelab infra secrets, the `secret/…` KV store, under `vault kv`.
|
||||
|
||||
| Command | Tier | What it does |
|
||||
| --- | --- | --- |
|
||||
| `vault kv get <path> [--field K]` | read | read a secret: `--field K` → one value (TTY-aware clipboard/stdout); no field → all fields as JSON (refuses a bare TTY) |
|
||||
| `vault kv list <path>` | read | list sub-paths under `<path>` (no values) |
|
||||
| `vault kv put <path> <key>` | write | write one key; **value via stdin** (piped or no-echo prompt, never argv); creates the path or **merges** (never clobbers siblings) |
|
||||
|
||||
**Different credentials:** the Vaultwarden verbs use the per-user *scoped* token
|
||||
(bound to `claude-users/<user>`); `vault kv` uses your **own** Vault token
|
||||
(`vault login -method=oidc` → `~/.vault-token`, or `$VAULT_TOKEN`) — the kv
|
||||
handlers set `VAULT_ADDR` but never inject the scoped token (which would 403 off
|
||||
its own path). Access is whatever your policy grants. Writes are merge-only;
|
||||
`put` (replace) / `delete` are out of scope — use the raw `vault` CLI.
|
||||
|
||||
## Build / install
|
||||
|
||||
Built from source to `/usr/local/bin/homelab` during devvm provisioning
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue