
Make AppRole mount point configurable #15

Merged
fajfer merged 2 commits into main from copilot/make-approle-name-configurable
Mar 16, 2026

Contributor

Copilot AI commented Feb 9, 2026

The AppRole authentication path was hardcoded to approle, causing 403 errors when Vault instances used custom mount points (e.g., auth/my-approle/login).

Changes

  • Config: Add approle_mount_point field to VaultConfig (default: "approle")
  • Integration: Pass mount_point parameter to hvac.Client.auth.approle.login()
  • Manager: Thread config value through to integration layer
  • Docs: Update config.example.yaml with usage example

Usage

vaults:
  - name: production
    address: https://vault.example.com:8200
    auth_method: approle
    role_id_file: /run/secrets/role-id
    secret_id_file: /run/secrets/secret-id
    approle_mount_point: custom-approle  # Defaults to "approle"

Backward compatible - existing configs work unchanged.

Original prompt

This section details on the original issue you should resolve

<issue_title>Approle name should be configurable</issue_title>
<issue_description>Currently, while connecting to the vault chronowarden uses /v1/auth/approle/login but approle string should be actually a variable, because it is an actual name of the approle used. This causes endpoint to return 403 (permission denied while connecting to the vault).</issue_description>

Comments on the Issue (you are @copilot in this section)
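
One way the configured mount point can be validated and handed to hvac's AppRole login, added here as an example and not the code merged in this PR. `AppRoleSettings`, `normalize_mount_point`, `login_path`, `approle_login` and the segment allow-list are assumptions of the example; the `approle_mount_point` field, the two file fields and hvac's `mount_point` argument are the ones named in the description above.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Allow-list for one path segment; this rule is an assumption of the example.
_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def normalize_mount_point(value=None):
    """Return the mount path relative to auth/, or raise ValueError."""
    if value is None:
        return "approle"  # default named in the PR description
    if not isinstance(value, str):
        raise ValueError(f"approle_mount_point must be a string: {value!r}")
    mount = value.strip().strip("/")
    # Rejects empty values, "..", doubled slashes and URL metacharacters.
    if not all(_SEGMENT.fullmatch(part) for part in mount.split("/")):
        raise ValueError(f"invalid approle_mount_point: {value!r}")
    return mount


def login_path(mount_point):
    """API path the login request is sent to for this mount."""
    return f"/v1/auth/{normalize_mount_point(mount_point)}/login"


@dataclass(frozen=True)
class AppRoleSettings:  # hypothetical stand-in for the project's VaultConfig
    role_id_file: str
    secret_id_file: str
    approle_mount_point: str = "approle"


def approle_login(client, settings):
    """Log in with AppRole on the configured mount; client is an hvac.Client."""
    mount = normalize_mount_point(settings.approle_mount_point)
    role_id = Path(settings.role_id_file).read_text().strip()
    secret_id = Path(settings.secret_id_file).read_text().strip()
    return client.auth.approle.login(
        role_id=role_id, secret_id=secret_id, mount_point=mount
    )
```

Validating at config-load time turns a malformed mount value into a clear configuration error instead of a permission-denied response from the login endpoint.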



Copilot AI changed the title from "[WIP] Make Approle name configurable for vault connection" to "Make AppRole mount point configurable" Feb 9, 2026
Copilot AI requested a review from fajfer February 9, 2026 15:44
Comment thread chronowarden/config.py Outdated
Comment on lines +178 to +179
logger.warning(
"Deprecated: 'default_severity' in vault config. Use 'severity' instead."
)
logger.warning("Deprecated: 'default_severity' in vault config. Use 'severity' instead.")
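Review bot: the two forms of the 'default_severity' logger.warning call shown here differ only in line wrapping, so this region is a formatting-only change with no connection to the AppRole mount point. Consider leaving these lines out of this PR so the diff in chronowarden/config.py contains only the new approle_mount_point field.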
Owner


Don't do deprecation warnings at this point. We're not at version 1.x.y yet

Comment thread chronowarden/config.py
logger.warning(
"Deprecated: top-level 'engines' array. Move engine configs into vaults[].engines instead."
)
logger.warning("Deprecated: top-level 'engines' array. Move engine configs into vaults[].engines instead.")
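Review bot: the one-line form of the top-level 'engines' warning is 107 characters before indentation, while the wrapped form keeps each line shorter, and the message text is identical in both. If the line-length setting is meant to change, that belongs in the formatter configuration in its own change and not as an incidental re-wrap in this region.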
Owner


Don't do deprecation warnings at this point. We're not at version 1.x.y yet

- Add approle_mount_point field to VaultConfig with default "approle"
- Update VaultIntegration to accept and use approle_mount_point parameter
- Pass mount_point to hvac's auth.approle.login() method
- Add tests for default and custom mount point configurations
- Update config.example.yaml with documentation for the new field
fajfer force-pushed the copilot/make-approle-name-configurable branch from 4391840 to ff57bdb March 15, 2026 23:26
fajfer marked this pull request as ready for review March 15, 2026 23:32
Owner

fajfer commented Mar 15, 2026

TODO: update dev-setup.py to already set this up

fajfer merged commit ea6281e into main Mar 16, 2026
4 of 5 checks passed
fajfer deleted the copilot/make-approle-name-configurable branch March 16, 2026 23:40

Development

Successfully merging this pull request may close these issues.

Approle name should be configurable
