Closed mp911de closed 3 years ago
It seems context paths are supported now. But I do have one problem with this. Example: vault has 2 sets of credential secrets.
/kafa/secrets/application
/secrets/cassandra/application
Both of the sets are username/password. So the following doesn't work since one of the two sets of secrets would overwrite the other.
spring:
config:
import: vault://kafka/secrets/application, vault://secrets/cassandra/application
kafka.username: ${username}
kafka.password: ${password}
cassandra.username: ${username}
cassandra.password: ${password}
Would it be possible to do something like this?
spring:
config:
import: vault://kafka/secrets/application, vault://secrets/cassandra/application
kafka.username: ${kafka.secrets.application.username}
kafka.password: ${kafka.secrets.application.password}
cassandra.username: ${secrets.cassandra.application.username}
cassandra.password: ${secrets.cassandra.application.password}
For now, we don't have a possibility to associate a PropertyTransformer
when importing individual mounts. Your example above uses a prefix derived from the mount path. Another variant would be to use a static prefix (e.g. vault://secrets/cassandra/application?prefix=cassandra
resulting in cassandra.username: ${cassandra.username}
).
In the context of Vault, only the context path makes sense for inclusion. Additional URL-like elements such as fragment or the query string cannot be applied for mounting so these could be candidates to pass on additional details. For versioned backends, one could also specify vault://secrets/cassandra/application?version=42
.
I think adding support for ?prefixWithPath=true
and ?prefix=customPrefix
would be nice.
I'd be interested in making a pull request for adding support to this, could you give me some pointers to get started?
For start, let's go for prefix=…
. You can start with VaultConfigDataLocationResolver
as VaultConfigLocation
(encapsulating SecretBackendMetadata
and PropertyTransformer
) are built there.
We should accept
vault:
andvault://
config locations as default config location that use enabled secret backend discovery. Additionally, we should acceptvault:///<context-path
(e.g.vault:///secret/my/app/key
) to allow mounting individual context paths without pulling the entire set of all property-enabled secret backends.It does not make sense to accept a hostname since Vault is session-oriented and a custom hostname would conflict with session management.