mp911de
commented
1 year ago The v1 prefix is part of Vault server's API specification and is always required when working with a Vault server directly. Any proxying customizations require a bit of work, ideally through customizing PrefixAwareUriBuilderFactory.
I also recognize that is is easier to provide a VaultEndpoint object instead of subclassing and configuring PrefixAwareUriBuilderFactory. Would you like to come up with a pull request so we can discuss the actual changes that are necessary to make your change work?
CharlieReitzel
So, the default
VaultEndpoint.pathprefix,/v1, works fine for our Vault login. However, our secret path (actually, we have a few different ones) starts with something else. Let's say we have created a KV backend mounted at/kv-foo.VaultEndpointinsists on injecting/v1at the top of everything/anything I give it. Again, we want/v1for our login.The problem is that
VaultEndpointis too opinionated about Vault paths. It seems to me that it should keep silent on the paths and let the various operations own the path in its entirety. I tried to do this by settingendpoint.setPath("")andendpoint.setPath("/"). But no joy. These values are explicitly excluded.Any suggestions on how to work with custom KV paths?
Part of the problem is in
VaultClients.PrefixAwareUriBuilderFactory.uriString(String uriTemplate). Instead of delegating toVaultEndpoint.createUriString(String path), it re-implements the identical (flawed) logic inVaultClients.toBaseUri(VaultEndpoint). This prevents me from fixing it in a class derived fromVaultEndpoint. It's easy to create override a few methods because Spring Vault Core expects the application to provide it. I'm not seeing how to override any ofVaultClientsbehavior, since it appears to be an internal, implementation class.