What do I want to achieve?
Be able to create an AuthEngineMount CR that mounts an auth engine exactly at /auth/<spec.path> (e.g. /auth/kubernetes_test), without the additional /<metadata.name> suffix.
What is the problem I have?
Right now, the operator always generates the final mount path as (vault-config-operator/api/v1alpha1/authenginemount_types.go, lines 60 to 65 in 48dc775):

    func (d *AuthEngineMount) GetPath() string {
        if d.Spec.Name != "" {
            return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name)
        }
        return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Name)
    }
This makes it impossible to manage an auth mount at /auth/kubernetes, because it will always end up as /auth/kubernetes/<metadata.name>.
The issue for us is that our internal automation expects the auth method to be mounted exactly at /auth/<spec.path> (e.g. /auth/kubernetes_test). It fails if the operator appends an extra segment.
Feature request
Please extend AuthEngineMount so that it can generate the final path without the /<metadata.name> suffix.
Introduce a new optional field in AuthEngineMountSpec and similar resources:
    spec:
      path: kubernetes_path
      type: kubernetes
      flatMountName: true

- When flatMountName: false (default), keep the current behavior: /auth/<spec.path>/<metadata.name>.
- When flatMountName: true, mount directly at /auth/<spec.path>.
This is backward-compatible and makes the behavior explicit for users.
Can I implement it?
Yes, I can prepare a PR for this.
I understand that the change should not only cover AuthEngineMount, but also all the specific auth engine resource types supported by the operator (for example KubernetesAuthEngineConfig, KubernetesAuthEngineRole, and others), because they all rely on the mount path.
Concretely, the work would include:
- Adding flatMount: bool to the CRD specs where applicable.
- Updating the GetPath() logic in AuthEngineMount.
- Updating CRD docs and operator documentation.
- Providing example CRs with flatMount: true.
Example implementation
A possible implementation of the updated path logic in AuthEngineMount could look like this:
    func (d *AuthEngineMount) GetPath() string {
        // An explicit spec.name still takes precedence.
        if d.Spec.Name != "" {
            return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name)
        }
        // flatMount: mount directly at <engine list path>/<spec.path>, no metadata.name segment.
        if d.Spec.FlatMount {
            return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path))
        }
        // Default: current behavior, metadata.name appended as the last segment.
        return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Name)
    }
Please take a look @sabre1041 @raffaelespazzoli
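Added example (not the operator's code) showing the proposed precedence in a stand-alone program, plus a check for the side effect a reviewer would want to see covered: once metadata.name is dropped from the path, two CRs sharing spec.path claim the same Vault mount. The types, cleansePath and the "auth" list path are simplified stand-ins for the operator's real ones.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the operator's CR and spec (assumption: Name plays the role of metadata.name).
type AuthEngineMountSpec struct {
	Path      string
	Name      string
	FlatMount bool
}
type AuthEngineMount struct {
	Name string
	Spec AuthEngineMountSpec
}
// cleansePath stands in for vaultutils.CleansePath: drop empty path segments.
func cleansePath(p string) string {
	return strings.Join(strings.FieldsFunc(p, func(r rune) bool { return r == '/' }), "/")
}
// GetPath: explicit spec.name wins, then flatMount, else the current /auth/<path>/<name>.
func (d *AuthEngineMount) GetPath() string {
	base := "auth/" + d.Spec.Path // assumption: the engine list path is "auth"
	if d.Spec.Name != "" {
		return cleansePath(base + "/" + d.Spec.Name)
	}
	if d.Spec.FlatMount {
		return cleansePath(base)
	}
	return cleansePath(base + "/" + d.Name)
}
// FindPathCollisions: paths claimed by more than one CR (possible once metadata.name is dropped).
func FindPathCollisions(mounts []AuthEngineMount) map[string][]string {
	byPath, dups := map[string][]string{}, map[string][]string{}
	for _, m := range mounts {
		p := m.GetPath()
		byPath[p] = append(byPath[p], m.Name)
		if len(byPath[p]) > 1 {
			dups[p] = byPath[p]
		}
	}
	return dups
}
func main() {
	// Constructed sample: two flat mounts with the same spec.path collide.
	ms := []AuthEngineMount{{Name: "a", Spec: AuthEngineMountSpec{Path: "kubernetes_test", FlatMount: true}},
		{Name: "b", Spec: AuthEngineMountSpec{Path: "kubernetes_test", FlatMount: true}}}
	fmt.Println("/"+ms[0].GetPath(), FindPathCollisions(ms))
}
```

A validating webhook or the reconciler could run the same collision check before calling Vault, since metadata.name uniqueness no longer guarantees a unique mount path when flatMount is set.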