Skip to content

Rename KV Secret path to mount, and split secret key into path and name#34

Draft
pdecat wants to merge 2 commits intotheapsgroup:mainfrom
pdecat:query-kv-subsets
Draft

Rename KV Secret path to mount, and split secret key into path and name#34
pdecat wants to merge 2 commits intotheapsgroup:mainfrom
pdecat:query-kv-subsets

Conversation

@pdecat
Copy link

@pdecat pdecat commented Jan 21, 2023
edited
Loading

This PR renames path to mount, and splits the secret's key into path and name.

This allows to query only some paths without loading all KV secrets from all mounts (which can be quite expensive with large Vault instances).

Sample query with this new model:

> select * from vault_kv_secret where mount = 'mymount/' and path = 'my/secret/path/' and name not like 'pattern%'

Marked as draft because:

  • these changes are quite intrusive, so this is essentially to open a discussion of what would be acceptable for you and what wouldn't.
  • documentation needs to be updated accordingly.
  • parallelism was commented out to ease development.
  • lots of debug statements were added, some of them probably can be removed.

@pdecat
Rename path to mount, and split secret key into path and name. This a…
45d072c 
…llows to query only some paths without loading all KV secrets from all mounts.
@pdecat pdecat changed the title Rename path to mount, and split secret key into path and name Rename KV Secret path to mount, and split secret key into path and name Jan 21, 2023
pdecat
pdecat commented Jan 21, 2023
View reviewed changes
vault/table_kv_secret.go
logger.Debug("vault_kv_secret: listKvSecrets", "k", fmt.Sprintf("%#v", k))
// time.Sleep(time.Second)

if k.Name == "" || strings.HasSuffix(k.Name, "/") {
Copy link
Author

@pdecat pdecat Jan 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Name can be empty only on first invocation.

@graza-io graza-io added the enhancement New feature or request label Jan 21, 2023
pdecat
pdecat commented Jan 22, 2023
View reviewed changes
vault/table_kv_secret.go Outdated
Copy link
Author

@pdecat pdecat Jan 22, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please note that this currently prevents selecting secrets recursively.
Previously, one could use like in his queries e.g.:

select key
from vault_kv_secret
where path = 'secret/'
    and key like 'my/secret/path/%'
order by key;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pdecat @graza-io

Comments