From 370986e96ef5651f51bf2f56039a0974a39e34ba Mon Sep 17 00:00:00 2001
From: Scott Solkhon
Date: Thu, 5 Jan 2023 16:13:45 +0000
Subject: [PATCH] Add support for specifying Vault KV path

This commit adds support for a Vault path that is relative to the root of the Vault KV store. This configuration is optional and will be a noop for existing deployments.

Change-Id: If34c38c8f0a2f13ea90f564bfe5e933e5e748da4
---
 castellan/key_manager/vault_key_manager.py | 8 ++++++--
 castellan/options.py | 6 +++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/castellan/key_manager/vault_key_manager.py b/castellan/key_manager/vault_key_manager.py
index 0bc4ea5e..f22f519a 100644
--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@@ -54,6 +54,9 @@ _vault_opts = [
                default=_DEFAULT_MOUNTPOINT,
                help='Mountpoint of KV store in Vault to use, for example: '
                     '{}'.format(_DEFAULT_MOUNTPOINT)),
+    cfg.StrOpt('kv_path',
+               help='Path relative to root of KV store in Vault to use.'
+               ),
     cfg.IntOpt('kv_version',
                default=_DEFAULT_VERSION,
                help='Version of KV store in Vault to use, for example: '
@@ -101,6 +104,7 @@ class VaultKeyManager(key_manager.KeyManager):
         self._approle_token_ttl = None
         self._approle_token_issue = None
         self._kv_mountpoint = self._conf.vault.kv_mountpoint
+        self._kv_path = self._conf.vault.kv_path
         self._kv_version = self._conf.vault.kv_version
         self._vault_url = self._conf.vault.vault_url
         self._namespace = self._conf.vault.namespace
@@ -115,14 +119,14 @@ class VaultKeyManager(key_manager.KeyManager):
         return self._vault_url
     def _get_resource_url(self, key_id=None):
-        return '{}v1/{}/{}{}'.format(
+        return '{}v1/{}/{}{}{}'.format(
             self._get_url(),
             self._kv_mountpoint,
             '' if self._kv_version == 1 else
             'data/' if key_id else
             'metadata/',  # no key_id is for listing and 'data/' doesn't works
-
+            (self._kv_path + '/') if self._kv_path else '',
             key_id if key_id else '?list=true')
     @property
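Review bot: The new `kv_path` help string does not say whether a leading or trailing slash is expected, yet `_get_resource_url` appends the value verbatim, so `kv_path = /foo/` produces `data//foo//key`; the help text is the only place an operator will see that expectation. It also omits that setting or changing the option on an existing deployment moves every lookup to a different Vault path, so keys stored earlier stop resolving (the commit message's "noop" holds only while the option is unset). Suggested help text: `help='Path relative to the root of the KV store in Vault, without leading or trailing slashes, for example: foo/bar. Keys already stored under a different path will not be found after changing this.'`. The `_vault_opts` list continues outside the hunk.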
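Review bot: The assignment `self._kv_path = self._conf.vault.kv_path` stores the raw option, so a value with leading or trailing slashes reaches `_get_resource_url` and yields double slashes in the request path (`data//foo//key` for `/foo/`), and a slash-only value still passes the truthiness test there. Normalising once here keeps the URL builder unchanged: `self._kv_path = (self._conf.vault.kv_path or '').strip('/')`. With that, an empty or slash-only value falls back to the previous behaviour because `_get_resource_url` only tests the attribute for truthiness. `__init__` starts and ends outside the hunk.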
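Review bot: `_get_resource_url` now splices `self._kv_path` into the request path without escaping or validation, and the commit adds no unit test for the new branch. The value comes from operator configuration rather than from a request, so this is a misconfiguration guard rather than an injection fix, but a value containing `?` or `#` would silently truncate the Vault path, and `..` segments or a leading `/` may address a different location than the help text implies; I would reject such values at startup rather than try to escape them here. A test should pin the shapes the method produces: for KV v2 `…/v1/<mount>/data/<kv_path>/<key>` with a key and `…/v1/<mount>/metadata/<kv_path>/?list=true` without one, for v1 `…/v1/<mount>/<kv_path>/<key>`, plus the unchanged output when `kv_path` is unset.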
diff --git a/castellan/options.py b/castellan/options.py
index 012bfd20..a1097e00 100644
--- a/castellan/options.py
+++ b/castellan/options.py
@@ -39,7 +39,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
                  verify_ssl_path=None, api_class=None, vault_root_token_id=None, vault_approle_role_id=None, vault_approle_secret_id=None,
-                 vault_kv_mountpoint=None, vault_url=None,
+                 vault_kv_mountpoint=None, vault_kv_path=None, vault_url=None,
                  vault_ssl_ca_crt_file=None, vault_use_ssl=None, vault_namespace=None, barbican_endpoint_type=None,
@@ -61,6 +61,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
     :param vault_approle_secret_id: Use this for the approle secret_id for vault.
     :param vault_kv_mountpoint: Mountpoint of KV store in vault to use.
+    :param vault_kv_path: Path relative to root of KV store in Vault to use.
     :param vault_url: Use this for the url for vault.
     :param vault_use_ssl: Use this to force vault driver to use ssl.
     :param vault_ssl_ca_crt_file: Use this for the CA file for vault.
@@ -124,6 +125,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
     if vault_kv_mountpoint is not None:
         conf.set_default('kv_mountpoint', vault_kv_mountpoint,
                          group=vkm._VAULT_OPT_GROUP)
+    if vault_kv_path is not None:
+        conf.set_default('kv_path', vault_kv_path,
+                         group=vkm._VAULT_OPT_GROUP)
     if vault_url is not None:
         conf.set_default('vault_url', vault_url,
                          group=vkm._VAULT_OPT_GROUP)
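Review bot: In the signature hunk `vault_kv_path=None` is inserted between `vault_kv_mountpoint` and `vault_url`, which shifts the position of every later parameter; a caller that passes these positionally (legal, since all have defaults) would now hand its `vault_url` to `kv_path` and its `vault_ssl_ca_crt_file` to `vault_url` without any error, and the key manager would then build requests against the wrong path. I cannot see callers from here, so this may be purely theoretical, but a parameter added to a long all-defaulted signature is safer appended at the end, or the options after `conf` made keyword-only with `*` if the project's Python floor allows it. The body of `set_defaults` lies mostly outside the hunks.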