Changes proposed by this PR
Closing #8712 in favor of this approach. Copying the bulk of the description here because the intent is the same.
Support for Vault kv2 was added in #6115. That supports both kv1 and kv2, but as mentioned in the docs, only a single prefix path is supported:
This PR enables multiple prefix paths and then does the lookup of the secrets in each, for each path template configured.
The idea in our org is to enable a smooth transition of teams from kv1 -> kv2. Without this we'd need to do a big bang release of ensuring all teams have migrated their secrets to the new engine, then update the Concourse config to point at kv2. Instead with this change we can support both, and let someone else herd the cats. 🙂
Note this would potentially double the number of API calls to Vault. I don't see that's a reason to not do it, but something to call out in the docs at a minimum.
Notes to reviewer
Believe the approach in #8712 isn't viable due to var_sources. Instead trying the creation of a separate --path-prefixes config option. I tested locally with the following config:
Quick example of local testing:
Where kv2-test secret only exists in the kv2 path, and kv1-test secret only exists in the kv1 path. This results in
Hello world! Hello from kv2! Hello from kv1!
Release Note
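The multi-prefix lookup described above, as an added example that is not code from this PR or from Concourse: it expands each path template under each prefix, returns the first hit with the path that served it, and counts reads to show the extra Vault traffic. The prefixes, the `{team}`/`{pipeline}`/`{secret}` placeholder syntax, the lookup order and the in-memory `sampleVault` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleVault is a constructed in-memory stand-in for Vault that mirrors the
// PR's test: each secret exists under only one engine's prefix.
var sampleVault = map[string]string{
	"/kv2/concourse/main/kv2-test": "Hello from kv2!",
	"/kv1/concourse/main/kv1-test": "Hello from kv1!",
}

// candidatePaths expands every template under every prefix. The ordering
// (templates outermost, prefixes in configured order) is an assumption.
func candidatePaths(prefixes, templates []string, team, pipeline, secret string) []string {
	r := strings.NewReplacer("{team}", team, "{pipeline}", pipeline, "{secret}", secret)
	var paths []string
	for _, t := range templates {
		for _, p := range prefixes {
			paths = append(paths, strings.TrimRight(p, "/")+r.Replace(t))
		}
	}
	return paths
}

// lookup tries each path in order and returns the first hit, the path that
// served it (which engine won), and how many reads were issued to get there.
func lookup(vault map[string]string, paths []string) (val, path string, reads int, ok bool) {
	for _, p := range paths {
		reads++
		if v, found := vault[p]; found {
			return v, p, reads, true
		}
	}
	return "", "", reads, false
}

func main() {
	prefixes := []string{"/kv2/concourse", "/kv1/concourse"} // constructed prefixes
	templates := []string{"/{team}/{pipeline}/{secret}", "/{team}/{secret}"}
	for _, s := range []string{"kv2-test", "kv1-test", "absent"} {
		paths := candidatePaths(prefixes, templates, "main", "demo", s)
		val, path, reads, ok := lookup(sampleVault, paths)
		fmt.Printf("%-8s found=%-5t value=%q path=%q reads=%d\n", s, ok, val, path, reads)
	}
}
```

With two prefixes, a secret that lives only under the second prefix and matches only the last template costs four reads instead of two, and a name present under both prefixes resolves to whichever prefix is listed first.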