From 45b28966a20e7504fe7ea017eed1f674cac3ca5a Mon Sep 17 00:00:00 2001
From: Mikhail Zholobov
Date: Fri, 6 May 2016 14:23:38 +0300
Subject: [PATCH 1/2] vault_secret: Save secret value to the nested attribute

It allows to avoid conflicts with other top-level attributes.
---
 libraries/vault_secret.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libraries/vault_secret.rb b/libraries/vault_secret.rb
index 6f2d7098..32ecc34e 100644
--- a/libraries/vault_secret.rb
+++ b/libraries/vault_secret.rb
@@ -56,7 +56,8 @@ def config
 notifying_block do
 run_context.include_recipe 'hashicorp-vault::gems'
- lease_id = node[new_resource.path]
+ node.default_unless['hashicorp-vault']['leases'] = []
+ lease_id = node['hashicorp-vault']['leases'][new_resource.path]
 begin
 client = Vault::Client.new(new_resource.config)
@@ -87,7 +88,7 @@ def config
 return
 end
- node.set[new_resource.path] = secret.lease_id if secret.renewable?
+ node.set['hashicorp-vault']['leases'][new_resource.path] = secret.lease_id if secret.renewable?
 # Store secret in-memory for the rest of the Chef run
 node.run_state[new_resource.path] = secret
 new_resource.updated_by_last_action(true)

From 3ca1413b25bceac9754d84ef1afd576991ae591b Mon Sep 17 00:00:00 2001
From: Mikhail Zholobov
Date: Wed, 11 May 2016 15:45:38 +0300
Subject: [PATCH 2/2] vault_secret: Add "run_state_reference" property

---
 libraries/vault_secret.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libraries/vault_secret.rb b/libraries/vault_secret.rb
index 32ecc34e..93bbff9a 100644
--- a/libraries/vault_secret.rb
+++ b/libraries/vault_secret.rb
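Review bot: The new `leases` default is an Array, but the very next added line indexes it with `new_resource.path`, a String, so on a node that has no persisted normal attribute under that key yet the merged value is the empty array and `[]` should raise TypeError (no implicit conversion of String into Integer) before the `begin` block is even reached; on later runs the Hash written by `node.set` wins the merge, which would hide the failure after the first converge. The lease map should default to a Hash: `node.default_unless['hashicorp-vault']['leases'] = {}`. This assumes no attributes file already sets the key to a Hash, which I cannot see from the hunk; the enclosing method continues outside the hunk as well.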
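Review bot: In the second hunk, when `secret.renewable?` is false the new `node.set` line leaves any lease id previously persisted for the same path in place, so a later run picks up a stale id from the normal attribute; how `lease_id` is consumed is outside the hunk, so whether that reaches a renew call cannot be confirmed here. Clearing the entry in that case keeps the persisted map consistent with the last read: `node.set['hashicorp-vault']['leases'].delete(new_resource.path) unless secret.renewable?`. Note also that `node.set` is an alias of `node.normal`, whose values are saved to the Chef server at the end of the run, so the lease id (a handle for renewing or revoking the lease) and the secret path it belongs to become visible to anyone who can read the node object; a one-line comment stating that this persistence is intentional and what it is for would help the next maintainer.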
@@ -27,6 +27,10 @@ class VaultSecret < Chef::Resource
 # The number of attempts to try & read a Vault secret.
 # @return [Fixnum]
 attribute(:attempts, kind_of: Fixnum, default: 2)
+ # The run state reference where the secret value will be saved,
+ # e.q. node.run_state['run_state_reference']
+ # @return [String]
+ attribute(:run_state_reference, kind_of: String, default: nil)
 # @see https://github.com/hashicorp/vault-ruby
 attribute(:address, kind_of: String, required: true)
 attribute(:token, kind_of: String)
@@ -90,7 +94,8 @@ def config
 node.set['hashicorp-vault']['leases'][new_resource.path] = secret.lease_id if secret.renewable?
 # Store secret in-memory for the rest of the Chef run
- node.run_state[new_resource.path] = secret
+ reference = new_resource.run_state_reference || new_resource.path
+ node.run_state[reference] = secret
 new_resource.updated_by_last_action(true)
 rescue Vault::HTTPError => e
 Chef::Log.warn("Failed to read #{new_resource.path}.\n" + e.message)
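Review bot: The added property comment has a typo (`e.q.` for `e.g.`) and does not say what happens when the property is left at its nil default; the second hunk falls back to the secret path, so the comment should state that: `# The node.run_state key under which the secret is stored, e.g. node.run_state['run_state_reference']; defaults to the secret path`. It would also help to mention that run_state keys are shared by every cookbook in the run, so a caller-chosen reference should be namespaced rather than a generic name like 'password'. The `@return [String]` tag is fine, but with `default: nil` the documented type is really `[String, nil]`.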
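Review bot: `node.run_state[reference] = secret` silently replaces whatever another resource or cookbook stored under the same key, and with a caller-chosen `run_state_reference` a collision is now more likely than when the key was always the secret path; the secret object that was there before is lost without any trace in the log. A warning before the assignment makes such a clash visible during the run: `Chef::Log.warn("run_state['#{reference}'] is already set, overwriting") if node.run_state.key?(reference)`. The enclosing block continues outside the hunk (the `rescue` shown in the trailing context is closed below the last line).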