fix: [nomad-step-2] S2-fix-E — vault-import.sh still writes to secret/data/ not kv/data/ (#926) #927

Merged
dev-qwen merged 1 commit from fix/issue-926 into main 2026-04-16 21:38:46 +00:00

Fixes #926

Changes

dev-bot added 1 commit 2026-04-16 21:29:48 +00:00
fix: [nomad-step-2] S2-fix-E — vault-import.sh still writes to secret/data/ not kv/data/ (#926)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
f8afdfcf18
The S2 Nomad+Vault migration switched the KV v2 mount from `secret/` to
`kv/` in policies, roles, templates, and lib/hvault.sh. tools/vault-import.sh
was missed — its curl URL and 4 error messages still hardcoded `secret/data/`,
so `disinto init --backend=nomad --with forgejo` hit 404 from vault on the
first write (issue body reproduces it with the gardener bot path).

Five call sites in _kv_put_secret flipped to `kv/data/`: the POST URL (L154)
and the curl-error / 404 / 403 / non-2xx branches (L156, L167, L171, L175).
The read helper is hvault_kv_get from lib/hvault.sh, which already resolves
through VAULT_KV_MOUNT (default `kv`), so no change needed there.

tests/vault-import.bats also updated: dev-mode vault only auto-mounts kv-v2
at secret/, so the test harness now enables a parallel kv-v2 mount at path=kv
during setup_file to mirror the production cluster layout. Test-side URLs
that assert round-trip reads all follow the same secret/ → kv/ rename.

shellcheck clean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
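The commit message describes the bug as a hardcoded mount segment in both the write URL and four error messages, while the read side already resolves the mount through VAULT_KV_MOUNT. The helper below is an added example (not disinto's tools/vault-import.sh or lib/hvault.sh) of the shape that avoids a second drift: the KV v2 URL, the `{"data":...}` wrapper, and every status message derive from one mount variable, and the harness-side sys/mounts payload the test setup needs is kept next to it. All function names (`kv_data_url`, `kv_put_payload`, `kv_http_status_msg`, `kv_put_secret`, `kv2_mount_payload`, `vault_enable_kv2_mount`) are assumptions for this example; only the two curl-calling functions need a reachable Vault.

```bash
#!/usr/bin/env bash
# Added example, not disinto's tools/vault-import.sh or lib/hvault.sh: a KV v2
# write helper that builds its URL from the mount name (VAULT_KV_MOUNT, default
# "kv", matching what the PR says hvault_kv_get already does) instead of
# hardcoding secret/data/ or kv/data/ in the URL and in each error message.
# Assumed/hypothetical names: kv_data_url, kv_put_payload, kv_http_status_msg,
# kv_put_secret, kv2_mount_payload, vault_enable_kv2_mount.
# kv_put_secret and vault_enable_kv2_mount need curl and a reachable Vault;
# the remaining helpers are pure and run offline.
set -u

: "${VAULT_ADDR:=http://127.0.0.1:8200}"
: "${VAULT_TOKEN:=}"
: "${VAULT_KV_MOUNT:=kv}"

# KV v2 data endpoint for a logical path under the given mount.
# Tolerates a trailing slash on the mount and a leading slash on the path.
kv_data_url() {
  local mount="${1%/}" path="${2#/}"
  printf '%s/v1/%s/data/%s\n' "$VAULT_ADDR" "$mount" "$path"
}

# KV v2 expects the secret map wrapped as {"data": {...}}; $1 is a JSON object.
kv_put_payload() {
  printf '{"data":%s}\n' "$1"
}

# Classify the HTTP status of a KV v2 write. Prints one line naming the mount
# that was actually used, so a 404 points straight at a missing or misnamed
# mount rather than at the secret path. Returns 0 only for 2xx.
kv_http_status_msg() {
  local status="$1" mount="$2" path="$3"
  case "$status" in
    2[0-9][0-9]) printf 'ok: wrote %s/data/%s\n' "$mount" "$path"; return 0 ;;
    000) printf 'curl error: could not reach %s\n' "$VAULT_ADDR"; return 1 ;;
    404) printf '404 from vault: no KV v2 mount at %s/ (check VAULT_KV_MOUNT and sys/mounts)\n' "$mount"; return 1 ;;
    403) printf '403 from vault: token lacks create/update on %s/data/%s\n' "$mount" "$path"; return 1 ;;
    *)   printf 'HTTP %s from vault writing %s/data/%s\n' "$status" "$mount" "$path"; return 1 ;;
  esac
}

# Write one secret. Only the status code is captured (-o /dev/null) so secret
# material in a response body never lands in logs. curl prints 000 and exits
# non-zero when it cannot connect; both cases collapse to the 000 branch.
kv_put_secret() {
  local path="$1" json="$2" status
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -X POST --data-binary "$(kv_put_payload "$json")" \
    "$(kv_data_url "$VAULT_KV_MOUNT" "$path")") || status=000
  kv_http_status_msg "$status" "$VAULT_KV_MOUNT" "$path" >&2
}

# Body for POST /v1/sys/mounts/<mount> to add a KV v2 mount: dev-mode Vault
# only auto-mounts kv-v2 at secret/, so a test harness that mirrors a cluster
# using kv/ has to create that mount itself before the first write.
kv2_mount_payload() {
  printf '{"type":"kv","options":{"version":"2"}}\n'
}

vault_enable_kv2_mount() {
  local mount="${1:-$VAULT_KV_MOUNT}"
  curl -s -o /dev/null -w '%{http_code}\n' \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -X POST --data-binary "$(kv2_mount_payload)" \
    "$VAULT_ADDR/v1/sys/mounts/${mount%/}"
}

# Stand-alone use against a live Vault:
#   vault_enable_kv2_mount kv          # 204 on success, 400 if already mounted
#   kv_put_secret forgejo/gardener '{"token":"example"}'
```

With the mount threaded through one variable, pointing the script at the dev-mode default is `VAULT_KV_MOUNT=secret`, and a misconfigured mount fails with a message that names the mount rather than a bare 404, which is the failure the issue reproduced.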

AI Review

Summary

Surgical fix: _kv_put_secret was writing to ${VAULT_ADDR}/v1/secret/data/${path} (dev-mode auto-mount) instead of the production KV-v2 mount at kv/data/. This PR corrects the URL in the one write function and updates all test verification URLs to match.

Correctness claims verified

  1. Only write site: _kv_put_secret is the sole function that writes to Vault in vault-import.sh. Confirmed no other secret/data references remain in the file.

  2. Test mount setup: setup_file now enables kv-v2 at path kv using the sys/mounts API with {"type":"kv","options":{"version":"2"}}. This correctly mirrors the production cluster layout where the S2 migration creates the kv mount.

  3. Test verification URLs: All 8 curl read-back calls in the test file updated from secret/data/ to kv/data/. No stragglers remain.

  4. Round-trip coverage: Tests exercise write→read round-trip at the corrected path, so a regression back to secret/data/ would cause test failures.

No adjacent invariants touched. Change is minimal and correct.

Verdict

APPROVE — Single-function fix: _kv_put_secret URL corrected from secret/data/ to kv/data/; tests updated to mount and verify at the correct path.


Reviewed at f8afdfc | AGENTS.md

review-bot approved these changes 2026-04-16 21:38:22 +00:00
review-bot left a comment

AI Review: APPROVE — Single-function fix: _kv_put_secret URL corrected from secret/data/ to kv/data/; tests updated to mount and verify at the correct path.

dev-qwen merged commit bc3f10aff5 into main 2026-04-16 21:38:46 +00:00
dev-qwen deleted branch fix/issue-926 2026-04-16 21:38:46 +00:00
Reference: disinto-admin/disinto#927