Add configurable mount point for secret engines (#24)

* Add configurable mount point for secret backends * Update param name * Update attribute name * Bump minor * Template updates and update scripts * Fix ruff format
ghga-de · Mar 5, 2024 · d8ea3d8 · d8ea3d8
1 parent 79b72da
commit d8ea3d8
Show file tree

Hide file tree

Showing 18 changed files with 552 additions and 514 deletions.
diff --git a/.devcontainer/.dev_config.yaml b/.devcontainer/.dev_config.yaml
@@ -17,4 +17,5 @@ vault_role_id: dummy-role
 vault_secret_id: dummy-secret
 vault_verify: True
 vault_path: ekss
+vault_secrets_mount_point: secret
 vault_kube_role: dummy-role
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -48,7 +48,7 @@ repos:
       - id: no-commit-to-branch
         args: [--branch, dev, --branch, int, --branch, main]
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.2.1
+    rev: v0.3.0
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]

diff --git a/.pyproject_generation/pyproject_custom.toml b/.pyproject_generation/pyproject_custom.toml
@@ -1,6 +1,6 @@
 [project]
 name = "fis"
-version = "1.2.0"
+version = "1.3.0"
 description = "File Ingest Service - A lightweight service to propagate file upload metadata to the GHGA file backend services"
 dependencies = [
     "typer>=0.9.0",

diff --git a/README.md b/README.md
@@ -18,21 +18,21 @@ We recommend using the provided Docker container.
 
 A pre-build version is available at [docker hub](https://hub.docker.com/repository/docker/ghga/file-ingest-service):
 ```bash
-docker pull ghga/file-ingest-service:1.2.0
+docker pull ghga/file-ingest-service:1.3.0
 ```
 
 Or you can build the container yourself from the [`./Dockerfile`](./Dockerfile):
 ```bash
 # Execute in the repo's root dir:
-docker build -t ghga/file-ingest-service:1.2.0 .
+docker build -t ghga/file-ingest-service:1.3.0 .
 ```
 
 For production-ready deployment, we recommend using Kubernetes, however,
 for simple use cases, you could execute the service using docker
 on a single server:
 ```bash
 # The entrypoint is preconfigured:
-docker run -p 8080:8080 ghga/file-ingest-service:1.2.0 --help
+docker run -p 8080:8080 ghga/file-ingest-service:1.3.0 --help
 ```
 
 If you prefer not to use containers, you may install the service from source:
@@ -144,6 +144,16 @@ The service requires the following configuration parameters:
 
 - **`vault_path`** *(string)*: Path without leading or trailing slashes where secrets should be stored in the vault.
 
+- **`vault_secrets_mount_point`** *(string)*: Name used to address the secret engine under a custom mount path. Default: `"secret"`.
+
+
+  Examples:
+
+  ```json
+  "secret"
+  ```
+
+
 - **`vault_kube_role`**: Vault role name used for Kubernetes authentication. Default: `null`.
 
   - **Any of**

diff --git a/config_schema.json b/config_schema.json
@@ -111,6 +111,15 @@
       "title": "Vault Path",
       "type": "string"
     },
+    "vault_secrets_mount_point": {
+      "default": "secret",
+      "description": "Name used to address the secret engine under a custom mount path.",
+      "examples": [
+        "secret"
+      ],
+      "title": "Vault Secrets Mount Point",
+      "type": "string"
+    },
     "vault_kube_role": {
       "anyOf": [
         {

diff --git a/example_config.yaml b/example_config.yaml
@@ -33,6 +33,7 @@ vault_kube_role: dummy-role
 vault_path: ekss
 vault_role_id: '**********'
 vault_secret_id: '**********'
+vault_secrets_mount_point: secret
 vault_url: http://127.0.0.1:8200
 vault_verify: true
 workers: 1
diff --git a/lock/requirements-dev-template.in b/lock/requirements-dev-template.in
@@ -1,32 +1,32 @@
 # common requirements for development and testing of services
 
-pytest>=7.2.0
-pytest-asyncio>=0.20.3
-pytest-cov>=4.0.0
+pytest>=7.4.0
+pytest-asyncio>=0.23.0
+pytest-cov>=4.1.0
 pytest-profiling>=1.7.0
 snakeviz>=2.2.0
 
-pre-commit>=3.1.1
+pre-commit>=3.6.0
 
-mypy>=1.0.0
+mypy>=1.8.0
 mypy-extensions>=1.0.0
 
-ruff>=0.0.290
+ruff>=0.3.0
 
 click>=8.1.0
-typer>=0.7.0
+typer>=0.9.0
 
-httpx>=0.26.0
-pytest-httpx>=0.29.0
+httpx>=0.27.0
+pytest-httpx>=0.30.0
 
-urllib3>=1.26.15
-requests>=2.28.2
+urllib3>=1.26.18
+requests>=2.31.0
 
 stringcase>=1.2.0
 jsonschema2md>=1.0.0
-setuptools>=67.7.2
+setuptools>=69.1.0
 
 # required since switch to pyproject.toml and pip-tools
-pip-tools>=7.3.0
+pip-tools>=7.4.0
 tomli>=2.0.1
 tomli_w>=1.0.0
diff --git a/lock/requirements-dev.txt b/lock/requirements-dev.txt
diff --git a/lock/requirements.txt b/lock/requirements.txt
diff --git a/openapi.yaml b/openapi.yaml
@@ -51,7 +51,7 @@ info:
   description: A service to ingest s3 file upload metadata produced by thedata-steward-kit
     upload command
   title: File Ingest Service
-  version: 1.2.0
+  version: 1.3.0
 openapi: 3.1.0
 paths:
   /federated/ingest_metadata:

