JetBrains / teamcity-hashicorp-vault-plugin

TeamCity plugin to support HashiCorp Vault
Apache License 2.0

Plugin doesn't work with Vault KV v2 secret backend #11

Closed alexandersusha closed 6 years ago

alexandersusha commented 6 years ago

Tried to change the path to the following formats:

%vault:/secret/data/test!/password%
%vault:/vault/secret/data/test!/password%
%vault:vault/secret/data/test!/password%
%vault:/secret/test!/password%
%vault:secret/data/test!/password%
%vault:secret/data/test!password%

VladRassokhin commented 6 years ago

Seems Vault 0.10 broke backward compatibility for API calls :(

alexandersusha commented 6 years ago

Do you have a plan to make it compatible with Vault 0.10 API?

VladRassokhin commented 6 years ago

@alexandersusha I'm working on that. Seems even a library update wouldn't help. There should be some logic which would check the Vault version and the kv version and fetch the proper data, so no change to the secrets path would be required.

Current plan is to transparently modify path from /secret/something/ to /secret/data/something

For now you could change KV version to v1

alexandersusha commented 6 years ago

@VladRassokhin It would be nice to get an update regarding KV v2. When are you planning to release a new version of the plugin which will support both KV v1 and v2?

alexandersusha commented 6 years ago

@VladRassokhin Do you have any updates here?

VladRassokhin commented 6 years ago

No updates yet, have no time to work on that at the moment. Will try to implement till August

SM616 commented 6 years ago

Also curious to know if there's any update to this issue. Currently it blocks ability to use versioned secrets in Vault together with this plugin.

VladRassokhin commented 6 years ago

I've added support for KV v2 responses, though you would need to change parameter references to add data/ there, e.g. secret/test becomes secret/data/test. Unfortunately it's unclear how to do that automatically, since the secret backend could be mounted anywhere.

alexandersusha commented 6 years ago

Thank you @VladRassokhin for your time. However, I guess that it is possible to get a secret backend name from a secret path - the first word (e.g. secret/test -> secret/) - and then use such a request: "curl --header "X-Vault-Token: " /v1/sys/mounts" to check the version of the secret backend. The following Vault ACL rule is required for this: path "sys/mounts" { policy = "read" } I'd like to draw your attention to the fact that secret backend v1 can have two possible types:

It makes the migration process (KV -> KVv2) much easier if the plugin is able to identify the KV version on the fly.
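One way to do the lookup alexandersusha describes above, as an added example in Python that is not the plugin's own code: match the reference's path against the mount table returned by /v1/sys/mounts (sample response constructed here in the shape Vault documents), read options.version to tell KV v1 from v2, and rewrite the path and the JSON location of the secret accordingly. It assumes the plugin's `!` separator splits the Vault path from the key path inside the response.

```python
import json

# Constructed sample of a /v1/sys/mounts response, trimmed to the keys used here.
# Real responses carry more fields per mount; options is null for non-kv engines.
SAMPLE_MOUNTS = json.loads("""
{
  "secret/":  {"type": "kv",      "options": {"version": "2"}},
  "legacy/":  {"type": "kv",      "options": {"version": "1"}},
  "generic/": {"type": "generic", "options": null},
  "team/kv/": {"type": "kv",      "options": {"version": "2"}}
}
""")


def find_mount(path, mounts):
    """Return (mount_prefix, mount_info) for the longest mount prefixing path.

    Longest match matters: a mount at team/kv/ must win over a hypothetical
    mount at team/ when resolving team/kv/app.
    """
    norm = path.lstrip("/")
    best = ""
    for prefix in mounts:
        if norm.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    if not best:
        raise KeyError("no mount found for %r" % path)
    return best, mounts[best]


def kv_version(info):
    """KV v2 is signalled by type == kv and options.version == "2"; else treat as v1."""
    opts = info.get("options") or {}
    return 2 if info.get("type") == "kv" and opts.get("version") == "2" else 1


def resolve_reference(ref, mounts):
    """Turn 'secret/test!/password' into (API path, key path into the JSON response).

    v1 secrets live under response["data"], v2 secrets under response["data"]["data"]
    and are read via <mount>data/<secret>. A reference already written in the
    v2 form (secret/data/test) is accepted unchanged on a v2 mount.
    """
    path, _, key_path = ref.partition("!")
    mount, info = find_mount(path, mounts)
    rest = path.lstrip("/")[len(mount):]
    keys = [k for k in key_path.split("/") if k]
    if kv_version(info) == 2:
        if rest.startswith("data/"):
            rest = rest[len("data/"):]
        return mount + "data/" + rest, ["data", "data"] + keys
    return mount + rest, ["data"] + keys
```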