Merge pull request #103 from projectsyn/vault-secret-engine-path

Make Vault secret engine path configurable

.yamllint.yml

@@ -5,3 +5,6 @@ rules:
   line-length:
     max: 80
     level: warning
+
+ignore: |
+  /deploy/crds/*_crd.yaml

CHANGELOG.md

@@ -4,11 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [v0.2.1] - 2020-09-10
 ### Changed
 
 - Apply the default Syn project meta files ([#90])
 - Replaced playbook.yml with custom command ([#100])
+- Make Vault secret engine path configurable ([#103])
 
 ## [v0.2.0] - 2020-07-23
 ### Added
@@ -83,10 +84,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [v0.1.4]: https://github.com/projectsyn/lieutenant-operator/releases/tag/v0.1.4
 [v0.1.5]: https://github.com/projectsyn/lieutenant-operator/releases/tag/v0.1.5
 [v0.2.0]: https://github.com/projectsyn/lieutenant-operator/releases/tag/v0.2.0
+[v0.2.1]: https://github.com/projectsyn/lieutenant-operator/releases/tag/v0.2.1
+
 [#62]: https://github.com/projectsyn/lieutenant-operator/pull/62
 [#71]: https://github.com/projectsyn/lieutenant-operator/pull/71
 [#76]: https://github.com/projectsyn/lieutenant-operator/pull/76
 [#84]: https://github.com/projectsyn/lieutenant-operator/pull/84
 [#85]: https://github.com/projectsyn/lieutenant-operator/pull/85
 [#88]: https://github.com/projectsyn/lieutenant-operator/pull/88
 [#90]: https://github.com/projectsyn/lieutenant-operator/pull/90
+[#100]: https://github.com/projectsyn/lieutenant-operator/pull/100
+[#103]: https://github.com/projectsyn/lieutenant-operator/pull/103

docs/modules/ROOT/pages/references/configuration.adoc

@@ -17,6 +17,10 @@ Lieutenant Operator is configured via environment variables:
 |Sets the Vault token to be used, only recommended for testing. In production the https://www.vaultproject.io/docs/auth/kubernetes[K8s authentication] should be used by omitting the setting.
 |
 
+|VAULT_SECRET_ENGINE_PATH
+|Configures the mount path of the KV secret engine to be used.
+|`kv`
+
 |SKIP_VAULT_SETUP
 |Doesn't create any Vault secrets. Recommended for testing only.
 |false

pkg/vault/client.go

@@ -78,9 +78,14 @@ func newBankVaultClient(deletionPolicy synv1alpha1.DeletionPolicy, log logr.Logg
 		client.RawClient().SetToken(os.Getenv(api.EnvVaultToken))
 	}
 
+	secretEngine := os.Getenv("VAULT_SECRET_ENGINE_PATH")
+	if secretEngine == "" {
+		secretEngine = "kv"
+	}
+
 	return &BankVaultClient{
 		client:         client,
-		secretEngine:   "kv",
+		secretEngine:   secretEngine,
 		deletionPolicy: deletionPolicy,
 		log:            log,
 	}, nil

pkg/vault/client_test.go

@@ -85,6 +85,7 @@ func TestBankVaultClient_AddSecrets(t *testing.T) {
 	}
 	tests := []struct {
 		name       string
+		mountPath  string
 		args       args
 		wantErr    bool
 		statusCode int
@@ -112,6 +113,29 @@ func TestBankVaultClient_AddSecrets(t *testing.T) {
 			  }`,
 			statusCode: 200,
 		},
+		{
+			name:      "test different path",
+			mountPath: "clusters/kv",
+			args: args{
+				secrets: []VaultSecret{{Path: "some/test", Value: ""}},
+				token:   "test",
+				log:     zap.Logger(),
+			},
+			body: `{
+				"data": {
+				  "data": {
+					"foo": "bar"
+				  },
+				  "metadata": {
+					"created_time": "2018-03-22T02:24:06.945319214Z",
+					"deletion_time": "",
+					"destroyed": false,
+					"version": 2
+				  }
+				}
+			  }`,
+			statusCode: 200,
+		},
 		{
 			name:       "test error",
 			wantErr:    true,
@@ -131,6 +155,7 @@ func TestBankVaultClient_AddSecrets(t *testing.T) {
 
 			os.Setenv(api.EnvVaultToken, "myroot")
 			os.Setenv(api.EnvVaultAddress, server.URL)
+			os.Setenv("VAULT_SECRET_ENGINE_PATH", tt.mountPath)
 
 			defer server.Close()