Fix vault validation (#1240)

Fixes # ## Proposed Changes * Fix tests for Vault after adding validation ## Docs and Tests * [ ] Tests added * [ ] Updated documentation
kapicorp · Sep 24, 2024 · a115bbb · a115bbb
1 parent 04772e3
commit a115bbb
Show file tree

Hide file tree

Showing 14 changed files with 584 additions and 552 deletions.
diff --git a/kapitan/inventory/model/references.py b/kapitan/inventory/model/references.py
@@ -1,6 +1,9 @@
-from typing import List, Optional
+from typing import List, Literal, Optional, Union
 
 from pydantic import BaseModel, ConfigDict
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+from kapitan.utils import StrEnum
 
 
 class KapitanReferenceBaseConfig(BaseModel):
@@ -11,13 +14,44 @@ class KapitanReferenceGPGConfig(KapitanReferenceBaseConfig):
  recipients: List[dict[str, str]] = []
 
 
-class KapitanReferenceVaultKVConfig(KapitanReferenceBaseConfig):
- auth: str
+class KapitanReferenceVaultEnv(BaseSettings):
+ model_config = SettingsConfigDict(
+ env_prefix="VAULT_",
+ )
+ addr: Optional[str] = None
+ skip_verify: Optional[bool] = True
+ client_key: Optional[str] = None
+ client_cert: Optional[str] = None
+ cacert: Optional[str] = None
+ capath: Optional[str] = None
+ namespace: Optional[str] = None
 
 
-class KapitanReferenceVaultTransitConfig(KapitanReferenceBaseConfig):
- key: str
- auth: str
+class VaultEngineTypes(StrEnum):
+ KV = "kv"
+ KV_V2 = "kv-v2"
+ TRANSIT = "transit"
+
+
+class KapitanReferenceVaultCommon(KapitanReferenceVaultEnv):
+ model_config = ConfigDict(use_enum_values=True)
+ engine: Optional[VaultEngineTypes] = None
+ auth: Optional[str] = None
+ crypto_key: Optional[str] = None
+ always_latest: Optional[bool] = False
+ mount: Optional[str] = None
+ key: Optional[str] = None
+
+
+class KapitanReferenceVaultKVConfig(KapitanReferenceVaultCommon):
+ engine: Literal[VaultEngineTypes.KV, VaultEngineTypes.KV_V2] = VaultEngineTypes.KV_V2
+ mount: Optional[str] = "secret"
+
+
+class KapitanReferenceVaultTransitConfig(KapitanReferenceVaultCommon):
+ engine: Literal[VaultEngineTypes.TRANSIT] = VaultEngineTypes.TRANSIT
+ key: Optional[str] = None
+ mount: Optional[str] = "transit"
 
 
 class KapitanReferenceAWKMSConfig(KapitanReferenceBaseConfig):

diff --git a/kapitan/refs/base.py b/kapitan/refs/base.py
@@ -26,13 +26,18 @@
 )
 from kapitan.refs import KapitanReferencesTypes
 from kapitan.refs.functions import eval_func, get_func_lookup
-from kapitan.utils import PrettyDumper, list_all_paths
+from kapitan.utils import PrettyDumper, StrEnum, list_all_paths
 
 try:
  from yaml import CSafeLoader as YamlLoader
 except ImportError:
  from yaml import SafeLoader as YamlLoader
 
+yaml.SafeDumper.add_multi_representer(
+ StrEnum,
+ yaml.representer.SafeRepresenter.represent_str,
+)
+
 logger = logging.getLogger(__name__)
 
 # e.g. ?{ref:my/secret/token} or ?{ref:my/secret/token||func:param1:param2}
@@ -455,19 +460,14 @@ def __init__(self, path, **kwargs):
  def register_backend(self, backend):
  "register backend type"
  assert isinstance(backend, PlainRefBackend)
- self.backends[backend.type_name] = backend
+ self.backends[str(backend.type_name)] = backend
 
  def _get_backend(self, type_name):
  "imports and registers backend according to type_name"
  try:
  return self.backends[type_name]
  except KeyError:
  ref_kwargs = {"embed_refs": self.embed_refs}
- logger.error(
- "RefController: registering backend for type %s for %s",
- type_name,
- KapitanReferencesTypes.PLAIN,
- )
  if type_name == KapitanReferencesTypes.PLAIN:
  from kapitan.refs.base import PlainRefBackend