JetBrains / teamcity-hashicorp-vault-plugin

TeamCity plugin to support HashiCorp Vault
Apache License 2.0

Implement support for multiple vault connections on one project #12

Closed Hakon closed 6 years ago

Hakon commented 6 years ago

This implements support for multiple namespaced vault connections. This should solve issue #10 as well. This is a breaking change in the sense that the env parameter for the vault token has changed. I can implement backwards compatibility in the cases where only one connection is specified.

What do you think?

VladRassokhin commented 6 years ago

Thank you for the contribution, I'll try it out tomorrow and will probably comment on something else.

Hakon commented 6 years ago

I have had some thoughts about the naming of "prefix", is "namespace" a better name?

Hakon commented 6 years ago

As it stands now, the plugin postfixes the configuration parameters with the vault prefix (counterintuitive, I know) like this:

teamcity.vault.wrapped.token.test-vault

Is it better to have the prefix actually prefix the rest of the parameter name?

teamcity.test-vault.wrapped.token

In the case where you only have 1 connection called vault the parameter name is the same as before.

VladRassokhin commented 6 years ago

Maybe something like teamcity.vault.test.wrapped.token for custom and for default teamcity.vault.default.wrapped.token or even just teamcity.vault.wrapped.token?

VladRassokhin commented 6 years ago

@Hakon Could you please sign the CLA if you haven't yet? https://www.jetbrains.com/agreements/cla/

Hakon commented 6 years ago

CLA has been signed. I could not get the project to load in IntelliJ, there were some modules missing.


index 889720b..bd78d19 100644
--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@@ -2,16 +2,12 @@
 <project version="4">
   <component name="ProjectModuleManager">
     <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/modules/agent/agent.iml" filepath="$PROJECT_DIR$/.idea/modules/agent/agent.iml" group="agent" />
       <module fileurl="file://$PROJECT_DIR$/.idea/modules/agent/agent_main.iml" filepath="$PROJECT_DIR$/.idea/modules/agent/agent_main.iml" group="agent" />
       <module fileurl="file://$PROJECT_DIR$/.idea/modules/agent/agent_test.iml" filepath="$PROJECT_DIR$/.idea/modules/agent/agent_test.iml" group="agent" />
-      <module fileurl="file://$PROJECT_DIR$/.idea/modules/common/common.iml" filepath="$PROJECT_DIR$/.idea/modules/common/common.iml" group="common" />
       <module fileurl="file://$PROJECT_DIR$/.idea/modules/common/common_main.iml" filepath="$PROJECT_DIR$/.idea/modules/common/common_main.iml" group="common" />
       <module fileurl="file://$PROJECT_DIR$/.idea/modules/common/common_test.iml" filepath="$PROJECT_DIR$/.idea/modules/common/common_test.iml" group="common" />
-      <module fileurl="file://$PROJECT_DIR$/.idea/modules/server/server.iml" filepath="$PROJECT_DIR$/.idea/modules/server/server.iml" group="server" />
       <module fileurl="file://$PROJECT_DIR$/.idea/modules/server/server_main.iml" filepath="$PROJECT_DIR$/.idea/modules/server/server_main.iml" group="server" />
       <module fileurl="file://$PROJECT_DIR$/.idea/modules/server/server_test.iml" filepath="$PROJECT_DIR$/.idea/modules/server/server_test.iml" group="server" />
-      <module fileurl="file://$PROJECT_DIR$/.idea/modules/teamcity-hashicorp-vault-plugin.iml" filepath="$PROJECT_DIR$/.idea/modules/teamcity-hashicorp-vault-plugin.iml" />
     </modules>
   </component>
 </project>
\ No newline at end of file
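
Review bot: the four removed module entries (agent.iml, common.iml, server.iml and the root teamcity-hashicorp-vault-plugin.iml) are tracked IDE metadata in .idea/modules.xml and have nothing to do with multiple Vault connections, so this edit is better kept as a local workaround or a separate commit than included in this PR. If it is committed, confirm that the remaining agent_main/agent_test, common_main/common_test and server_main/server_test entries still load without their parent modules, since they keep the same group attributes. The file also ends without a trailing newline.
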
Hakon commented 6 years ago

Something like teamcity.vault.default.wrapped.token would break existing installs, is this problematic?

VladRassokhin commented 6 years ago

Just ignore unloaded modules or try reimporting project from build.gradle

> Something like teamcity.vault.default.wrapped.token would break existing installs, is this problematic?

That's why I'd prefer teamcity.vault.wrapped.token. AFAIU that's doable

Hakon commented 6 years ago

I agree with teamcity.vault..wrapped.token or teamcity.vault.wrapped.token if default.

I also plan to make the following changes: VAULT_TOKEN.test-vault will be renamed to _VAULT_TOKEN, and VAULT_TOKEN if default. Same goes for VAULT_ADDR.

I realized that VAULT_TOKEN.test-vault is not a valid environment variable in, for example, bash.
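
The environment-variable naming problem raised in the comment above, as an added shell example that is not part of the PR or the plugin's code. It assumes a hypothetical scheme (namespace upper-cased, other characters turned into `_`, then prefixed to the base name) and made-up function names; it checks that the derived name is a valid shell identifier and flags namespaces that collapse to the same name, which would let one connection's token overwrite another's.

```shell
#!/bin/sh
# Added example, not the plugin's code. Assumed scheme: <NAMESPACE>_<BASE>,
# namespace upper-cased, every character outside [A-Z0-9_] replaced by "_".

# Succeeds if $1 is a portable shell variable name ([A-Za-z_][A-Za-z0-9_]*).
is_valid_env_name() {
    case "$1" in
        '' | [0-9]*) return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Prints the variable name for connection namespace $1 and base name $2.
# The connection named "vault" (the default in the thread) keeps the bare name.
env_name_for() {
    ns=$1
    base=$2
    if [ -z "$ns" ] || [ "$ns" = "vault" ]; then
        printf '%s\n' "$base"
        return 0
    fi
    norm=$(printf '%s' "$ns" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9_' '_')
    is_valid_env_name "${norm}_${base}" || return 1   # e.g. leading digit
    printf '%s\n' "${norm}_${base}"
}

# Prints each derived name that two or more of the given namespaces map to.
find_collisions() {
    for n in "$@"; do
        env_name_for "$n" VAULT_TOKEN || printf 'INVALID:%s\n' "$n"
    done | sort | uniq -d
}

# Constructed sample namespaces.
is_valid_env_name 'VAULT_TOKEN.test-vault' || echo "rejected: VAULT_TOKEN.test-vault"
env_name_for test-vault VAULT_TOKEN
echo "collisions: $(find_collisions test-vault test_vault prod)"
```
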

Hakon commented 6 years ago

I changed it so that the vault connections are now enabled independently, so if a build configuration needs one connection, none of the others need to fetch a token. With this I also added the teamcity.vault.set.env.<prefix> configuration variable to allow for environment variables from a subset of the connections.

VladRassokhin commented 6 years ago

Hi @Hakon. Thank you for the contribution, I've finally had time to review and test it. I've changed the name to 'namespace' and changed how references should be constructed, so now there's always a vault: prefix.