From 7e463a7367ab5d07406a7c1dd556b505455191fd Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 29 May 2025 00:00:02 -0500
Subject: [PATCH 1/2] Add secrets profile to set up a KVv2 mount

This mirrors a dev mode server, but allows us to apply it for
production/durable servers.

Signed-off-by: Alexander Scheel
---
 pkg/bao/profile.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/pkg/bao/profile.go b/pkg/bao/profile.go
index 996d461..176d1ce 100644
--- a/pkg/bao/profile.go
+++ b/pkg/bao/profile.go
@@ -12,6 +12,7 @@ const (
 PKIProfile string = "pki"
 TransitProfile string = "transit"
 UserpassProfile string = "userpass"
+SecretProfile string = "secret"
 )
 
 func ListProfiles() []string {
@@ -19,6 +20,7 @@ func ListProfiles() []string {
 PKIProfile,
 TransitProfile,
 UserpassProfile,
+SecretProfile,
 }
 }
 
@@ -30,6 +32,8 @@ func ProfileDescription(name string) string {
 return "enable transit for auto-unseal of another cluster"
 case UserpassProfile:
 return "enable userpass authentication and sample policy"
+case SecretProfile:
+return "enable a KVv2 static secret engine"
 }
 
 return ""
@@ -43,6 +47,8 @@ func ProfileSetup(client *api.Client, profile string) ([]string, error) {
 return ProfileTransitSealMountSetup(client)
 case UserpassProfile:
 return ProfileUserpassMountSetup(client)
+case SecretProfile:
+return ProfileSecretMountSetup(client)
 default:
 return nil, fmt.Errorf("unknown profile to apply: %v", profile)
 }
@@ -56,6 +62,8 @@ func ProfileRemove(client *api.Client, profile string) ([]string, error) {
 return ProfileTransitSealMountRemove(client)
 case UserpassProfile:
 return ProfileUserpassMountRemove(client)
+case SecretProfile:
+return ProfileSecretMountRemove(client)
 default:
 return nil, fmt.Errorf("unknown profile to apply: %v", profile)
 }
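Review bot: The new ProfileDescription case in the @@ -30 hunk does not tell the operator which mount path the profile claims, yet ProfileSecretMountSetup mounts at the fixed path "secret" and ProfileSecretMountRemove unmounts that same path, so a user cannot tell from the description that an existing `secret/` mount will collide on setup or be torn down on removal. Naming the path in the description is a one-line change: `return "enable a KVv2 static secret engine at secret/"`. The const, ListProfiles, ProfileSetup and ProfileRemove hunks are consistent with each other and need no change; ProfileSetup and ProfileRemove both begin and end outside their hunks.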
@@ -392,6 +400,10 @@ path "transit/random" {
 path "transit/random/*" {
 capabilities = ["create", "update"]
 }
+
+path "secret/+/scratch/*" {
+capabilities = ["create", "read", "update", "patch", "list", "scan"]
+}
 `

 func ProfileUserpassMountSetup(client *api.Client) ([]string, error) {
@@ -438,3 +450,21 @@ func ProfileUserpassMountRemove(client *api.Client) ([]string, error) {
 
 return nil, nil
 }
+
+func ProfileSecretMountSetup(client *api.Client) ([]string, error) {
+if err := client.Sys().Mount("secret", &api.MountInput{
+Type: "kv-v2",
+}); err != nil {
+return nil, fmt.Errorf("failed to mount transit instance: %w", err)
+}
+
+return nil, nil
+}
+
+func ProfileSecretMountRemove(client *api.Client) ([]string, error) {
+if err := client.Sys().Unmount("secret"); err != nil {
+return nil, fmt.Errorf("failed to remove secret mount: %w", err)
+}
+
+return nil, nil
+}

From 2bb48a3b2cce1289318d02b66abdc8b417d68dd2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Tue, 25 Nov 2025 12:31:17 -0600
Subject: [PATCH 2/2] Update pkg/bao/profile.go

Co-authored-by: Wojciech Slabosz
---
 pkg/bao/profile.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/bao/profile.go b/pkg/bao/profile.go
index 176d1ce..4619310 100644
--- a/pkg/bao/profile.go
+++ b/pkg/bao/profile.go
@@ -455,7 +455,7 @@ func ProfileSecretMountSetup(client *api.Client) ([]string, error) {
 if err := client.Sys().Mount("secret", &api.MountInput{
 Type: "kv-v2",
 }); err != nil {
-return nil, fmt.Errorf("failed to mount transit instance: %w", err)
+return nil, fmt.Errorf("failed to mount kv2 instance: %w", err)
 }
 
 return nil, nil
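Review bot: The added policy rule `path "secret/+/scratch/*"` is broader than its capability list suggests: the `+` segment matches every KVv2 API prefix under the mount, so `update` on it also covers `secret/delete/scratch/*`, `secret/undelete/scratch/*` and `secret/destroy/scratch/*`, which are update-style endpoints, meaning the sample policy can soft-delete and permanently destroy versions even though no `delete` capability is listed. If that is intended, the policy should say so in a comment above the rule, e.g. `# "+" spans data/, metadata/, delete/, undelete/ and destroy/; update on the latter three allows version removal`; if not, enumerate `secret/data/scratch/*` and `secret/metadata/scratch/*` explicitly instead of the wildcard. The rule is also granted unconditionally by whichever profile installs this policy, whether or not the secret profile has actually mounted `secret/`. The raw string literal holding the policy begins before the hunk.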
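Review bot: ProfileSecretMountSetup and ProfileSecretMountRemove in the @@ -438 hunk are exported but carry no doc comment, and the removal side deserves one because `client.Sys().Unmount("secret")` disposes of the mount together with every secret and version stored in it, with no confirmation and no hint in the returned strings. I would add `// ProfileSecretMountSetup mounts a KVv2 secret engine at the fixed path "secret".` and `// ProfileSecretMountRemove unmounts "secret"; all data stored in the KVv2 engine is lost.` above the two functions. Both functions return `nil, nil` on success, so the caller receives no message about what was mounted or removed; returning a short notice, if the other profiles do that, would be consistent. The mount path is hard-coded, so setup presumably fails when `secret/` already exists, which the commit message's comparison with a dev-mode server suggests is a realistic case.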