-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatically (Optionally?) Automatically Detect the Appropriate KV Secrets Engine Version #383
Comments
So my main concern on this topic is centered around the need to perform an additional API request at some point to detect the version. It may not be a large concern, but it is the one sticking point that has prevented me from attempting an implementation. We could keep a cache of a map of KV mount paths to engine versions, but that has its own complexity concerns. E.g., if we detect that Overall, those issues seems entirely surmountable, I'm just sharing some background about why it hasn't been implemented quite yet. For what it is worth, I had cause to look at this sort of KV version detection myself when working through implementing doctest for this codebase. I tentatively ended up with an arrangement along these lines: class Mount(SystemBackendMixin):
# [...]
def retrieve_mount_option(self, mount_point, option_name, default_value=None):
"""Retrieve a specific option for the secrets engine mounted under the path specified.
If no matching option (or no options at all) are discovered, a default value is returned.
:param mount_point: The path the relevant secrets engine is mounted under.
:type mount_point: str
:param option_name: Specifies the name of the option to be retrieved.
:type option_name: str
:param default_value: The value returned if no matching option (or no options at all) are discovered.
:type default_value: Any
:return: The value for the specified secrets engine's named option.
:rtype: Any
"""
secrets_engine_path = '{mount_point}/'.format(mount_point=mount_point)
secrets_engines_list = self.list_mounted_secrets_engines()
mount_options = secrets_engines_list[secrets_engine_path].get('options')
if mount_options is None:
return default_value
return mount_options.get(option_name, default_value) KV Secrets Engine - Version 1
"""""""""""""""""""""""""""""
Current usage:
.. doctest::
:skipif: client.sys.retrieve_mount_option('secret', 'version', 1) != 1
>>> client.write('secret/foo', baz='bar', lease='1h')
>>> read_response = client.read('secret/foo')
>>> print('Value under path "secret/foo" / key "baz": {val}'.format(
... val=read_response['data']['baz'],
... ))
Value under path "secret/foo" / key "baz": bar
>>> client.delete('secret/foo') Which isn't exactly related to the topic being discussed, but seemed relevant enough to include here... |
I went with https://github.com/hashicorp/vault/blob/master/command/kv_helpers.go#L92 in the end instead of reimplementing the wheel with |
Interesting! So for your purposes, are you invoking vault cli directly to determine the KV version or did you use the upstream code as a guide to implement something similar in Python? |
Hey, I've just ported the code to python. Invoking the cli directly would be quite silly solution. :-) With In terms of caching and runtime detection of KV version, I personally gave up and just detected it on initialization. It can definitely be achievable, but I'm not sure if it's worth the struggle as the upgrade itself could take a long time which would in my case mean downtime.
https://www.vaultproject.io/docs/secrets/kv/kv-v2.html#upgrading-from-version-1 |
you can use the a kv1 path can either have type The official vault go client uses the same endpoint to do so, though it is probably considered an non-public api. |
Some code example I have been using for autodetection so it works the same way as
|
Spinning off this issue from: #183
In that issue's comments regarding the implementation of KV v2 hvac support, I made a note along the lines of:
In a subsequent comment, @janmasarik provided some additional input:
The text was updated successfully, but these errors were encountered: