Allow legacy VaultKV configuration keys in kapitan.secrets.vaultkv #1249

Merged

Contributor

@simu simu commented Oct 17, 2024

Proposed Changes

  • Add validation aliases which allow the old envvar style configuration for the VaultKV references backend config through the inventory
  • Update the vaultkv documentation to note that the envvar style configs in the inventory are deprecated.

TODO

  • Document limitation regarding duplicated configs through different field aliases. Due to some implementation details in pydantic-settings, having e.g. the Vault address set both through environment variable `VAULT_ADDR` and initializer field `addr` will cause a validation error unless `extra` is set to `ignore` or `allow`, neither of which has the desired effect of protecting users against config errors in the inventory.

Docs and Tests

  • Tests added
  • Updated documentation

…ry config fields

This ensures that existing Kapitan inventories which configure the
VaultKV refs backend through the inventory (`kapitan.secrets.vaultkv`)
using the currently documented approach (see
https://kapitan.dev/latest/references/?h=vaultkv#vaultkv) which uses
envvar style keys to configure some Vault connection details.

Note that with the explicit aliases, the `env_prefix` setting has no
effect, so we remove it.
@simu simu force-pushed the legacy-vaultkv-config-validation branch 2 times, most recently from 824a9c0 to 77af251 Compare October 17, 2024 17:54
@simu
Contributor Author

simu commented Oct 17, 2024

Behavior which causes the validation error when providing VAULT_ADDR in the environment while addr is set in the refs file is documented in pydantic/pydantic-settings#245

…vvar

Setting `VAULT_ADDR` for `kapitan refs --reveal` for a VaultKV secret
causes a validation error due to the way we implement support for legacy
envvar style vaultkv configurations in the inventory.
@simu simu force-pushed the legacy-vaultkv-config-validation branch from 77af251 to 99ebe2b Compare October 17, 2024 17:57
@simu simu marked this pull request as ready for review October 17, 2024 17:57
@ademariag ademariag self-requested a review October 17, 2024 20:08
@ademariag ademariag merged commit 05aef32 into kapicorp:master Oct 17, 2024
9 checks passed
@simu simu deleted the legacy-vaultkv-config-validation branch October 18, 2024 06:45
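
The alias handling and the duplicate-key limitation discussed in this thread, as an added example in plain Python; it is not Kapitan's code and does not use pydantic-settings. Only the `VAULT_ADDR`/`addr` pair comes from the thread; the other key pairs, the field set, `normalize_vaultkv` and `VaultKVConfigError` are assumptions made for illustration.

```python
import warnings

# Legacy envvar-style key -> current field name.
# Only VAULT_ADDR -> addr appears in the PR text; the rest are assumed.
LEGACY_ALIASES = {
    "VAULT_ADDR": "addr",
    "VAULT_NAMESPACE": "namespace",      # assumed pair
    "VAULT_SKIP_VERIFY": "skip_verify",  # assumed pair
}
# Assumed set of accepted fields for this sketch.
KNOWN_FIELDS = set(LEGACY_ALIASES.values()) | {"auth", "mount"}


class VaultKVConfigError(ValueError):
    """Inventory config that is ambiguous or contains unknown keys."""


def normalize_vaultkv(raw: dict) -> dict:
    """Return the config keyed by current field names.

    Legacy keys are accepted with a DeprecationWarning. A setting given
    under both spellings, or an unknown key, is rejected instead of being
    ignored, so a duplicated or misspelled key surfaces as an error.
    """
    out = {}
    for key, value in raw.items():
        field = LEGACY_ALIASES.get(key, key)
        if field not in KNOWN_FIELDS:
            raise VaultKVConfigError(f"unknown vaultkv key: {key!r}")
        if field in out:
            raise VaultKVConfigError(
                f"{field!r} is set twice (legacy and current key)")
        if key in LEGACY_ALIASES:
            warnings.warn(f"{key} is deprecated in the inventory, use {field}",
                          DeprecationWarning, stacklevel=2)
        out[field] = value
    return out


if __name__ == "__main__":
    # Constructed sample of a kapitan.secrets.vaultkv inventory block.
    legacy = {"VAULT_ADDR": "https://vault.example.test:8200", "auth": "token"}
    print(normalize_vaultkv(legacy))
    try:
        normalize_vaultkv({**legacy, "addr": "https://other.example.test:8200"})
    except VaultKVConfigError as exc:
        print("rejected:", exc)
```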