-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vault-autounseal
interface
#141
base: main
Are you sure you want to change the base?
Conversation
d49a9a8
to
ee40998
Compare
ee40998
to
d6f1e18
Compare
|
||
## Limitations | ||
|
||
In this iteration, many data points (mount path, key name) are implied, and not configurable. This is likely to change in future versions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand why they may not be configurable but should the mount path not be written in the relation data so that the requirer knows it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I agree. It wasn't in the spec so I left that as a future improvement. But, if there's no discussion needed (i.e. you agree 😆 ) then it's easy to make that change here and in the implementation code.
That would remove some FIXME
comments from the implementation too, which would be nice.
jWpoal3C6/rrAL1auX0vhoOXZ3J3nYoypSYL1SgiKn8hHGLAq/FulOWTxHok7CLy | ||
4ZT7j4CUoxXdfuAZxQ+cnCyPkpL96y9XsDiescRInOkVAmw= | ||
-----END CERTIFICATE----- | ||
credentials_secret_id: secret://575cd150-f7c2-4710-88a3-3f33e14e867c/copsdgnmp25c77tkgke0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably explicitly state the various keys expected to be in this secret
"description": "The address of the Vault server to connect to.", | ||
"type": "string" | ||
}, | ||
"token_secret_id": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here we call it token_secret_id
but in the example in the readme we call it credentials_secret_id
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file was leftover from before the re-spec. It was a generated file so I didn't even notice it. Will remove.
Thanks for catching this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we have both docs/json_schemas/vault_autounseal/v0/provider.json
and docs/json_schemas/vault_transit/v0/provider.json
files?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops, artifact of renaming the relation. Will remove. Good catch.
Creation of a new interface,
vault-autounseal
, for making use of the Vaulttransit
engine to autounseal another vault.