diff --git a/pyproject.toml b/pyproject.toml
@@ -22,7 +22,7 @@ classifiers = [
     "Intended Audience :: Developers",
 ]
 name = "fis"
-version = "1.2.0"
+version = "1.3.0"
 description = "File Ingest Service - A lightweight service to propagate file upload metadata to the GHGA file backend services"
 dependencies = [
     "typer>=0.9.0",

diff --git a/scripts/list_outdated_dependencies.py b/scripts/list_outdated_dependencies.py
@@ -16,6 +16,7 @@
 # limitations under the License.
 #
 """Check capped dependencies for newer versions."""
+
 import sys
 from collections.abc import Sequence
 from pathlib import Path

diff --git a/scripts/script_utils/deps.py b/scripts/script_utils/deps.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 #
 """Contains utils for working with dependencies, lock files, etc."""
+
 from copy import deepcopy
 from pathlib import Path
 from typing import Any
@@ -55,11 +56,11 @@ def remove_self_dependencies(pyproject: dict) -> dict:
 
     if "optional-dependencies" in project_metadata:
         for group in project_metadata["optional-dependencies"]:
-            project_metadata["optional-dependencies"][
-                group
-            ] = exclude_from_dependency_list(
-                package_name=package_name,
-                dependencies=project_metadata["optional-dependencies"][group],
+            project_metadata["optional-dependencies"][group] = (
+                exclude_from_dependency_list(
+                    package_name=package_name,
+                    dependencies=project_metadata["optional-dependencies"][group],
+                )
             )
 
     return modified_pyproject

diff --git a/scripts/script_utils/lock_deps.py b/scripts/script_utils/lock_deps.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 #
 """Provides a function to get all dependencies from the lock file"""
+
 import re
 from pathlib import Path
 from typing import Optional

diff --git a/scripts/update_hook_revs.py b/scripts/update_hook_revs.py
@@ -16,6 +16,7 @@
 # limitations under the License.
 #
 """Script to ensure the pre-commit hook revs match what is installed."""
+
 import re
 import sys
 from functools import partial
@@ -48,7 +49,7 @@ def get_repl_value(match, dependencies: dict[str, str], outdated_hooks: list[str
 
         # Use the v prefix if it was used before
         if ver.startswith("v"):
-            new_ver = ver[0] + new_ver
+            new_ver = f"v{new_ver}"
 
         # Make a list of what's outdated
         if new_ver != ver:

diff --git a/src/fis/adapters/inbound/fastapi_/configure.py b/src/fis/adapters/inbound/fastapi_/configure.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 #
 """Utils to customize openAPI script"""
+
 from typing import Any
 
 from fastapi import FastAPI

diff --git a/src/fis/adapters/outbound/vault/client.py b/src/fis/adapters/outbound/vault/client.py
@@ -57,6 +57,11 @@ class VaultConfig(BaseSettings):
         description="Path without leading or trailing slashes where secrets should"
         + " be stored in the vault.",
     )
+    vault_secrets_mount_point: str = Field(
+        default="secret",
+        examples=["secret"],
+        description="Name used to address the secret engine under a custom mount path.",
+    )
     vault_kube_role: Optional[str] = Field(
         default=None,
         examples=["file-ingest-role"],
@@ -75,6 +80,7 @@ def __init__(self, config: VaultConfig):
         """Initialized approle based client and login"""
         self._client = hvac.Client(url=config.vault_url, verify=config.vault_verify)
         self._path = config.vault_path
+        self._secrets_mount_point = config.vault_secrets_mount_point
 
         self._kube_role = config.vault_kube_role
         if self._kube_role:
@@ -120,7 +126,10 @@ def store_secret(self, *, secret: str) -> str:
         try:
             # set cas to 0 as we only want a static secret
             self._client.secrets.kv.v2.create_or_update_secret(
-                path=f"{self._path}/{key}", secret={key: secret}, cas=0
+                path=f"{self._path}/{key}",
+                secret={key: secret},
+                cas=0,
+                mount_point=self._secrets_mount_point,
             )
         except hvac.exceptions.InvalidRequest as exc:
             raise self.SecretInsertionError() from exc

diff --git a/tests/fixtures/joint.py b/tests/fixtures/joint.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 #
 """Bundle test fixtures together"""
+
 from collections.abc import AsyncGenerator
 from dataclasses import dataclass