Enhance the programmatic access to the KV secret engine #184
Conversation
|
The I think that's the model to follow. |
|
@kdubb Yes it's a good idea I need a name for this engine, if you can help on finding a name for it it will be great for me, yes I agree it's better to define a new engine rather then overload the existing engine and method, notice that the other engine will always be of kind KV , what do you think about |
|
You don't need a new engine. You just need to allowing creating |
|
@kdubb I can get it now, I'll give it a try |
|
@kdubb I made some changes for the pull request now the Oliver loaded methods are still here, it may be a kind of shortcut, in the next tastemaker I'll remove it |
|
@kdubb I updated the pull request and I also rebased it please can you give it a check, Thanks in avance |
d114e53 to
40161bc
Compare
|
@bmscomp Not ignoring you or your contribution. I am swamped with current work and it's going to be a while before I can weigh in on this. |
|
@kdubb Thank you su much for the feedback |
| @@ -18,7 +18,8 @@ | |||
| @ApplicationScoped | |||
| public class VaultKVSecretEngine { | |||
|
|
|||
| private final VaultKVSecretReactiveEngine engine; | |||
| @Inject | |||
There was a problem hiding this comment.
Why this change? It was already using constructor injection into a final field?
There was a problem hiding this comment.
@kdubb I agree that constructor based injection is better , I will fix that
model/src/main/java/io/quarkus/vault/runtime/client/dto/kv/VaultKvSecretV2WriteBody.java
Show resolved
Hide resolved
|
|
||
| private Uni<Map<String, Object>> readValues(String mount, String path) { |
There was a problem hiding this comment.
Can't you name this readSecret as well? It has a mount path to handle the overload.
There was a problem hiding this comment.
@kdubb I just followed the existing naming for the private methods for reading and writing secrects or values
For example the existing private method private Uni<Void> writeValues(String mount, String path, Map<String, String> secret) that is used on another public method
| @@ -77,27 +111,30 @@ public Uni<Map<String, Object>> readSecretJson(String path) { | |||
| }); | |||
| } | |||
|
|
|||
| @Override | |||
| public Uni<Void> writeSecret(String path, Map<String, String> secret) { | |||
| private Uni<Void> writeValues(String mount, String path, Map<String, String> secret) { | |||
There was a problem hiding this comment.
writeSecret? No need to change all the names.
There was a problem hiding this comment.
writeSecret method did not change
@Override
public Uni<Void> writeSecret(String path, Map<String, String> secret) {
return writeValues(mount, path, secret);
}
It is just using the private method writeValues https://github.com/quarkiverse/quarkus-vault/pull/184/files#diff-6e7c8fa98f912471ec483ca0bc3ca258d768dd009f2f974f39c76065e6932e04R127
| @@ -107,16 +144,15 @@ public Uni<Void> deleteSecret(String path) { | |||
| }); | |||
| } | |||
|
|
|||
| private Uni<List<String>> listValues(String mount, String path) { | |||
There was a problem hiding this comment.
In VaultKvManager.java class when it comes to private methods that are used for reading writing and listing values of secrets we use the word Value for example :
private Uni<Void> deleteValues(String mount, String path) {
private Uni<Void> writeValues(String mount, String path, Map<String, String> secret) {
|
@kdubb I'll rebase the brach and solve conflicts and then take care of the comment's reviews by the end of day |
ac73ed4 to
bc6d3b1
Compare
|
@kdubb I updated the pull request, answered the questions, please can you take a look to this last update of the pull request |
|
@kdubb Thanks for your answer, I checked the great work done to bring up a new client to vault extension for Quarkus, and I think the content of this pull request still remains important as an evolution to the programmatic way to support multi without any breaking changes to the existing way to use a programatic way to get vault secrets, we can merge this pull request then after try to enhance the api with your implementation of vault client, since we still need in some cases something strongly coupled with Quarkus, this will also enrich the existing API, Please would you consider the updated review Thanks in advance |
|
@bmscomp The new client is still deeply integrated into Quarkus. It has the added ability to be run standalone without using Quarkus static configuration. Additionally, all of the apis that support a dynamic mount path (e.g., any "secret" api like kv) can be easily accessed. For example, to access a kv engine mounted at a specific path using the new client you would do this: @Inject VaultClient client; // Inject Quarkus configured client
Map<String, Object> getSomeSecret(String mount) {
return client.secrets().kv2(mount).read("something").getData();
}If you want a "preconfigured" mount you can create a CDI @Produces
VaultSecretsKV2 getSecretAPI(VaultClient client, @ConfigProperty("app.kv.mount") String mount) {
return client.secrets.kv2(mount);
}And use it like so: @Inject VaultSecretsKV2 kv2;
Map<String, Object> getSomeSecret() {
return kv2.read("something").getData();
}Given the advantages of the new client. The current thinking is to deprecate and remove the current "engines" because having and maintaining two separate implementations is a burden. Currently PR #215 re-implements the "engines" using the new client simply to allow using it in its current form and validate that the new client is solid and performing correctly. You are advocating for enhancing the current KV engine at the same time. This would keep users using the "old" system when we want them to be replacing it by using the new client approach. |
|
@bmscomp I understand that this new client PR undermines the work you've done in this PR, but it was all the work that you were required to do that inspired me to get to work on the new client. Transforming each engine into one that can be both statically configured and dynamically configured, as you now know, is quite a bit of work. Additionally, the CDI model is a bit complicated to ensure both a reactive and non-reactive api exists for everything. I wanted to get away from this model... quickly. It slows down development and introduces a maintenance headache in the long run. The new client solves all these problems and more, all the while making development, whether adding new APIs or maintaining old ones, easier. |
|
@kdubb Then would you merge your pull request |
|
Waiting for review. I've been in contact with @vsevelv and he's going to look at it early this week. |
|
@kdubb Can you please make public my answers to your reviews, at least other developers or reviews or developers can suggest more |
|
@bmscomp I have no idea what you're requesting. I believe everything in Quarkiverse projects is public (and we team members do not control the project settings, that's done by the Quarkus admins). |
|
@kdubb it is totally my mistake apologies, I just could not submit them I think, it is totally mist mistake, I was really on this case https://github.com/orgs/community/discussions/10369 Answers to your reviews are submited, sorry for delay |
|
Any news about this pull request ? |
|
I'm closing this now that dynamic mounts should use the client directly instead. |
The purpose of this pull request is to enhance the programmatic access to the KV secret engine, to give it the ability to access a multi mount KV secret engine, it comes that in some production environnement secrets are stored on different mounts for different domains, and this is not allowed in the current version of Quarkus vault extension, even when using the programatic way it comes always to retrieve the secrets only the configured mount set up in the properties file
In the current pull request we overloaded some methods to give the extension this ability, means if we have three mounts for example we can read from them programmatically even if we configured a default mount to read from