Update key names in credential template and bao config #2389
cb-github-robot merged 1 commit into cloud-barista:main from
Signed-off-by: Seokho Son <shsongist@gmail.com>
/approve
Pull request overview
Updates the documented and templated credential key names to provider-specific fields (e.g., aws_access_key_id) and aligns the OpenBao credential import script and docs with the current credential-holder naming constraints.
Changes:
- Updated template.credentials.yaml and README.md examples to use the new credential key names.
- Updated openbao-register-creds.py KEY_MAP to map the new YAML keys to OpenBao KV fields.
- Updated the credential/connection feature guide to reflect new key names, underscore-based holder naming, and added guidance for OpenStack-based custom CSP entries.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| init/template.credentials.yaml | Renames credential keys in the template to provider-specific names. |
| init/openbao/openbao-register-creds.py | Updates YAML→OpenBao field mapping to match new credential key names. |
| docs/feature_guide/credential-and-connection.md | Updates documentation/examples for new key names and holder naming, adds OpenStack-based CSP guidance. |
| README.md | Updates credentials.yaml example and documents holder naming rule. |
| # CSP key mapping: cb-tumblebug YAML keys → Terrarium/OpenTofu env var keys | ||
| KEY_MAP = { | ||
| "aws": { | ||
| "ClientId": "AWS_ACCESS_KEY_ID", | ||
| "ClientSecret": "AWS_SECRET_ACCESS_KEY", | ||
| "aws_access_key_id": "AWS_ACCESS_KEY_ID", | ||
| "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY", | ||
| }, |
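Review bot: The header comment on KEY_MAP does not say where the left-hand keys come from, which matters now that the aws block renames them from ClientId/ClientSecret to aws_access_key_id/aws_secret_access_key. They are Python dict keys, so a name in credentials.yaml has to match them exactly, including case. Suggest extending the comment to name init/template.credentials.yaml as the source of truth for the left-hand keys, so a later rename in the template is made here in the same change.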
The comment above KEY_MAP says the mapping is to "Terrarium/OpenTofu env var keys", but several mapped values are actually OpenBao secret field names (e.g., GCP uses JSON-style keys like project_id/client_email). Consider rewording this comment to reflect that these are OpenBao KV field names (often env-var compatible) to avoid confusion for future maintainers.
| # CSP key mapping: cb-tumblebug YAML keys → Terrarium/OpenTofu env var keys | ||
| KEY_MAP = { | ||
| "aws": { | ||
| "ClientId": "AWS_ACCESS_KEY_ID", | ||
| "ClientSecret": "AWS_SECRET_ACCESS_KEY", | ||
| "aws_access_key_id": "AWS_ACCESS_KEY_ID", | ||
| "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY", | ||
| }, | ||
| "azure": { | ||
| "ClientId": "ARM_CLIENT_ID", | ||
| "ClientSecret": "ARM_CLIENT_SECRET", | ||
| "TenantId": "ARM_TENANT_ID", | ||
| "SubscriptionId": "ARM_SUBSCRIPTION_ID", | ||
| "clientId": "ARM_CLIENT_ID", | ||
| "clientSecret": "ARM_CLIENT_SECRET", | ||
| "tenantId": "ARM_TENANT_ID", | ||
| "subscriptionId": "ARM_SUBSCRIPTION_ID", | ||
| }, | ||
| "gcp": { | ||
| "ProjectID": "project_id", | ||
| "ClientEmail": "client_email", | ||
| "PrivateKey": "private_key", | ||
| "project_id": "project_id", | ||
| "client_email": "client_email", | ||
| "private_key": "private_key", | ||
| "private_key_id": "private_key_id", | ||
| "client_id": "client_id", | ||
| }, | ||
| "alibaba": { | ||
| "ClientId": "ALIBABA_CLOUD_ACCESS_KEY_ID", | ||
| "ClientSecret": "ALIBABA_CLOUD_ACCESS_KEY_SECRET", | ||
| "AccessKeyId": "ALIBABA_CLOUD_ACCESS_KEY_ID", | ||
| "AccessKeySecret": "ALIBABA_CLOUD_ACCESS_KEY_SECRET", | ||
| }, | ||
| "ibm": { | ||
| "ApiKey": "IC_API_KEY", | ||
| }, | ||
| "ncp": { | ||
| "ClientId": "NCLOUD_ACCESS_KEY", | ||
| "ClientSecret": "NCLOUD_SECRET_KEY", | ||
| "ncloud_access_key": "NCLOUD_ACCESS_KEY", | ||
| "ncloud_secret_key": "NCLOUD_SECRET_KEY", | ||
| }, | ||
| "tencent": { | ||
| "ClientId": "TENCENTCLOUD_SECRET_ID", | ||
| "ClientSecret": "TENCENTCLOUD_SECRET_KEY", | ||
| "SecretId": "TENCENTCLOUD_SECRET_ID", | ||
| "SecretKey": "TENCENTCLOUD_SECRET_KEY", | ||
| }, |
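Review bot: The left-hand keys across the provider blocks now mix three casing styles (aws_access_key_id and ncloud_access_key in snake_case, clientId and tenantId in camelCase, AccessKeyId, SecretId and ApiKey in PascalCase), so a casing slip in credentials.yaml is easy to make and will not match any entry. Suggest having the script list every YAML key under a provider that is absent from KEY_MAP and stop before writing anything, rather than relying on users to get the per-provider casing right.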
Backward-compatibility issue: after changing KEY_MAP to only the new YAML key names (e.g., aws_access_key_id), an existing credentials.yaml.enc that still uses legacy keys (ClientId/ClientSecret, TenantId, etc.) will pass the has_value check but then register empty-string placeholders for the mapped keys (silently losing the real values). Consider supporting both legacy and new key aliases (or detecting legacy keys and warning/failing) to avoid accidentally writing blank secrets to OpenBao.
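A sketch of the guard this comment asks for, as an added example that is not part of the PR or of openbao-register-creds.py: the KEY_MAP rows are copied from the diff (aws and azure only), while LEGACY_ALIASES, CredentialKeyError and to_kv_fields are hypothetical names. It assumes every mapped key is required, accepts the removed key names as aliases, and refuses to return a mapping with blank or unrecognised fields.

```python
# Added example: hypothetical helper, not code from openbao-register-creds.py.
# KEY_MAP rows are copied from the diff (aws and azure only); LEGACY_ALIASES
# lists the key names the diff removes. Treating every mapped key as
# required is an assumption of this sketch.
KEY_MAP = {
    "aws": {
        "aws_access_key_id": "AWS_ACCESS_KEY_ID",
        "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY",
    },
    "azure": {
        "clientId": "ARM_CLIENT_ID",
        "clientSecret": "ARM_CLIENT_SECRET",
        "tenantId": "ARM_TENANT_ID",
        "subscriptionId": "ARM_SUBSCRIPTION_ID",
    },
}
LEGACY_ALIASES = {
    "aws": {"ClientId": "aws_access_key_id",
            "ClientSecret": "aws_secret_access_key"},
    "azure": {"ClientId": "clientId", "ClientSecret": "clientSecret",
              "TenantId": "tenantId", "SubscriptionId": "subscriptionId"},
}


class CredentialKeyError(ValueError):
    """Raised instead of registering blank or unrecognised fields."""


def to_kv_fields(provider, creds):
    """Map YAML keys to KV fields; return (fields, legacy_keys_seen)."""
    mapping = KEY_MAP[provider]
    aliases = LEGACY_ALIASES.get(provider, {})
    fields, legacy, problems = {}, [], []
    for key, value in creds.items():
        new_key = aliases.get(key, key)
        if new_key not in mapping:
            problems.append(f"unknown key {key!r}")  # e.g. a casing typo
            continue
        if key != new_key:
            legacy.append(key)
            if creds.get(new_key):  # the new name wins when both are set
                continue
        if value:
            fields[mapping[new_key]] = str(value)
    for new_key, field in mapping.items():
        if field not in fields:
            problems.append(f"missing or empty {new_key!r}")
    if problems:
        raise CredentialKeyError(f"{provider}: " + "; ".join(problems))
    return fields, legacy
```

The error text names keys only, never values, so it is safe to print in a registration log.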
| # ex: f89f5asfsesefsefsfefes0se0fse0f00ef565e33 | ||
| private_key_id: | ||
| # PrivateKey(private_key): Private Key of the Private Key ID of the service account (need to provide inlined format includeing \n characters.) | ||
| # private_key: Private Key of the Private Key ID of the service account (need to provide inlined format includeing \n characters.) |
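Review bot: The private_key comment asks for an inlined value including \n characters but does not say how to quote it. In YAML only a double-quoted scalar turns \n into a newline, while a plain or single-quoted value keeps the backslash and the n as two literal characters. Suggest stating which form the loader expects and adding a short quoted placeholder next to the comment, as the ex: line does for private_key_id.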
In the GCP private_key comment, "includeing" is misspelled. Please correct it to "including" to keep the template professional and avoid copy/paste typos for users.
| # private_key: Private Key of the Private Key ID of the service account (need to provide inlined format includeing \n characters.) | |
| # private_key: Private Key of the Private Key ID of the service account (need to provide inlined format including \n characters.) |
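Review bot: The suggested line still carries the phrase "Private Key of the Private Key ID of the service account", which is hard to parse and reads as if the key belonged to the ID. Suggest rewording while the line is being touched, for example "private key of the service account key identified by private_key_id".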
To use CSP-native term for each credential key.