From a94128e5756bd5d611a8208e31b0c1bddf00f2d4 Mon Sep 17 00:00:00 2001
From: Uwe Krueger
Date: Thu, 2 Nov 2023 09:26:32 +0100
Subject: [PATCH] add secret engine to ID

---
 docs/reference/ocm_credential-handling.md | 2 ++
 docs/reference/ocm_get_credentials.md | 1 +
 .../repositories/vault/identity/identity.go | 30 +++++++++++--------
 .../repositories/vault/provider.go | 6 ++--
 .../repositories/vault/repository.go | 2 +-
 5 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/docs/reference/ocm_credential-handling.md b/docs/reference/ocm_credential-handling.md
index 99e8fe85e3..a0e58ef395 100644
--- a/docs/reference/ocm_credential-handling.md
+++ b/docs/reference/ocm_credential-handling.md
@@ -128,6 +128,7 @@ The following credential consumer types are used/supported:
   - scheme: (optional) URL scheme
   - port: (optional) server port
   - namespace: vault namespace
+  - secretEngine: secret engine
   - pathprefix: path prefix for secret
 
 
@@ -259,6 +260,7 @@ behaviours are described in the following list:
   - scheme: (optional) URL scheme
   - port: (optional) server port
   - namespace: vault namespace
+  - secretEngine: secret engine
   - pathprefix: path prefix for secret
 
 
diff --git a/docs/reference/ocm_get_credentials.md b/docs/reference/ocm_get_credentials.md
index 27483b343f..5512cc261d 100644
--- a/docs/reference/ocm_get_credentials.md
+++ b/docs/reference/ocm_get_credentials.md
@@ -53,6 +53,7 @@ Matchers exist for the following usage contexts or consumer types:
   - scheme: (optional) URL scheme
   - port: (optional) server port
   - namespace: vault namespace
+  - secretEngine: secret engine
   - pathprefix: path prefix for secret
 
 
diff --git a/pkg/contexts/credentials/repositories/vault/identity/identity.go b/pkg/contexts/credentials/repositories/vault/identity/identity.go
index 9d0518a5a0..79ba43d7eb 100644
--- a/pkg/contexts/credentials/repositories/vault/identity/identity.go
+++ b/pkg/contexts/credentials/repositories/vault/identity/identity.go
@@ -7,7 +7,6 @@ package identity
 import (
 	"net"
 	"net/url"
-	"path"
 	"strings"
 
 	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
@@ -20,11 +19,12 @@ const CONSUMER_TYPE = "HashiCorpVault"
 
 // identity properties.
 const (
-	ID_HOSTNAME   = hostpath.ID_HOSTNAME
-	ID_SCHEMA     = hostpath.ID_SCHEME
-	ID_PORT       = hostpath.ID_PORT
-	ID_PATHPREFIX = hostpath.ID_PATHPREFIX
-	ID_NAMESPACE  = "namespace"
+	ID_HOSTNAME     = hostpath.ID_HOSTNAME
+	ID_SCHEMA       = hostpath.ID_SCHEME
+	ID_PORT         = hostpath.ID_PORT
+	ID_PATHPREFIX   = hostpath.ID_PATHPREFIX
+	ID_SECRETENGINE = "secretEngine"
+	ID_NAMESPACE    = "namespace"
 )
 
 // credential properties.
@@ -46,6 +46,9 @@ func IdentityMatcher(request, cur, id cpi.ConsumerIdentity) bool {
 	if id[ID_NAMESPACE] != request[ID_NAMESPACE] {
 		return false
 	}
+	if id[ID_SECRETENGINE] != "" && id[ID_SECRETENGINE] != request[ID_SECRETENGINE] {
+		return false
+	}
 	return identityMatcher(request, cur, id)
 }
 
@@ -62,6 +65,7 @@ func init() {
 		ID_SCHEMA, "(optional) URL scheme",
 		ID_PORT, "(optional) server port",
 		ID_NAMESPACE, "vault namespace",
+		ID_SECRETENGINE, "secret engine",
 		ID_PATHPREFIX, "path prefix for secret",
 	})
 	cpi.RegisterStandardIdentity(CONSUMER_TYPE, identityMatcher,
@@ -75,7 +79,7 @@ The only supported auth methods, so far, are token and approl
 `)
 }
 
-func GetConsumerId(serverurl string, namespace string, secretpath ...string) (cpi.ConsumerIdentity, error) {
+func GetConsumerId(serverurl string, namespace string, secretengine string, secretpath string) (cpi.ConsumerIdentity, error) {
 	if serverurl == "" {
 		return nil, errors.Newf("server address must be given")
 	}
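Review bot: In IdentityMatcher the new secretEngine test is a one-directional wildcard — a configured identity without `secretEngine` matches requests for any engine — while the `namespace` comparison directly above it requires equality even when both sides are empty; the asymmetry is defensible (a Vault token is issued per server/namespace, not per mount), but the attribute list registered in init() describes the property merely as `"secret engine"`, so the generated docs give no hint that it is optional or how it matches. Suggest documenting it like the other optional attributes, e.g. `ID_SECRETENGINE, "(optional) secret engine; an identity without it matches any engine",`, and stating the same in the matcher's doc comment (which is outside this hunk). Separately, changing `GetConsumerId` from `secretpath ...string` to `secretengine, secretpath string` means an out-of-tree caller that previously passed two path segments still compiles but now has its first segment silently reinterpreted as the mount path; that deserves a release note. The body of `GetConsumerId` continues outside this hunk.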
@@ -105,16 +109,18 @@ func GetConsumerId(serverurl string, namespace string, secretpath ...string) (cp
 	if namespace != "" {
 		id[ID_NAMESPACE] = namespace
 	}
+	if secretengine != "" {
+		id[ID_SECRETENGINE] = secretengine
+	}
 
-	p := path.Join(secretpath...)
-	if p != "" {
-		id[ID_PATHPREFIX] = p
+	if secretpath != "" {
+		id[ID_PATHPREFIX] = secretpath
 	}
 	return id, nil
 }
 
-func GetCredentials(ctx cpi.ContextProvider, serverurl, namespace string, secretpath ...string) (cpi.Credentials, error) {
-	id, err := GetConsumerId(serverurl, namespace, secretpath...)
+func GetCredentials(ctx cpi.ContextProvider, serverurl, namespace string, secretengine, secretpath string) (cpi.Credentials, error) {
+	id, err := GetConsumerId(serverurl, namespace, secretengine, secretpath)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/contexts/credentials/repositories/vault/provider.go b/pkg/contexts/credentials/repositories/vault/provider.go
index 7782fec78e..1d8c9fb4ec 100644
--- a/pkg/contexts/credentials/repositories/vault/provider.go
+++ b/pkg/contexts/credentials/repositories/vault/provider.go
@@ -100,11 +100,14 @@ func (p *ConsumerProvider) update() error {
 	if err := client.SetToken(token); err != nil {
 		return err
 	}
+	if err := client.SetNamespace(p.repository.spec.Namespace); err != nil {
+		return err
+	}
 
+	// TODO: support for pure path based access for other secret engine types
 	secrets := slices.Clone(p.repository.spec.Secrets)
 	if len(secrets) == 0 {
 		s, err := client.Secrets.KvV2List(ctx, p.repository.spec.Path,
-			vault.WithNamespace(p.repository.spec.Namespace),
 			vault.WithMountPath(p.repository.spec.SecretsEngine))
 		if err != nil {
 			return err
@@ -175,7 +178,6 @@ func (p *ConsumerProvider) read(ctx context.Context, client *vault.Client, secre
 
 	secret = path.Join(p.repository.spec.Path, secret)
 	s, err := client.Secrets.KvV2Read(ctx, secret,
-		vault.WithNamespace(p.repository.spec.Namespace),
 		vault.WithMountPath(p.repository.spec.SecretsEngine))
 	if err != nil {
 		return nil, nil, nil, err
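Review bot: Replacing `path.Join(secretpath...)` with a bare assignment also drops the `Clean` that Join performed, so a configured path such as `secrets/` or `a/./b` now lands verbatim in `ID_PATHPREFIX`, whereas `read()` in provider.go still normalizes the request path with `path.Join` before talking to Vault; depending on how the hostpath matcher compares prefixes (not visible here), an identity produced by the repository and one produced by a consumer can now disagree on nothing more than a trailing slash and fail to match. Suggest `id[ID_PATHPREFIX] = path.Clean(secretpath)` inside the existing non-empty guard, which reproduces the previous single-element behaviour exactly (and means the `path` import removed earlier in this file must stay). `GetConsumerId` starts outside this hunk.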
diff --git a/pkg/contexts/credentials/repositories/vault/repository.go b/pkg/contexts/credentials/repositories/vault/repository.go
index f5c8167625..c09ed75bde 100644
--- a/pkg/contexts/credentials/repositories/vault/repository.go
+++ b/pkg/contexts/credentials/repositories/vault/repository.go
@@ -24,7 +24,7 @@ var (
 )
 
 func NewRepository(ctx cpi.Context, spec *RepositorySpec) (*Repository, error) {
-	id, err := identity.GetConsumerId(spec.ServerURL, spec.Namespace, spec.Path)
+	id, err := identity.GetConsumerId(spec.ServerURL, spec.Namespace, spec.SecretsEngine, spec.Path)
 	if err != nil {
 		return nil, err
 	}