Make Vault Secret auth method path configurable

Currently Vault Secrets are using partially hardcoded configuration for the authentication method. While the Vault server URL and the role name for JWT authentication method can be configured with the variables, the authentication method path is hardoced to `jwt`. This may limit the usability of our solution. This change makes this value configurable with the `VAULT_AUTH_PATH` variable (similar to how `VAULT_SERVER_URL` and `VAULT_AUTH_ROLE` are being used already) and ensures that in case when the variable is not defined by the user, it will fall-back to the `jwt` value that we have hardcoded now.

Make Vault Secret auth method path configurable
Currently Vault Secrets are using partially hardcoded configuration for the authentication method. While the Vault server URL and the role name for JWT authentication method can be configured with the variables, the authentication method path is hardoced to `jwt`. This may limit the usability of our solution. This change makes this value configurable with the `VAULT_AUTH_PATH` variable (similar to how `VAULT_SERVER_URL` and `VAULT_AUTH_ROLE` are being used already) and ensures that in case when the variable is not defined by the user, it will fall-back to the `jwt` value that we have hardcoded now.
87377e92 · Tomasz Maczukin · ec8e1aa7 · 87377e92 · 87377e92 · 87377e92
Commit 87377e92 authored Aug 25, 2020 by Tomasz Maczukin
3 changed files
--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -148,8 +148,8 @@ module EE
        variable_value('VAULT_SERVER_URL').present?
      end

-      def variable_value(key)
-        variables_hash[key]
+      def variable_value(key, default = nil)
+        variables_hash.fetch(key, default)
      end

      private

--- a/ee/app/presenters/ee/ci/build_runner_presenter.rb
+++ b/ee/app/presenters/ee/ci/build_runner_presenter.rb
@@ -19,7 +19,7 @@ module EE
          'url' => variable_value('VAULT_SERVER_URL'),
          'auth' => {
            'name' => 'jwt',
-            'path' => 'jwt',
+            'path' => variable_value('VAULT_AUTH_PATH', 'jwt'),
            'data' => {
              'jwt' => '${CI_JOB_JWT}',
              'role' => variable_value('VAULT_AUTH_ROLE')

--- a/ee/spec/presenters/ci/build_runner_presenter_spec.rb
+++ b/ee/spec/presenters/ci/build_runner_presenter_spec.rb
@@ -63,6 +63,24 @@ RSpec.describe Ci::BuildRunnerPresenter do
          end
        end
      end
+
+      context 'Vault auth path' do
+        let(:vault_auth) { presenter.secrets_configuration.dig('DATABASE_PASSWORD', 'vault', 'server', 'auth') }
+
+        context 'VAULT_AUTH_PATH CI variable is present' do
+          it 'contains user defined auth path' do
+            create(:ci_variable, project: ci_build.project, key: 'VAULT_AUTH_PATH', value: 'custom/path')
+
+            expect(vault_auth.fetch('path')).to eq('custom/path')
+          end
+        end
+
+        context 'VAULT_AUTH_PATH CI variable is not present' do
+          it 'contains the default auth path' do
+            expect(vault_auth.fetch('path')).to eq('jwt')
+          end
+        end
+      end
    end
  end
 end