Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consistent consul secrets parameter names #15400

Merged
merged 10 commits into from
May 19, 2022
Merged

Consistent consul secrets parameter names #15400

merged 10 commits into from
May 19, 2022

Conversation

robmonte
Copy link
Member

@robmonte robmonte commented May 12, 2022
edited
Loading

Description

With the Consul secrets engine improvements, several new parameters were added. Roles for example, but since Vault uses the term roles already, the parameter was named consul_roles. Similarly, the parameter for Consul namespaces was named consul_namespace. For example:

$ vault write consul/roles/my-role consul_roles="role1"
and
$ vault write -namespace="ns1" consul/roles/my-role consul_namespace="ns2"

This has created an inconsistent naming convention for the parameters. A counterexample to the above is policies, as both Consul and Vault use them, yet the parameter is simply named policies without the "consul_" prefix:
$ vault write consul/roles/my-role policies="global-management"

Solution

We could consider renaming the parameters to be consistent, and if so decide which parameters would get renamed.
This draft PR changes most of the remaining parameters for configuring Vault roles to use with Consul. They are listed below:

  • local -> consul_local
  • policies -> consul_policies
  • partition -> consul_partition
  • ttl -> consul_ttl
  • max_ttl -> consul_max_ttl
  • service_identities -> consul_service_identities
  • node_identities -> consul_node_identities

As you can see, some of these become particularly long-winded which may not be good UX:
$ vault write consul/roles/my-role consul_local=true consul_ttl=1h consul_max_ttl=2h consul_service_identities="myserv-1:dc1"

Perhaps only a subset of these could be changed yet still make it feel more consistent?

@robmonte
Copy link
Member Author

robmonte commented May 13, 2022
edited
Loading

After taking more time to consider the UX with these changes yesterday, I am backtracking on which parameters could be changed to feel "consistent". I also made a mistake with TTL.

  • TTL fields are Vault token TTLs, not Consul fields. This definitely shouldn't be changed.
  • The local field changes if Consul SecretIDs are replicated or not. While Vault has a local field, it applies to the secret engine itself and cannot be applied to individual roles or tokens, so I don't consider this conflicting.
  • Node and service identity is unique enough so using the "consul_" prefix is superfluous.
  • The isolation provided by Consul admin partitions is already provided by Vault namespaces, so Vault is unlikely to adopt the terminology in the future.

 

The current changes in the PR now are:

  • A new parameter called consul_policies that is a clone of policies.
  • The policies parameter's description states to use consul_policies instead. Should this have a deprecated tag?
  • The policy parameter and token_type parameter have Deprecated: true added.
  • Removed the "lease" field from the role read response because it is duplicate data and deprecated.

With this implementation, Vault will accept Consul policies via either name policies or consul_policies by passing any values given from the first one into the second.

@robmonte robmonte marked this pull request as ready for review May 16, 2022 16:45
@robmonte robmonte requested a review from a team May 16, 2022 16:45
austingebauer
austingebauer reviewed May 16, 2022
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good! I agree with your assessment of the various fields in the comment. Left a few small suggestions.

builtin/logical/consul/path_roles.go Outdated Show resolved Hide resolved
builtin/logical/consul/path_roles.go Show resolved Hide resolved
builtin/logical/consul/path_roles.go Show resolved Hide resolved
builtin/logical/consul/path_roles.go Outdated Show resolved Hide resolved
fairclothjm
fairclothjm reviewed May 17, 2022
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Looking good! Should we add some unit tests to cover the new fields?

@robmonte robmonte merged commit 850100c into main May 19, 2022
@robmonte robmonte deleted the consistent-consul-secrets-parameter-names branch May 19, 2022 19:44
@robmonte robmonte added this to the 1.11.0-rc1 milestone May 20, 2022
Gabrielopesantos pushed a commit to Gabrielopesantos/vault that referenced this pull request Jun 6, 2022
@robmonte @Gabrielopesantos
secrets/consul: Use consistent parameter names (hashicorp#15400)
d75e0ba 
* Add "consul_policies" parameter and deprecate "policies" parameter

* Update tests and remove superfluous log statements
@optiz0r optiz0r mentioned this pull request Jul 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@austingebauer austingebauer austingebauer left review comments

@fairclothjm fairclothjm fairclothjm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.11.0-rc1
Development

Successfully merging this pull request may close these issues.
3 participants
@robmonte @fairclothjm @austingebauer