add shared path support to credhub#9615

Open
VikranthBala wants to merge 2 commits into concourse:master from VikranthBala:master
@VikranthBala

Changes proposed by this PR

As of now, it is not possible to configure shared paths for Credhub cred manager as opposed to other cred managers such as Vault, AWS. So I propose to add a new parameter --credhub-shared-path similar to the Vault cred manager. This parameter can be optional (as with Vault). This PR provides all the changes needed for this functionality.

Notes to reviewer

Release Note

Added `--credhub-shared-path` to configure shared secret paths for Credhub cred manager similarly to the one for Vault, SSM.

PR is for the issue: #9062

@VikranthBala VikranthBala requested a review from a team as a code owner June 23, 2026 15:22
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 23, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

@taylorsilva taylorsilva left a comment

Member

This looks good! Change the lookup path logic for it and then this looks good to merge.

Comment on lines +30 to +32
if c.sharedPath != "" {
lookupPaths = append(lookupPaths, creds.NewSecretLookupWithPrefix(c.sharedPath+"/"))
}
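
Review bot: on the `creds.NewSecretLookupWithPrefix(c.sharedPath+"/")` line the configured value is concatenated as-is, so a shared path supplied with a trailing slash yields a lookup prefix ending in `//`. Normalise the value before appending the separator, for example with `path.Join`, which drops a trailing slash, and add a test case for a shared path configured with and without the trailing slash.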


I think this should also include the c.prefix. I think the credhub semantics are similar to Vault's. Both var sources have a PathPrefix that is, as per their descriptions:

Path under which to namespace credential lookup.

Which in Vault means all secret lookups happen under the PathPrefix. See

if v.SharedPath != "" {
	lookupPaths = append(lookupPaths, creds.NewSecretLookupWithPrefix(path.Join(v.Prefix, v.SharedPath)+"/"))
}

Contrasting that, we don't do that in the SSM cred manager:

if s.sharedPath != "" {
	lookupPaths = append(lookupPaths, creds.NewSecretLookupWithPrefix(s.sharedPath+"/"))
}

but that's because it has no PathPrefix:
type SsmManager struct {
	AwsAccessKeyID string `mapstructure:"access_key" long:"access-key" description:"AWS Access key ID"`
	AwsSecretAccessKey string `mapstructure:"secret_key" long:"secret-key" description:"AWS Secret Access Key"`
	AwsSessionToken string `mapstructure:"session_token" long:"session-token" description:"AWS Session Token"`
	AwsRegion string `mapstructure:"region" long:"region" description:"AWS region to send requests to"`
	PipelineSecretTemplate string `mapstructure:"pipeline_secret_template" long:"pipeline-secret-template" description:"AWS SSM parameter name template used for pipeline specific parameter" default:"/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}"`
	TeamSecretTemplate string `mapstructure:"team_secret_template" long:"team-secret-template" description:"AWS SSM parameter name template used for team specific parameter" default:"/concourse/{{.Team}}/{{.Secret}}"`
	SharedPath string `mapstructure:"shared_path" long:"shared-path" description:"AWS SSM parameter path used for shared parameters"`
	Ssm *Ssm
}
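
The two ways of building the shared lookup prefix discussed in this review, side by side, as an added Go example that is not Concourse's code. `lookupPrefixes` and `outsideNamespace` are hypothetical helpers, and the prefix, team, pipeline and shared-path values are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// lookupPrefixes is a hypothetical helper (not Concourse's API). It returns the
// ordered prefixes a secret lookup would try: pipeline, then team, then shared.
// joinShared=true joins the shared path under prefix (the Vault form quoted in
// the review); joinShared=false uses it verbatim (the form under review).
func lookupPrefixes(prefix, team, pipeline, shared string, joinShared bool) []string {
	out := []string{
		path.Join(prefix, team, pipeline) + "/",
		path.Join(prefix, team) + "/",
	}
	if shared != "" {
		if joinShared {
			out = append(out, path.Join(prefix, shared)+"/")
		} else {
			out = append(out, shared+"/")
		}
	}
	return out
}

// outsideNamespace returns the lookup prefixes that do not sit under prefix,
// i.e. lookups that would leave the namespace the operator configured.
func outsideNamespace(prefix string, prefixes []string) []string {
	root := path.Clean(prefix) + "/"
	var bad []string
	for _, p := range prefixes {
		if !strings.HasPrefix(path.Clean(p)+"/", root) {
			bad = append(bad, p)
		}
	}
	return bad
}

func main() {
	// Constructed sample values, not taken from the PR.
	for _, join := range []bool{false, true} {
		ps := lookupPrefixes("/concourse", "main", "deploy", "shared", join)
		fmt.Println("joined:", join, ps, "outside prefix:", outsideNamespace("/concourse", ps))
	}
}
```

With the verbatim form the shared lookup resolves outside the configured path prefix, so any access policy scoped to that prefix does not cover it.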


PathPrefix string `long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`

SharedPath string `long:"shared-path" description:"CredHub parameter path used for shared parameters"`
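
Review bot: the `SharedPath` description does not say whether the value is resolved under `PathPrefix` (default `/concourse`) or taken as an absolute CredHub path. With the two flags declared side by side, state that relationship in the description so operators know where shared credentials have to be stored and which path their CredHub permissions need to cover.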


nit: change description to match Vault's

Suggested change
SharedPath string `long:"shared-path" description:"CredHub parameter path used for shared parameters"`
SharedPath string `long:"shared-path" description:"Path under which to namespace credential lookup."`

@taylorsilva taylorsilva moved this from Todo to Waiting on Contributor in Pull Requests Jun 26, 2026
@VikranthBala

VikranthBala commented Jul 2, 2026

Author

Thanks for the review, I will have a look at the comments & update the PR

Projects

Status: Waiting on Contributor