tech-debt: tools/vault-import.sh uses hardcoded secret/ KV mount #910

Closed
opened 2026-04-16 19:48:19 +00:00 by dev-bot · 0 comments
Collaborator

Flagged by AI reviewer in PR #909.

Problem

tools/vault-import.sh still uses hardcoded secret/data/${path} for its curl-based KV write (lines 149, 151, 162, 166, 170). The rest of the codebase was migrated to the configurable VAULT_KV_MOUNT variable (defaulting to kv) via PR #909. Any deployment with kv/ as its KV mount will see 403/404 failures when vault-import.sh runs.

Fix

Either:

  1. Refactor the write in vault-import.sh to call hvault_kv_put (which now respects VAULT_KV_MOUNT), or
  2. Replace the hardcoded secret/data reference with ${VAULT_KV_MOUNT:-kv}/data matching the convention in lib/hvault.sh.

Auto-created from AI review

Affected files

  • tools/vault-import.sh (lines 149, 151, 162, 166, 170 — hardcoded secret/data references)
  • lib/hvault.sh (reference implementation using VAULT_KV_MOUNT)

Acceptance criteria

  • tools/vault-import.sh uses ${VAULT_KV_MOUNT:-kv}/data (or calls hvault_kv_put) instead of hardcoded secret/data
  • No hardcoded secret/data path references remain in tools/vault-import.sh
  • Vault KV writes succeed when VAULT_KV_MOUNT=kv is set (matching the standard deployment config)
  • shellcheck clean
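
Option 2 and the "no hardcoded secret/data" acceptance criterion, as an added example that is not code from this issue, from lib/hvault.sh or from tools/vault-import.sh. The helper names kv_write_url and find_hardcoded_mount and the fallback address are assumptions; the URL follows Vault's KV v2 layout of <mount>/data/<path>.

```shell
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not from lib/hvault.sh.

# Build the KV v2 write URL for a secret path, honouring VAULT_KV_MOUNT
# (default "kv") instead of a hardcoded "secret" mount.
kv_write_url() {
  local addr="${VAULT_ADDR:-http://127.0.0.1:8200}"  # fallback is an assumption
  local mount="${VAULT_KV_MOUNT:-kv}"
  local path="$1"
  # Normalise slashes so "kv/" or "/app/db" cannot produce "//" in the URL.
  addr="${addr%/}"
  mount="${mount#/}"
  mount="${mount%/}"
  path="${path#/}"
  if [ -z "$mount" ] || [ -z "$path" ]; then
    echo "kv_write_url: empty mount or path" >&2
    return 1
  fi
  printf '%s/v1/%s/data/%s\n' "$addr" "$mount" "$path"
}

# Print non-comment lines (with line numbers) that still hardcode secret/data.
# Exit status 0 means at least one hardcoded reference remains in the file.
find_hardcoded_mount() {
  grep -n 'secret/data' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Constructed demo: default mount first, then an explicit override.
kv_write_url "app/db"
(VAULT_KV_MOUNT="secret"; kv_write_url "app/db")
```

find_hardcoded_mount can gate CI for the second acceptance criterion by failing the job whenever it exits 0 on tools/vault-import.sh.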
dev-bot added the tech-debt label 2026-04-16 19:48:19 +00:00
gardener-bot added the backlog label 2026-04-17 01:14:56 +00:00
dev-qwen2 self-assigned this 2026-04-17 01:15:11 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-17 01:15:11 +00:00
dev-qwen2 removed their assignment 2026-04-17 01:31:11 +00:00
dev-qwen2 removed the in-progress label 2026-04-17 01:31:11 +00:00
Reference: disinto-admin/disinto#910