feat(Vault): custom prefix for test credentials (#3043)

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2025-09-16 09:26:22 +02:00 · 2021-08-11 16:20:08 +02:00
parent c66c868d7c
commit 97b84429f1
3 changed files with 73 additions and 27 deletions
--- a/documentation/docs/infrastructure/vault.md
+++ b/documentation/docs/infrastructure/vault.md
@@ -117,4 +117,10 @@ The `vaultTestCredentialPath` parameter is the endpoint of your credential path

 The `vaultTestCredentialKeys`parameter is a list of credential IDs. The secret value of the credential will be exposed as an environment variable prefixed by "PIPER_TESTCREDENTIAL_" and transformed to a valid variable name. For a credential ID named `myAppId` the forwarded environment variable to the step will be `PIPER_TESTCREDENTIAL_MYAPPID` containing the secret. Hyphens will be replaced by underscores and other non-alphanumeric characters will be removed.

+!!! hint "Using a custom prefix for test credentials"
+    By default the prefix for test credentials is `PIPER_TESTCREDENTIAL_`.
+
+    It is possible to use a custom prefix by setting for example `vaultTestCredentialEnvPrefix: MY_CUSTOM_PREFIX` in your configuration.
+    With this above credential ID named `myAppId` will be populated into an environment variable with the name `MY_CUSTOM_PREFIX_MYAPPID`.
+
 Extended logging for vault secret fetching (e.g. found credentials and environment variable names) can be activated via `verbose: true` configuration.
--- a/pkg/config/vault.go
+++ b/pkg/config/vault.go
@@ -15,7 +15,7 @@ import (
 const (
 	vaultTestCredentialPath              = "vaultTestCredentialPath"
 	vaultTestCredentialKeys              = "vaultTestCredentialKeys"
-	vaultTestCredentialEnvPrefix = "PIPER_TESTCREDENTIAL_"
+	vaultTestCredentialEnvPrefix_Default = "PIPER_TESTCREDENTIAL_"
 )

 var (
@@ -27,6 +27,7 @@ var (
 		"vaultBasePath",
 		"vaultPipelineName",
 		"vaultPath",
+		"vaultTestCredentialEnvPrefix",
 		"skipVault",
 		"vaultDisableOverwrite",
 		vaultTestCredentialPath,
@@ -165,7 +166,7 @@ func resolveVaultTestCredentials(config *StepConfig, client vaultClient) {
 			continue
 		}
 		secretsResolved := false
-		secretsResolved = populateTestCredentialsAsEnvs(secret, keys)
+		secretsResolved = populateTestCredentialsAsEnvs(config, secret, keys)
 		if secretsResolved {
 			// prevent overwriting resolved secrets
 			// only allows vault test credentials on one / the same vault path
@@ -174,7 +175,12 @@ func resolveVaultTestCredentials(config *StepConfig, client vaultClient) {
 	}
 }

-func populateTestCredentialsAsEnvs(secret map[string]string, keys []string) (matched bool) {
+func populateTestCredentialsAsEnvs(config *StepConfig, secret map[string]string, keys []string) (matched bool) {
+
+	vaultTestCredentialEnvPrefix, ok := config.Config["vaultTestCredentialEnvPrefix"].(string)
+	if !ok || len(vaultTestCredentialEnvPrefix) == 0 {
+		vaultTestCredentialEnvPrefix = vaultTestCredentialEnvPrefix_Default
+	}
 	for secretKey, secretValue := range secret {
 		for _, key := range keys {
 			if secretKey == key {
--- a/pkg/config/vault_test.go
+++ b/pkg/config/vault_test.go
@@ -219,7 +219,10 @@ func addAlias(param *StepParameters, aliasName string) {
 	param.Aliases = append(param.Aliases, alias)
 }

-func Test_resolveVaultTestCredentials(t *testing.T) {
+func TestResolveVaultTestCredentials(t *testing.T) {
+	t.Parallel()
+	t.Run("Default credential prefix", func(t *testing.T) {
+		t.Parallel()
 		// init
 		vaultMock := &mocks.VaultMock{}
 		envPrefix := "PIPER_TESTCREDENTIAL_"
@@ -245,6 +248,37 @@ func Test_resolveVaultTestCredentials(t *testing.T) {
 			assert.NotEmpty(t, os.Getenv(env))
 			assert.Equal(t, os.Getenv(env), v)
 		}
+	})
+
+	t.Run("Custom credential prefix", func(t *testing.T) {
+		t.Parallel()
+		// init
+		vaultMock := &mocks.VaultMock{}
+		envPrefix := "CUSTOM_CREDENTIAL_"
+		stepConfig := StepConfig{Config: map[string]interface{}{
+			"vaultPath":                    "team1",
+			"vaultTestCredentialPath":      "appCredentials",
+			"vaultTestCredentialKeys":      []interface{}{"appUser", "appUserPw"},
+			"vaultTestCredentialEnvPrefix": envPrefix,
+		}}
+
+		defer os.Unsetenv("CUSTOM_CREDENTIAL_APPUSER")
+		defer os.Unsetenv("CUSTOM_CREDENTIAL_APPUSERPW")
+
+		// mock
+		vaultData := map[string]string{"appUser": "test-user", "appUserPw": "password1234"}
+		vaultMock.On("GetKvSecret", "team1/appCredentials").Return(vaultData, nil)
+
+		// test
+		resolveVaultTestCredentials(&stepConfig, vaultMock)
+
+		// assert
+		for k, v := range vaultData {
+			env := envPrefix + strings.ToUpper(k)
+			assert.NotEmpty(t, os.Getenv(env))
+			assert.Equal(t, os.Getenv(env), v)
+		}
+	})
 }

 func Test_convertEnvVar(t *testing.T) {