Merge "Add support for specifying Vault KV path"

castellan/key_manager/vault_key_manager.py

@@ -54,6 +54,9 @@ _vault_opts = [
                default=_DEFAULT_MOUNTPOINT,
                help='Mountpoint of KV store in Vault to use, for example: '
                     '{}'.format(_DEFAULT_MOUNTPOINT)),
+    cfg.StrOpt('kv_path',
+               help='Path relative to root of KV store in Vault to use.'
+               ),
     cfg.IntOpt('kv_version',
                default=_DEFAULT_VERSION,
                help='Version of KV store in Vault to use, for example: '
@@ -101,6 +104,7 @@ class VaultKeyManager(key_manager.KeyManager):
         self._approle_token_ttl = None
         self._approle_token_issue = None
         self._kv_mountpoint = self._conf.vault.kv_mountpoint
+        self._kv_path = self._conf.vault.kv_path
         self._kv_version = self._conf.vault.kv_version
         self._vault_url = self._conf.vault.vault_url
         self._namespace = self._conf.vault.namespace
@@ -115,14 +119,14 @@ class VaultKeyManager(key_manager.KeyManager):
         return self._vault_url
 
     def _get_resource_url(self, key_id=None):
-        return '{}v1/{}/{}{}'.format(
+        return '{}v1/{}/{}{}{}'.format(
             self._get_url(),
             self._kv_mountpoint,
 
             '' if self._kv_version == 1 else
             'data/' if key_id else
             'metadata/',  # no key_id is for listing and 'data/' doesn't works
-
+            (self._kv_path + '/') if self._kv_path else '',
             key_id if key_id else '?list=true')
 
     @property

castellan/options.py

@@ -39,7 +39,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
                  verify_ssl_path=None,
                  api_class=None, vault_root_token_id=None,
                  vault_approle_role_id=None, vault_approle_secret_id=None,
-                 vault_kv_mountpoint=None, vault_url=None,
+                 vault_kv_mountpoint=None, vault_kv_path=None, vault_url=None,
                  vault_ssl_ca_crt_file=None, vault_use_ssl=None,
                  vault_namespace=None,
                  barbican_endpoint_type=None,
@@ -61,6 +61,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
     :param vault_approle_secret_id: Use this for the approle secret_id
                                     for vault.
     :param vault_kv_mountpoint: Mountpoint of KV store in vault to use.
+    :param vault_kv_path: Path relative to root of KV store in Vault to use.
     :param vault_url: Use this for the url for vault.
     :param vault_use_ssl: Use this to force vault driver to use ssl.
     :param vault_ssl_ca_crt_file: Use this for the CA file for vault.
@@ -124,6 +125,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
         if vault_kv_mountpoint is not None:
             conf.set_default('kv_mountpoint', vault_kv_mountpoint,
                              group=vkm._VAULT_OPT_GROUP)
+        if vault_kv_path is not None:
+            conf.set_default('kv_path', vault_kv_path,
+                             group=vkm._VAULT_OPT_GROUP)
         if vault_url is not None:
             conf.set_default('vault_url', vault_url,
                              group=vkm._VAULT_OPT_GROUP)