Rename KV Secret path to mount, and split secret key into path and name #34

Draft
pdecat wants to merge 2 commits into theapsgroup:main from pdecat:query-kv-subsets

@pdecat pdecat commented Jan 21, 2023

This PR renames path to mount, and splits the secret's key into path and name.

This allows querying only some paths without loading all KV secrets from all mounts (which can be quite expensive with large Vault instances).

Sample query with this new model:

> select * from vault_kv_secret where mount = 'mymount/' and path = 'my/secret/path/' and name not like 'pattern%'

Marked as draft because:

  • these changes are quite intrusive, so this is essentially to open a discussion of what would be acceptable for you and what wouldn't.
  • documentation needs to be updated accordingly.
  • parallelism was commented out to ease development.
  • lots of debug statements were added, some of them probably can be removed.

…llows to query only some paths without loading all KV secrets from all mounts.
@pdecat pdecat changed the title from "Rename path to mount, and split secret key into path and name" to "Rename KV Secret path to mount, and split secret key into path and name" Jan 21, 2023
logger.Debug("vault_kv_secret: listKvSecrets", "k", fmt.Sprintf("%#v", k))
// time.Sleep(time.Second)

if k.Name == "" || strings.HasSuffix(k.Name, "/") {
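
Review bot: the `logger.Debug` call at the top of this excerpt formats the whole of `k` with `%#v`, so every field of `k` lands in the plugin log; if `k` can ever hold more than the mount, path and name, log only the fields needed (for example `"name", k.Name`) instead of the full struct. The commented-out `// time.Sleep(time.Second)` is development residue and should be dropped before this leaves draft. The `k.Name == ""` branch would also benefit from a code comment stating when `Name` is empty, since the condition alone does not show it.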
Name can be empty only on first invocation.

@graza-io graza-io added the enhancement New feature or request label Jan 21, 2023

@pdecat pdecat Jan 22, 2023

Please note that this currently prevents selecting secrets recursively.
Previously, one could use like in his queries e.g.:

select key
from vault_kv_secret
where path = 'secret/'
    and key like 'my/secret/path/%'
order by key;
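
The difference between the two query models discussed in this thread, as an added Go example that is not code from the PR or the plugin: it assumes a key is split at its last "/" into path and name, and it filters a constructed in-memory key list instead of calling Vault. The names `SplitKey`, `ByPath`, `ByKeyPrefix` and `sampleKeys` are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample keys inside one KV mount (not real data).
var sampleKeys = []string{
	"my/secret/path/api",
	"my/secret/path/db",
	"my/secret/path/nested/token",
	"other/key",
}

// SplitKey splits a full key into path (up to and including the last "/")
// and name (the final segment). A key without "/" has an empty path.
// Assumption: this is how the PR's path and name columns relate to the old key.
func SplitKey(key string) (path, name string) {
	i := strings.LastIndex(key, "/")
	return key[:i+1], key[i+1:]
}

// filter returns the sorted keys for which keep reports true.
func filter(keys []string, keep func(string) bool) []string {
	var out []string
	for _, k := range keys {
		if keep(k) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// ByPath models `path = '...'` in the new schema: direct children only.
func ByPath(keys []string, path string) []string {
	return filter(keys, func(k string) bool { p, _ := SplitKey(k); return p == path })
}

// ByKeyPrefix models the old `key like 'prefix%'`: nested paths match too.
func ByKeyPrefix(keys []string, prefix string) []string {
	return filter(keys, func(k string) bool { return strings.HasPrefix(k, prefix) })
}

func main() {
	fmt.Println("path =  :", ByPath(sampleKeys, "my/secret/path/"))
	fmt.Println("key like:", ByKeyPrefix(sampleKeys, "my/secret/path/"))
}
```

The exact-path filter returns two keys and the prefix filter three; the extra one is the nested secret that a non-recursive lookup no longer reaches.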
