PierreBeucher / novops

Cross-platform secret & config manager for development and CI environments
https://novops.dev
GNU Lesser General Public License v3.0
299 stars, 13 forks

Vault namespace isn't regarded #124

Open depatl opened 2 weeks ago

depatl commented 2 weeks ago

I am trying to fetch a secret from Vault Enterprise and have to specify a namespace. I did not see any option to do it in the config.hashivault section, so I tried exporting the `VAULT_NAMESPACE` variable, but it looks like it is not regarded either...

```
[2024-08-30T18:45:08Z INFO  novops] Using /tmp as XDG did not seem available: $XDG_RUNTIME_DIR must be set
[2024-08-30T18:45:08Z INFO  novops] Using workdir: "/tmp/novops/501/vault/rtp-4"
[2024-08-30T18:45:08Z INFO  vaultrs::client] Using vault address from $VAULT_ADDR: https://keeper.cisco.com
[2024-08-30T18:45:08Z INFO  vaultrs::client] Using vault token from $VAULT_TOKEN
[2024-08-30T18:45:08Z INFO  vaultrs::client] Checking TLS verification using $VAULT_SKIP_VERIFY
[2024-08-30T18:45:08Z INFO  vaultrs::client] Using vault token from $VAULT_TOKEN
[2024-08-30T18:45:08Z INFO  tracing::span] new;
[2024-08-30T18:45:08Z INFO  vaultrs::kv2] read; mount="secret" path="my-app/secret"
[2024-08-30T18:45:08Z INFO  vaultrs::api] Executing secret/data/my-app/secret and expecting a response
[2024-08-30T18:45:08Z INFO  tracing::span] exec;
[2024-08-30T18:45:08Z INFO  rustify::endpoint] request; base="https://vault.***.com/"
[2024-08-30T18:45:08Z INFO  tracing::span] build_query;
[2024-08-30T18:45:08Z INFO  rustify::http] build_request; base="https://vault.***.com/" path="secret/data/intersight-ci-jenkins/generic-cec-iharness-user-credentials" method=GET
[2024-08-30T18:45:08Z INFO  rustify::http] build_url; base="https://vault.***.com/" path="secret/data/intersight-ci-jenkins/generic-cec-iharness-user-credentials"
[2024-08-30T18:45:08Z INFO  tracing::span] execute;
[2024-08-30T18:45:08Z INFO  tracing::span] send;
[2024-08-30T18:45:08Z ERROR rustify::client] error=Server returned error
[2024-08-30T18:45:08Z ERROR rustify::endpoint] error=Server returned error
[2024-08-30T18:45:08Z ERROR vaultrs::api] Detected errors in API response: [
        "1 error occurred:\n\t* permission denied\n\n",
    ]
[2024-08-30T18:45:08Z ERROR vaultrs::kv2] error=The Vault server returned an error (status code 403)
Error: An error occured. Set environment variable RUST_LOG=[trace|debug|info|warn] or RUST_BACKTRACE=1 for more verbosity.

Caused by:
    0: Failed to load environment.
    1: Couldn't resolve variable input VariableInput { name: "IHARNESS_USER", value: HashiVaultKeyValueV2Input(HashiVaultKeyValueV2Input { hvault_kv2: HashiVaultKeyValueV2 { mount: None, path: "my-app/secret", key: "username" } }) }
    2: Error reading 'secret' mount at path 'my-app/secret'
    3: The Vault server returned an error (status code 403)
```

PierreBeucher commented 2 weeks ago

Indeed, Vault Enterprise namespacing is not yet implemented, sorry, but it should be easy enough to add as it seems to be supported by vaultrs (the crate used by Novops).

I think support could be:

- Via config:

```yaml
config:
  hashivault:
    address: http://localhost:8200
    namespace: ns_name # optional for Vault Enterprise users
```

- Via environment variable `VAULT_NAMESPACE`
- _Maybe_ also provide a per-environment or per-secret config, though I fear it would be overkill

It should be a small change to implement; I'll try to move forward by the end of September.

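As an added illustration of what the proposal above amounts to on the wire (this is example code written for this thread, not Novops or vaultrs code, and it uses only the Rust standard library): Vault Enterprise carries the namespace either in the `X-Vault-Namespace` header or as the first path segment under `/v1`, and a token minted inside a namespace is not valid in the root namespace, which is consistent with the 403 "permission denied" in the trace above when no namespace is sent. The precedence rule (config value over `$VAULT_NAMESPACE`), the address `https://vault.example.com` and the token value are assumptions for the example.

```rust
// Added example (not novops or vaultrs code): how a Vault Enterprise namespace
// rides on a KV v2 read, and how a config value and $VAULT_NAMESPACE reconcile.
use std::collections::BTreeMap;
use std::env;

/// Normalise one candidate namespace: trim whitespace and slashes, drop empties.
fn clean(ns: Option<&str>) -> Option<String> {
    ns.map(|s| s.trim().trim_matches('/').to_string())
        .filter(|s| !s.is_empty())
}

/// Resolve the namespace to use. Precedence is an assumption for this example
/// (explicit config wins over $VAULT_NAMESPACE); `None` means the root namespace.
pub fn resolve_namespace(config_ns: Option<&str>, env_ns: Option<&str>) -> Option<String> {
    clean(config_ns).or_else(|| clean(env_ns))
}

#[derive(Debug, PartialEq)]
pub struct VaultRequest {
    pub method: &'static str,
    pub url: String,
    pub headers: BTreeMap<String, String>,
}

/// Build a KV v2 read of `path` under `mount`, sending the namespace in the
/// `X-Vault-Namespace` header (the form Vault Enterprise documents).
pub fn kv2_read_request(
    address: &str,
    token: &str,
    namespace: Option<&str>,
    mount: &str,
    path: &str,
) -> VaultRequest {
    let base = address.trim_end_matches('/');
    let url = format!("{base}/v1/{}/data/{}", mount.trim_matches('/'), path.trim_matches('/'));
    let mut headers = BTreeMap::new();
    headers.insert("X-Vault-Token".to_string(), token.to_string());
    if let Some(ns) = namespace {
        headers.insert("X-Vault-Namespace".to_string(), ns.to_string());
    }
    VaultRequest { method: "GET", url, headers }
}

/// Equivalent path-prefixed form: Vault also accepts the namespace as the first
/// path segment under /v1, which is convenient for a one-off curl check.
pub fn kv2_read_url_prefixed(address: &str, namespace: &str, mount: &str, path: &str) -> String {
    let base = address.trim_end_matches('/');
    format!(
        "{base}/v1/{}/{}/data/{}",
        namespace.trim_matches('/'),
        mount.trim_matches('/'),
        path.trim_matches('/')
    )
}

/// Log-safe rendering of a request: the token header is deliberately omitted so
/// a trace like the one in this issue never leaks it.
pub fn describe(req: &VaultRequest) -> String {
    let ns = req
        .headers
        .get("X-Vault-Namespace")
        .map(String::as_str)
        .unwrap_or("<root>");
    format!("{} {} namespace={}", req.method, req.url, ns)
}

fn main() {
    // Constructed inputs mirroring the thread: config namespace unset,
    // $VAULT_NAMESPACE read from the environment if present.
    let env_ns = env::var("VAULT_NAMESPACE").ok();
    let ns = resolve_namespace(None, env_ns.as_deref());
    let req = kv2_read_request(
        "https://vault.example.com",
        "hvs.example-token", // assumed placeholder, never a real token
        ns.as_deref(),
        "secret",
        "my-app/secret",
    );
    println!("{}", describe(&req));
}
```

Before a fix lands, the same check can be done by hand: a read that returns 403 without the header and 200 with `X-Vault-Namespace: ns_name` added (or with `ns_name/` prefixed to the path) confirms the failure is the missing namespace rather than the token's policy.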
depatl commented 1 week ago

I tried via .novops.yaml and a global variable; it doesn't work.