Add write support for vaultkv secrets

kapitan/cli.py

@@ -493,6 +493,24 @@ def build_parser():
         default=from_dot_kapitan("refs", "vault-auth", ""),
         metavar="AUTH",
     )
+    refs_parser.add_argument(
+        "--vault-mount",
+        help="set mount point for vault secrets, default is 'secret'",
+        default=from_dot_kapitan("refs", "vault-mount", "secret"),
+        metavar="MOUNT",
+    )
+    refs_parser.add_argument(
+        "--vault-path",
+        help="set path for vault secrets where the secret gets stored on vault, default is the secret_path",
+        default=from_dot_kapitan("refs", "vault-path", ""),
+        metavar="PATH",
+    )
+    refs_parser.add_argument(
+        "--vault-key",
+        help="set key for vault secrets",
+        default=from_dot_kapitan("refs", "vault-key", ""),
+        metavar="KEY",
+    )
     refs_parser.add_argument(
         "--refs-path",
         help='set refs path, default is "./refs"',

kapitan/refs/base.py

@@ -598,13 +598,28 @@ def _get_from_token(self, token):
                             token, ref.token
                         )
                     )
+
+        # "type_name:path/to/ref:vault_mount:path/in/vault:key"
+        elif len(attrs) == 5:
+            type_name = attrs[0]
+            path_to_ref = attrs[1]
+            key = attrs[4]
+
+            if key is None:
+                raise RefError(f"{token} is not a valid token (key in vault is needed)")
+            else:
+                backend = self._get_backend(type_name)
+                ref = backend[path_to_ref]
+                return ref
         else:
             return None
 
     def _set_to_token(self, token, ref_obj):
         attrs = token.split(":")
 
-        if len(attrs) == 2:
+        # 2: default ref tag
+        # 5: used for writing(creating) secrets in vaultkv
+        if len(attrs) in (2, 5):
             type_name = attrs[0]
             path = attrs[1]
             backend = self._get_backend(type_name)
@@ -685,6 +700,9 @@ def __setitem__(self, key, value):
                 ctx.ref_controller = self
                 ctx.token = token
 
+                # pass the token as ref param
+                value.kwargs["token"] = token
+
                 self._eval_func_str(ctx, func_str)
                 ref_type = self.token_type(token)
 

kapitan/refs/cmd_parser.py

@@ -6,7 +6,7 @@
 import sys
 import mimetypes
 
-from kapitan.errors import KapitanError, RefHashMismatchError
+from kapitan.errors import KapitanError, RefHashMismatchError, RefError
 from kapitan.refs.base import PlainRef, RefController, Revealer
 from kapitan.refs.base64 import Base64Ref
 from kapitan.refs.env import EnvRef
@@ -220,7 +220,28 @@ def ref_write(args, ref_controller):
                 " in parameters.kapitan.secrets.vaultkv.auth and use --target-name or use --vault-auth"
             )
 
-        secret_obj = VaultSecret(_data, vault_params)
+        kwargs = {}
+
+        # set mount
+        mount = args.vault_mount
+        if not mount:
+            mount = vault_params.get("mount", "secret")  # secret is default mount point
+        kwargs["mount_in_vault"] = mount
+
+        # set path in vault
+        path_in_vault = args.vault_path
+        if not path_in_vault:
+            path_in_vault = token_path  # token path in kapitan as default
+        kwargs["path_in_vault"] = path_in_vault
+
+        # set key
+        key = args.vault_key
+        if key:
+            kwargs["key_in_vault"] = key
+        else:
+            raise RefError("Could not create VaultSecret: vaultkv: key is missing")
+
+        secret_obj = VaultSecret(_data, vault_params, **kwargs)
         tag = "?{{vaultkv:{}}}".format(token_path)
         ref_controller[tag] = secret_obj