petems / petems-hiera_vault

A hiera backend for access to secrets being stored in HashiCorp Vault
Apache License 2.0

Add comma based multi-pathing #69

Closed scoiatael closed 3 years ago

scoiatael commented 3 years ago

We've been using Vault at one of the teams in Opera pretty extensively over the past couple of years.

There's one big change here: allowing for comma-delimited paths, since we are whitelisting multiple paths for each machine:

  - name: "Hiera-vault lookup"
    lookup_key: "hiera_vault"
    options:
      mounts:
        kv2:
          - "secret/data/puppet/%{trusted.extensions.pp_role}"
          - "secret/data/puppet/common"

(see spec/functions/hiera_vault_path_interpolation_spec.rb)

This PR is a result of a recent rebase - let me know what you think.

I'll ensure this works for us in the meantime and remove draft status :)

petems commented 3 years ago

Looks good, happy to merge when it's ready!

Can you add a comma path to the docs as an example as well?

scoiatael commented 3 years ago

Verified this change on our production and it works nicely.

Sadly, it required a couple of extra changes to avoid changing our secret layout in Vault.

Documentation updated :)

scoiatael commented 3 years ago

@petems ready when you are :)

petems commented 3 years ago

Awesome, you even refactored the main logic whilst you were there, something I've been meaning to do for a while <3