[nomad-step-2] S2-fix-E — vault-import.sh still writes to secret/data/ not kv/data/ #926

Closed
opened 2026-04-16 21:27:12 +00:00 by dev-bot · 0 comments

Part of the Nomad+Vault migration. Step-2 sub-bugfix (5/4). Discovered during Step 2 re-verification on fresh LXC.

Symptom

After #923 landed and disinto init --backend=nomad --import-env /tmp/.env --with forgejo got past the earlier 4 bugs, vault-import.sh fails:

[vault-import] ERROR: KV path not found: secret/data/disinto/bots/gardener
[vault-import] ERROR: Failed to write to disinto/bots/gardener

Root cause

tools/vault-import.sh writes to ${VAULT_ADDR}/v1/secret/data/${path} — the legacy secret/ KV v1 prefix. The Step-2 migration switched everything to kv/ (v2) in policies, roles, templates, and lib/hvault.sh. vault-import.sh was missed.

Scope — exact lines in tools/vault-import.sh (main, cfe1ef9)

Line 154 is the curl URL; lines 156, 167, 171, 175 are error messages referencing the path:

154:    "${VAULT_ADDR}/v1/secret/data/${path}")" || {
156:    _err "Failed to write to Vault at secret/data/${path}: curl error"
167:      _err "KV path not found: secret/data/${path}"
171:      _err "Permission denied writing to secret/data/${path}"
175:      _err "Failed to write to Vault at secret/data/${path}: HTTP $http_code"

Change secret/data/ → kv/data/ in all five lines.

Also sanity-check the read helper if one exists (for idempotency diffs) — same fix.

Acceptance criteria

  • On fresh LXC + disinto init --backend=nomad --import-env /tmp/.env --with forgejo from disinto-dev-box's real .env, vault-import.sh completes without errors.
  • vault kv list kv/disinto/bots shows all the bot paths (review, dev, gardener, etc.).
  • vault kv get kv/disinto/bots/gardener returns the FORGE_GARDENER_TOKEN + FORGE_GARDENER_PASS from the source .env.
  • Re-running the import is idempotent.
  • shellcheck clean.

Why #923 missed this

Dev-bot's 4-in-1 PR (#923) covered the policy/mount/helper/template layers but treated vault-import.sh as already correct. The docs in its header comment (line 21+) already said kv/disinto/* — only the runtime code still pointed at secret/.

Labels / meta

  • backlog + bug-report. Tight scope, 5-line diff.
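As an added example (my code, not tools/vault-import.sh or anything else from the disinto repository), the following POSIX sh helper shows the shape a KV-v2-correct import should take so that the mount name cannot drift out of sync with the error messages again: the mount lives in one variable, the URL is built as /v1/<mount>/data/<path> (the KV v2 API shape, whatever the mount is called), HTTP status codes map to the same three error classes the script reports today, and the write is skipped when the stored data already matches. That last part matters for the idempotency criterion: a KV v2 write that repeats identical data still creates a new secret version, so a read-compare is needed if re-running the import is not to bump the version every time. Assumptions of mine, not stated in the issue: the engine is mounted at kv/ (overridable through VAULT_KV_MOUNT), VAULT_ADDR and VAULT_TOKEN are set by the caller, curl and jq are installed, and every function name below is illustrative.

```shell
#!/bin/sh
# Added example, not the project's tools/vault-import.sh.
# Assumptions: KV v2 engine mounted at $VAULT_KV_MOUNT (default "kv"),
# VAULT_ADDR and VAULT_TOKEN set by the caller, curl and jq available.

VAULT_KV_MOUNT="${VAULT_KV_MOUNT:-kv}"

# KV v2 serves secret data at /v1/<mount>/data/<path> for any mount name;
# "secret/data/..." and "kv/data/..." differ only in the mount segment,
# which is why it is kept in one variable rather than repeated in strings.
kv2_url() {
  printf '%s/v1/%s/data/%s\n' "${VAULT_ADDR%/}" "$VAULT_KV_MOUNT" "${1#/}"
}

# Turn KEY=VALUE lines (a .env subset, read from stdin) into the KV v2 write
# body {"data": {KEY: VALUE, ...}}. Comments, blank lines and lines that do
# not match KEY=VALUE are dropped; jq JSON-escapes the values, so tokens that
# contain quotes or backslashes survive intact.
kv2_body() {
  jq -R -n '[inputs
             | select(length > 0 and (startswith("#") | not))
             | capture("^(?<k>[A-Za-z_][A-Za-z0-9_]*)=(?<v>.*)$")]
            | {data: (map({(.k): .v}) | add // {})}'
}

# Translate Vault's HTTP status into the log line the import should emit.
# Returns 0 on success and 1 otherwise, so it doubles as a predicate.
kv2_explain() {
  code=$1
  path=$2
  loc="${VAULT_KV_MOUNT}/data/${path}"
  case "$code" in
    200|204) echo "wrote ${loc}"; return 0 ;;
    403) echo "Permission denied writing to ${loc}: token policy needs create+update on ${loc}"; return 1 ;;
    404) echo "KV path not found: ${loc}: no KV v2 engine mounted at ${VAULT_KV_MOUNT}/"; return 1 ;;
    *)   echo "Failed to write to Vault at ${loc}: HTTP ${code}"; return 1 ;;
  esac
}

# True when the data stored at path $1 already equals the body $2 would write.
# jq compares objects structurally, so key order from Vault does not matter;
# any transport or parse failure counts as "changed" and falls through to a write.
kv2_unchanged() {
  curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "$(kv2_url "$1")" 2>/dev/null \
    | jq -e --argjson want "$2" '(.data.data // {}) == $want.data' >/dev/null 2>&1
}

# Write body $2 to path $1 unless Vault already holds identical data.
# Prints the explanation line; exit status follows kv2_explain.
kv2_write_if_changed() {
  path=$1
  body=$2
  if kv2_unchanged "$path" "$body"; then
    echo "unchanged ${VAULT_KV_MOUNT}/data/${path}"
    return 0
  fi
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
           -H "X-Vault-Token: ${VAULT_TOKEN}" -X POST \
           --data "$body" "$(kv2_url "$path")")
  kv2_explain "$code" "$path"
}

# Usage: sh kv2-import.sh import disinto/bots/gardener < gardener.env
if [ "${1:-}" = "import" ] && [ -n "${2:-}" ]; then
  kv2_write_if_changed "$2" "$(kv2_body)"
fi
```

Under the issue's acceptance criteria, a second run of the import then prints "unchanged kv/data/disinto/bots/gardener" for every path, and vault kv get kv/disinto/bots/gardener keeps reporting version 1.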
dev-bot added the backlog, bug-report labels 2026-04-16 21:27:12 +00:00
dev-bot self-assigned this 2026-04-16 21:27:14 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-16 21:27:14 +00:00
dev-bot was unassigned by dev-qwen 2026-04-16 21:38:46 +00:00
dev-qwen removed the in-progress label 2026-04-16 21:38:46 +00:00
Reference: disinto-admin/disinto#926