duritong / trocla

A password store for password creation and retrieval

add vault store #61

Closed fe80 closed 3 years ago

fe80 commented 3 years ago

Hi,

This is a proposal; we are actually working on using Vault as backend storage.

We will eventually need help reviewing the code and adding specs.

Regards,

duritong commented 3 years ago

This is awesome and actually I thought about doing it for a long time, but never got to the point where vault was required.

Anyway, I would love some more description of how trocla keys end up in vault.

Also might it be desirable to have a (configurable) global prefix for keys in vault, so they go under their own path?

Also we should probably explain that kv is a mount in vault, which was not obvious to me at the beginning.

I wonder whether we need tests?

IAmAStealer commented 3 years ago

I think the main point of upgrading to vault for us might be to include ACLs to prepare for the future and improve global security. We do not have a main requirement now, but it is a good thing to prepare for. Trocla keys, as I understand, are just a key/value pair. The secret engines kv and kv-v2 work the same, so it is pretty easy to work with. The global prefix can just be the mount point for a start. But we are thinking about how to adapt trocla to allow more options, like adding a path for the key, in order to place them where they belong for ACLs later on. Tests are surely required.

dje4om commented 3 years ago

@fe80, does the ruby vault lib do abstraction between kv v1 and kv v2 engines?

dje4om commented 3 years ago

Also might it be desirable to have a (configurable) global prefix for keys in vault, so they go under their own path?

A subpath parameter could be an option to be able to use an existing kv mount, but a dedicated kv mount seems fine by default, so the prefix could be the mount: mount_name/secret, or with a subpath, mount_name/subpath/secret.

fe80 commented 3 years ago

Hi @duritong

I've completed the readme with more information about vault. Is it better?

I changed the kv options with mount too.

As @IAmAStealer says, vault can offer a lot of features we require (history, ACL, native REST API...).

The idea of a default path can be a good one; we are thinking about this feature too, and why not another feature with a subpath option in addition to the key name. I propose to open an issue about this feature and add it in a different merge request?

For us it's just a PoC for the moment; we need to think about the data migration and we will probably run a double trocla for puppet (using vault just to put data and test performance).

The kv v1 works but adds a data path, for example with trocla create 'my/path/key' plain
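To make the mount/subpath layout discussed above and the kv v1 versus kv v2 difference concrete, here is an added example in plain Ruby; it is not code from this pull request or from trocla, and the option names mount, subpath and kv_version are assumed for illustration only.

```ruby
# Added example, not trocla's or the PR's code. Maps a trocla key such as
# 'my/path/key' onto a Vault KV path and normalises the two KV response shapes.
# 'mount', 'subpath' and 'kv_version' are assumed option names (hypothetical).

# Build the logical path for a trocla key. KV v2 inserts a "data/" segment
# between the mount and the secret path; KV v1 does not. Keeping every trocla
# secret under one mount (optionally one subpath) is what lets a Vault ACL
# policy be scoped to exactly that prefix.
def vault_secret_path(key, mount: 'trocla', subpath: nil, kv_version: 2)
  raise ArgumentError, 'key must not be empty' if key.to_s.strip.empty?

  segments = [mount]
  segments << 'data' if kv_version == 2
  segments << subpath if subpath && !subpath.empty?
  segments << key
  # Collapse repeated slashes and strip the ends so 'my//key' and '/my/key/'
  # resolve to the same secret rather than two different ones.
  segments.join('/').gsub(%r{/+}, '/').sub(%r{\A/}, '').sub(%r{/\z}, '')
end

# Reduce a raw Vault read response to the flat key/value hash trocla stores.
# KV v1 answers {"data" => {...}}; KV v2 wraps it once more:
# {"data" => {"data" => {...}, "metadata" => {...}}}.
def secret_values(response, kv_version: 2)
  body = response['data']
  return nil if body.nil?

  kv_version == 2 ? body['data'] : body
end

# Constructed sample responses shaped like the Vault HTTP API output.
KV1_RESPONSE = { 'data' => { 'plain' => 's3cret' } }
KV2_RESPONSE = { 'data' => { 'data' => { 'plain' => 's3cret' },
                             'metadata' => { 'version' => 3 } } }

if __FILE__ == $PROGRAM_NAME
  puts vault_secret_path('my/path/key', kv_version: 1)   # trocla/my/path/key
  puts vault_secret_path('my/path/key', subpath: 'puppet')
  p secret_values(KV2_RESPONSE)
end
```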

duritong commented 3 years ago

Ui, I absolutely forgot about this here.

@fe80 do you see anything left?

fe80 commented 3 years ago

Sorry, I didn't see your reply.

We are testing the migration actually and it works correctly for this time.

duritong commented 3 years ago

Thank you for confirming, I'll merge and guess I will release a 0.4.0 soon.