[nomad-step-2] S2-fix-C — make tools/vault-import.sh --sops optional (spec regression) #921

Closed
opened 2026-04-16 21:10:33 +00:00 by dev-bot · 1 comment
Collaborator

Part of the Nomad+Vault migration. Step-2 sub-bugfix (3/4). Replaces part of the consolidated #912.

Goal

Relax tools/vault-import.sh's argparse so --import-sops is optional. The original S2.2 spec (#880) said:

  • --import-env alone (no sops) → OK, imports only the plaintext half.

Current implementation hard-errors "Missing required argument: --sops" and blocks the real migration path — the live disinto-dev-box has only .env, no .env.vault.enc, no sops age key.

Scope

In tools/vault-import.sh argparse

Change the validation block to:

```bash
# --import-sops requires --age-key (can't decrypt without key)
if [ -n "${SOPS_FILE:-}" ] && [ -z "${AGE_KEY:-}" ]; then
  echo "ERROR: --import-sops requires --age-key" >&2
  exit 1
fi

# --age-key without --import-sops is a no-op — accept it but warn
if [ -z "${SOPS_FILE:-}" ] && [ -n "${AGE_KEY:-}" ]; then
  echo "WARNING: --age-key given without --import-sops; ignoring" >&2
fi

# At least one of --import-env / --import-sops must be provided
if [ -z "${ENV_FILE:-}" ] && [ -z "${SOPS_FILE:-}" ]; then
  echo "ERROR: must provide --import-env and/or --import-sops" >&2
  exit 1
fi
```

Flow guard

Where the current code does decrypt_and_write_sops "$SOPS_FILE", wrap in if [ -n "${SOPS_FILE:-}" ]; then ... fi. Same for the .env path with ENV_FILE.

Acceptance criteria

  • tools/vault-import.sh --env /path/.env (no --sops) succeeds, writes plaintext keys only.
  • tools/vault-import.sh --sops file.enc --age-key keys.txt (no --env) succeeds, writes sops keys only.
  • tools/vault-import.sh --sops file.enc (no --age-key) errors "requires --age-key".
  • tools/vault-import.sh (no args) errors "must provide --import-env and/or --import-sops".
  • disinto init --backend=nomad --import-env /tmp/.env chain works end-to-end without sops (the common real-migration case).
  • Existing bats tests pass; add one new test for the "env-only" case.

Non-goals

  • Not changing what gets written or where (same KV paths as today).
  • Not changing the age-key validation or sops subprocess handling — just the required-args gate.

Labels / meta

  • [nomad-step-2] S2-fix-C — no dependencies. Can land parallel to S2-fix-A/B/D.

Resolved by merged PR #923 (merge commit cfe1ef95) which landed all 4 sub-issue fixes at once. Closing as superseded.
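
The required-args gate and flow guard described in this issue, run as one function over the accepted and rejected flag combinations. This is an added example, not the project's `tools/vault-import.sh`: the function name `plan_import`, its printed plan string and the missing-value check are assumptions, and the flag names follow the `--import-*` spelling from the Goal section.

```bash
#!/usr/bin/env bash
# Added illustration; not the project's tools/vault-import.sh.
# plan_import and its output format are hypothetical.
set -u

# Parse flags, apply the gate, and print which import halves would run.
# Returns 0 for an accepted combination, 1 for a rejected one.
plan_import() {
  local ENV_FILE="" SOPS_FILE="" AGE_KEY=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --import-env|--import-sops|--age-key)
        # A flag with no value must fail here, not shift past the end.
        [ $# -ge 2 ] || { echo "ERROR: $1 needs a value" >&2; return 1; }
        case "$1" in
          --import-env)  ENV_FILE=$2 ;;
          --import-sops) SOPS_FILE=$2 ;;
          --age-key)     AGE_KEY=$2 ;;
        esac
        shift 2 ;;
      *) echo "ERROR: unknown argument: $1" >&2; return 1 ;;
    esac
  done

  # Gate from the issue: sops needs a key, a lone key is only a warning,
  # and at least one input file must be named.
  if [ -n "$SOPS_FILE" ] && [ -z "$AGE_KEY" ]; then
    echo "ERROR: --import-sops requires --age-key" >&2; return 1
  fi
  if [ -z "$SOPS_FILE" ] && [ -n "$AGE_KEY" ]; then
    echo "WARNING: --age-key given without --import-sops; ignoring" >&2
  fi
  if [ -z "$ENV_FILE" ] && [ -z "$SOPS_FILE" ]; then
    echo "ERROR: must provide --import-env and/or --import-sops" >&2; return 1
  fi

  # Flow guard: each half runs only when its file was supplied, so an
  # env-only run never reaches the decrypt path.
  local plan=""
  if [ -n "$ENV_FILE" ]; then plan="env"; fi
  if [ -n "$SOPS_FILE" ]; then plan="${plan:+$plan+}sops"; fi
  echo "$plan"
}
```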

dev-bot added the backlog label 2026-04-16 21:10:33 +00:00
dev-qwen2 self-assigned this 2026-04-16 21:11:09 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 21:11:09 +00:00
Collaborator

Blocked — issue #921

| Field | Value |
|---|---|
| Exit reason | `closed_externally` |
| Timestamp | `2026-04-16T21:29:25Z` |
dev-qwen2 added blocked and removed in-progress labels 2026-04-16 21:29:26 +00:00
Reference: disinto-admin/disinto#921