Closed CharlieReitzel closed 1 year ago
The `v1` prefix is part of Vault server's API specification and is always required when working with a Vault server directly. Any proxying customizations require a bit of work, ideally through customizing `PrefixAwareUriBuilderFactory`.

I also recognize that it is easier to provide a `VaultEndpoint` object instead of subclassing and configuring `PrefixAwareUriBuilderFactory`. Would you like to come up with a pull request so we can discuss the actual changes that are necessary to make your change work?

Yes, this was PBCAK. I find the Vault API docs always a bit vague at the edges. The actual problem was that the `X-Vault-Namespace` header was missing. I was able, finally, to inject it into the `VaultTemplate` using a `RestTemplateCustomizer`.

That said, the 1 line change I suggested would allow some flexibility to override the endpoint. It turned out to be unnecessary in my case.

So, the default `VaultEndpoint.path` prefix, `/v1`, works fine for our Vault login. However, our secret path (actually, we have a few different ones) starts with something else. Let's say we have created a KV backend mounted at `/kv-foo`. `VaultEndpoint` insists on injecting `/v1` at the top of everything/anything I give it. Again, we want `/v1` for our login.

The problem is that `VaultEndpoint` is too opinionated about Vault paths. It seems to me that it should keep silent on the paths and let the various operations own the path in its entirety. I tried to do this by setting `endpoint.setPath("")` and `endpoint.setPath("/")`. But no joy. These values are explicitly excluded.

Any suggestions on how to work with custom KV paths?

Part of the problem is in `VaultClients.PrefixAwareUriBuilderFactory.uriString(String uriTemplate)`. Instead of delegating to `VaultEndpoint.createUriString(String path)`, it re-implements the identical (flawed) logic in `VaultClients.toBaseUri(VaultEndpoint)`. This prevents me from fixing it in a class derived from `VaultEndpoint`. It's easy to override a few methods because Spring Vault Core expects the application to provide it. I'm not seeing how to override any of `VaultClients` behavior, since it appears to be an internal, implementation class.
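
The setup this thread converges on, written out as an added example (not code from either poster or from the Spring Vault project): the endpoint keeps its default `/v1` prefix, the KV mount is named without it, and `X-Vault-Namespace` is set through a `RestTemplateCustomizer`. The host, namespace, secret path and the KV version (v2) are assumed placeholder values.

```java
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.vault.authentication.SimpleSessionManager;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.RestTemplateBuilder;
import org.springframework.vault.client.RestTemplateCustomizer;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.core.VaultKeyValueOperations;
import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

public class NamespacedKvExample {

    public static void main(String[] args) {
        // Assumed placeholder values; the token comes from the environment, not source.
        VaultEndpoint endpoint = VaultEndpoint.create("vault.example.internal", 8200);
        String namespace = "team-a";
        String token = System.getenv("VAULT_TOKEN");

        // Interceptor that sets X-Vault-Namespace on every outgoing request.
        RestTemplateCustomizer namespaceHeader = restTemplate ->
            restTemplate.getInterceptors().add((request, body, execution) -> {
                request.getHeaders().set(VaultHttpHeaders.VAULT_NAMESPACE, namespace);
                return execution.execute(request, body);
            });

        // The endpoint keeps its default path, so requests still go to /v1/...
        RestTemplateBuilder builder = RestTemplateBuilder.builder()
            .endpoint(endpoint)
            .requestFactory(new SimpleClientHttpRequestFactory())
            .customizers(namespaceHeader);

        VaultTemplate vault = new VaultTemplate(builder,
            new SimpleSessionManager(new TokenAuthentication(token)));

        // Name the mount without /v1 (assumed here to be KV version 2).
        VaultKeyValueOperations kv = vault.opsForKeyValue("kv-foo", KeyValueBackend.KV_2);
        VaultResponse response = kv.get("app/config"); // assumed secret path

        // Print key names only, never the secret values.
        if (response == null || response.getData() == null) {
            System.out.println("No secret at kv-foo/app/config in namespace " + namespace);
        } else {
            System.out.println("Keys: " + response.getData().keySet());
        }
    }
}
```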