Refine vault: config location

spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault

http://cloud.spring.io/spring-cloud-vault/

Apache License 2.0

273 stars 152 forks source link

Refine vault: config location #488

Closed mp911de closed 3 years ago

mp911de commented 3 years ago

We should accept vault: and vault:// config locations as default config location that use enabled secret backend discovery. Additionally, we should accept vault:///<context-path (e.g. vault:///secret/my/app/key) to allow mounting individual context paths without pulling the entire set of all property-enabled secret backends.

It does not make sense to accept a hostname since Vault is session-oriented and a custom hostname would conflict with session management.

acemoo commented 3 years ago

It seems context paths are supported now. But I do have one problem with this. Example: vault has 2 sets of credential secrets.

/kafa/secrets/application
/secrets/cassandra/application

Both of the sets are username/password. So the following doesn't work since one of the two sets of secrets would overwrite the other.

spring:
  config:
    import: vault://kafka/secrets/application, vault://secrets/cassandra/application
kafka.username: ${username}
kafka.password: ${password}
cassandra.username: ${username}
cassandra.password: ${password}

Would it be possible to do something like this?

spring:
  config:
    import: vault://kafka/secrets/application, vault://secrets/cassandra/application
kafka.username: ${kafka.secrets.application.username}
kafka.password: ${kafka.secrets.application.password}
cassandra.username: ${secrets.cassandra.application.username}
cassandra.password: ${secrets.cassandra.application.password}

mp911de commented 3 years ago

For now, we don't have a possibility to associate a PropertyTransformer when importing individual mounts. Your example above uses a prefix derived from the mount path. Another variant would be to use a static prefix (e.g. vault://secrets/cassandra/application?prefix=cassandra resulting in cassandra.username: ${cassandra.username}).

In the context of Vault, only the context path makes sense for inclusion. Additional URL-like elements such as fragment or the query string cannot be applied for mounting so these could be candidates to pass on additional details. For versioned backends, one could also specify vault://secrets/cassandra/application?version=42.

acemoo commented 3 years ago

I think adding support for ?prefixWithPath=true and ?prefix=customPrefix would be nice. I'd be interested in making a pull request for adding support to this, could you give me some pointers to get started?

mp911de commented 3 years ago

For start, let's go for prefix=…. You can start with VaultConfigDataLocationResolver as VaultConfigLocation (encapsulating SecretBackendMetadata and PropertyTransformer) are built there.