Introduce Vault KVv2 secret storage support #68
jeschkies left a comment
This is a really nice solution. I just think we need to overhaul the credentials providers.
pkg/env.go (outdated)

    type secretFetcher interface {
        FetchFromAWSSecretsManager(ctx context.Context, secretArn string) (string, error)
        FetchFromAWSSSMParameterStore(ctx context.Context, parameterArn string) (string, error)
        FetchFromVault(ctx context.Context, key string) (string, error)
        HasVaultConfig() bool
        SetVaultConfig(config *VaultKVCredentials)
    }
I wonder if we should change it so that the fetcher is injected in main depending on the config. This way we don't need HasVaultConfig. We could also mimic the credentials chain like in AWS. We define a Provider interface and then implement each plus a ChainProvider.
I've had a go at building what you suggest in 034da68 - let me know if it aligns with what you were thinking!
pkg/secrets.go (outdated)

            return "", fmt.Errorf("no auth info was returned after login")
        }

        data, err := client.KVv2(c.vaultConfig.mount).Get(ctx, c.vaultConfig.path)
I would have thought that Vault would call an API. Is this actually mounting a volume? Also, this only works if Vault is also hosted on AWS right?
I think this is a terminology issue - Vault refers to the top-level list of Vaults as "mounts" (see this documentation). No volume mounting involved :) And yes, the AWS auth method only works if Vault is hosted on AWS.
Breaks the secretFilter interface into multiple providers, allowing a chained application of them, where applicable. Update unit tests to reflect the new behavior.
Adds support for fetching secrets (USERNAME, PASSWORD, and BEARER_TOKEN) from a configured Vault KVv2 mount path. It uses the IAM authentication approaches described in the Vault AWS auth documentation, and the implementation is partly built around the provided code example. It extends the secret client to store both the Vault configuration (role, mount, and path) and a cache of the fetched secret data, in order to minimise time fetching environment variables and requests to Vault.
If this implementation seems reasonable, I'd be happy to update the documentation to reflect its intended usage.
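As an added illustration that is not part of the PR (names such as Provider, ChainProvider and KVv2Provider are assumptions), this sketches the provider-chain shape jeschkies proposed together with the cached KVv2 lookup the description mentions. The Read callback stands in for the Vault client's KVv2(mount).Get so the code runs offline with only the standard library; the comments note where the real call would go.

```go
package main

import "context"
import "errors"
import "fmt"

// Provider resolves one named secret (USERNAME, PASSWORD, BEARER_TOKEN, ...); ErrNotFound
// means "no such key here", which is what lets a ChainProvider try the next provider.
var ErrNotFound = errors.New("secret not found")
type Provider interface {
	Fetch(ctx context.Context, name string) (string, error)
}
// ChainProvider mirrors the AWS credential chain: first provider with the key wins; a hard failure (auth, network) stops the chain.
type ChainProvider []Provider
func (c ChainProvider) Fetch(ctx context.Context, name string) (string, error) {
	for _, p := range c {
		v, err := p.Fetch(ctx, name)
		if err == nil {
			return v, nil
		}
		if !errors.Is(err, ErrNotFound) {
			return "", err
		}
	}
	return "", fmt.Errorf("%w: %s", ErrNotFound, name)
}
// KVv2Provider reads the whole secret once and serves every key from that cached copy.
type KVv2Provider struct {
	Mount, Path string
	// Read stands in for client.KVv2(mount).Get(ctx, path) and returns the secret's Data map.
	Read  func(ctx context.Context, mount, path string) (map[string]interface{}, error)
	cache map[string]interface{}
}
func (k *KVv2Provider) Fetch(ctx context.Context, name string) (string, error) {
	if k.cache == nil {
		data, err := k.Read(ctx, k.Mount, k.Path)
		if err != nil {
			return "", fmt.Errorf("vault read %s/%s: %w", k.Mount, k.Path, err)
		}
		k.cache = data
	}
	switch v := k.cache[name].(type) { // KV values are interface{}: never coerce non-strings
	case string:
		return v, nil
	case nil:
		return "", ErrNotFound
	default:
		return "", fmt.Errorf("vault key %q is %T, want string", name, v)
	}
}
```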