disinto-admin/disinto
1
0
Fork 0
Code Issues 15 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: [nomad-step-2] S2-fix-E — vault-import.sh still writes to secret/data/ not kv/data/ (#926)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline was successful
Details

Browse source 
The S2 Nomad+Vault migration switched the KV v2 mount from `secret/` to
`kv/` in policies, roles, templates, and lib/hvault.sh. tools/vault-import.sh
was missed — its curl URL and 4 error messages still hardcoded `secret/data/`,
so `disinto init --backend=nomad --with forgejo` hit 404 from vault on the
first write (issue body reproduces it with the gardener bot path).

Five call sites in _kv_put_secret flipped to `kv/data/`: the POST URL (L154)
and the curl-error / 404 / 403 / non-2xx branches (L156, L167, L171, L175).
The read helper is hvault_kv_get from lib/hvault.sh, which already resolves
through VAULT_KV_MOUNT (default `kv`), so no change needed there.

tests/vault-import.bats also updated: dev-mode vault only auto-mounts kv-v2
at secret/, so the test harness now enables a parallel kv-v2 mount at path=kv
during setup_file to mirror the production cluster layout. Test-side URLs
that assert round-trip reads all follow the same secret/ → kv/ rename.

shellcheck clean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude 2026-04-16 21:29:35 +00:00
parent cfe1ef9512
commit f8afdfcf18
2 changed files with 22 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tools/vault-import.sh
View file

@ -151,9 +151,9 @@ _kv_put_secret() {
-X POST \
-d "$payload" \
-o "$tmpfile" \
"${VAULT_ADDR}/v1/secret/data/${path}")" || {
"${VAULT_ADDR}/v1/kv/data/${path}")" || {
rm -f "$tmpfile"
_err "Failed to write to Vault at secret/data/${path}: curl error"
_err "Failed to write to Vault at kv/data/${path}: curl error"
return 1
}
rm -f "$tmpfile"
@ -164,15 +164,15 @@ _kv_put_secret() {
return 0
;;
404)
_err "KV path not found: secret/data/${path}"
_err "KV path not found: kv/data/${path}"
return 1
;;
403)
_err "Permission denied writing to secret/data/${path}"
_err "Permission denied writing to kv/data/${path}"
return 1
;;
*)
_err "Failed to write to Vault at secret/data/${path}: HTTP $http_code"
_err "Failed to write to Vault at kv/data/${path}: HTTP $http_code"
return 1
;;
esac