Merge "Add support for specifying Vault KV path"

Zuul 2023-02-17 12:23:38 +00:00 committed by Gerrit Code Review
commit 300c60ca97
2 changed files with 11 additions and 3 deletions


@ -54,6 +54,9 @@ _vault_opts = [
default=_DEFAULT_MOUNTPOINT,
help='Mountpoint of KV store in Vault to use, for example: '
'{}'.format(_DEFAULT_MOUNTPOINT)),
cfg.StrOpt('kv_path',
help='Path relative to root of KV store in Vault to use.'
),
cfg.IntOpt('kv_version',
default=_DEFAULT_VERSION,
help='Version of KV store in Vault to use, for example: '
@ -101,6 +104,7 @@ class VaultKeyManager(key_manager.KeyManager):
self._approle_token_ttl = None
self._approle_token_issue = None
self._kv_mountpoint = self._conf.vault.kv_mountpoint
self._kv_path = self._conf.vault.kv_path
self._kv_version = self._conf.vault.kv_version
self._vault_url = self._conf.vault.vault_url
self._namespace = self._conf.vault.namespace
@ -115,14 +119,14 @@ class VaultKeyManager(key_manager.KeyManager):
return self._vault_url
def _get_resource_url(self, key_id=None):
return '{}v1/{}/{}{}'.format(
return '{}v1/{}/{}{}{}'.format(
self._get_url(),
self._kv_mountpoint,
'' if self._kv_version == 1 else
'data/' if key_id else
'metadata/', # no key_id is for listing and 'data/' doesn't works
(self._kv_path + '/') if self._kv_path else '',
key_id if key_id else '?list=true')
@property
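Review bot: `kv_path` is joined into the request URL verbatim in `_get_resource_url` (`(self._kv_path + '/') if self._kv_path else ''`), so a configured value with a leading or trailing slash (constructed examples: `/keys` or `keys/`) puts an empty path segment into the URL. Normalising once where the option is read, `self._kv_path = (self._conf.vault.kv_path or '').strip('/')`, keeps the format call unchanged and the resulting secret path predictable. The `kv_path` help string could also say that the value is written without surrounding slashes, and that on KV v2 the policy bound to the token or AppRole has to cover `<mountpoint>/data/<kv_path>/*` and `<mountpoint>/metadata/<kv_path>/*`, since those are the paths this format string now produces. `__init__` and the `_vault_opts` list both extend outside the hunks shown.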


@ -39,7 +39,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
verify_ssl_path=None,
api_class=None, vault_root_token_id=None,
vault_approle_role_id=None, vault_approle_secret_id=None,
vault_kv_mountpoint=None, vault_url=None,
vault_kv_mountpoint=None, vault_kv_path=None, vault_url=None,
vault_ssl_ca_crt_file=None, vault_use_ssl=None,
vault_namespace=None,
barbican_endpoint_type=None,
@ -61,6 +61,7 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
:param vault_approle_secret_id: Use this for the approle secret_id
for vault.
:param vault_kv_mountpoint: Mountpoint of KV store in vault to use.
:param vault_kv_path: Path relative to root of KV store in Vault to use.
:param vault_url: Use this for the url for vault.
:param vault_use_ssl: Use this to force vault driver to use ssl.
:param vault_ssl_ca_crt_file: Use this for the CA file for vault.
@ -124,6 +125,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
if vault_kv_mountpoint is not None:
conf.set_default('kv_mountpoint', vault_kv_mountpoint,
group=vkm._VAULT_OPT_GROUP)
if vault_kv_path is not None:
conf.set_default('kv_path', vault_kv_path,
group=vkm._VAULT_OPT_GROUP)
if vault_url is not None:
conf.set_default('vault_url', vault_url,
group=vkm._VAULT_OPT_GROUP)
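Review bot: In the `set_defaults` signature, `vault_kv_path=None` is inserted between `vault_kv_mountpoint` and `vault_url`, which shifts every later parameter by one for any caller that passes these arguments positionally. For such a caller the value meant for `vault_url` would be stored as `kv_path`, and the CA file, SSL flag and namespace arguments would each land in the neighbouring option without an error being raised. Adding the new parameter at the end of the signature, or documenting that the arguments are to be passed by keyword, keeps existing callers intact. The signature starts and ends outside this hunk, so whether it already contains a keyword-only marker cannot be seen here.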