From e39ab6f0ee2b4aac50ea6339f10ff3170106ea7c Mon Sep 17 00:00:00 2001
From: Maksim Loviagin
Date: Tue, 15 Jul 2025 18:57:44 +0000
Subject: [PATCH] feat: split the vault mount path into kv and auth
---
 auth/iam.go | 3 ++-
 auth/iam_vault.go | 30 +++++++++++++++++++-----------
 cmd/versitygw/main.go | 15 +++++++++++----
 3 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/auth/iam.go b/auth/iam.go
index 47c5ce2..a702c65 100644
--- a/auth/iam.go
+++ b/auth/iam.go
@@ -121,6 +121,7 @@ type Opts struct {
 LDAPGroupIdAtr string
 VaultEndpointURL string
 VaultSecretStoragePath string
+ VaultAuthMethod string
 VaultMountPath string
 VaultRootToken string
 VaultRoleId string
@@ -166,7 +167,7 @@ func New(o *Opts) (IAMService, error) {
 o.S3Endpoint, o.S3Bucket)
 case o.VaultEndpointURL != "":
 svc, err = NewVaultIAMService(o.RootAccount, o.VaultEndpointURL, o.VaultSecretStoragePath,
- o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
+ o.VaultAuthMethod, o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
 o.VaultServerCert, o.VaultClientCert, o.VaultClientCertKey)
 fmt.Printf("initializing Vault IAM with %q\n", o.VaultEndpointURL)
 case o.IpaHost != "":
diff --git a/auth/iam_vault.go b/auth/iam_vault.go
index 64aa22c..0c95852 100644
--- a/auth/iam_vault.go
+++ b/auth/iam_vault.go
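Review bot: `VaultAuthMethod` is added to `Opts` without a comment, and its name reads as an auth-method selector, while the only consumer on the new side (`New` here, then `NewVaultIAMService` in auth/iam_vault.go) hands it to `vault.WithMountPath` for the AppRole login, so it is a mount path. I would document it as `// VaultAuthMethod is the mount path of the AppRole auth method; empty uses "approle".` and add to `VaultMountPath` that it now applies only to the KV v2 secrets engine. Since the same `reqOpts` previously carried one mount path into both the AppRole login and the KV calls, an operator who set `VaultMountPath` to a custom AppRole mount will, after this change, have that value applied to the KV requests instead; the field comment or release notes should say so. The `Opts` struct starts and ends outside the hunk.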
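Review bot: The call in `New` now passes eleven consecutive `string` arguments to `NewVaultIAMService`, with `o.VaultAuthMethod` inserted in the middle, and nothing in the types distinguishes the AppRole mount path from the KV mount path, the root token or the role secret, so a transposition at any call site compiles silently. Since this commit already touches both the signature and this call, passing the Vault settings as a small options struct, or at minimum adding a one-line comment above the call naming the argument order, would make such a slip visible to a reader. `New` starts and ends outside the hunk.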
@@ -28,14 +28,15 @@ import (
 type VaultIAMService struct {
 client *vault.Client
- reqOpts []vault.RequestOption
+ authReqOpts []vault.RequestOption
+ kvReqOpts []vault.RequestOption
 secretStoragePath string
 rootAcc Account
 }
 var _ IAMService = &VaultIAMService{}
-func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) {
+func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, authMethod, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) {
 opts := []vault.ClientOption{
 vault.WithAddress(endpoint),
 // set request timeout to 10 secs
@@ -62,10 +63,16 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 return nil, fmt.Errorf("init vault client: %w", err)
 }
- reqOpts := []vault.RequestOption{}
- // if mount path is not specified, it defaults to "approle"
+ authReqOpts := []vault.RequestOption{}
+ // if auth method path is not specified, it defaults to "approle"
+ if authMethod != "" {
+ authReqOpts = append(authReqOpts, vault.WithMountPath(authMethod))
+ }
+
+ kvReqOpts := []vault.RequestOption{}
+ // if mount path is not specified, it defaults to "kv-v2"
 if mountPath != "" {
- reqOpts = append(reqOpts, vault.WithMountPath(mountPath))
+ kvReqOpts = append(kvReqOpts, vault.WithMountPath(mountPath))
 }
 // Authentication
@@ -84,7 +91,7 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{
 RoleId: roleID,
 SecretId: roleSecret,
- }, reqOpts...)
+ }, authReqOpts...)
 cancel()
 if err != nil {
 return nil, fmt.Errorf("approle authentication failure: %w", err)
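Review bot: The new comment `// if mount path is not specified, it defaults to "kv-v2"` states a default that nothing in this function enforces: when `mountPath` is empty no `WithMountPath` option is added and the client library's own default for the KV v2 endpoints applies, which I believe is `secret` rather than `kv-v2`; please verify against the vault-client-go version the module pins and make the comment name the actual fallback (the sibling comment, `defaults to "approle"`, reads correctly for the AppRole login). Two smaller points: `authReqOpts := []vault.RequestOption{}` and `kvReqOpts := []vault.RequestOption{}` can be nil slices, `var authReqOpts, kvReqOpts []vault.RequestOption`, since both are only appended to and spread into variadic calls; and `authMethod` names a mount path rather than a method, so `authMountPath` would read consistently with `mountPath` and `vault.WithMountPath`. `NewVaultIAMService` starts and ends outside this hunk.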
@@ -99,7 +106,8 @@ func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath,
 return &VaultIAMService{
 client: client,
- reqOpts: reqOpts,
+ authReqOpts: authReqOpts,
+ kvReqOpts: kvReqOpts,
 secretStoragePath: secretStoragePath,
 rootAcc: rootAcc,
 }, nil
@@ -117,7 +125,7 @@ func (vt *VaultIAMService) CreateAccount(account Account) error {
 Options: map[string]interface{}{
 "cas": 0,
 },
- }, vt.reqOpts...)
+ }, vt.kvReqOpts...)
 cancel()
 if err != nil {
 if strings.Contains(err.Error(), "check-and-set") {
@@ -134,7 +142,7 @@ func (vt *VaultIAMService) GetUserAccount(access string) (Account, error) {
 return vt.rootAcc, nil
 }
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
+ resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
 cancel()
 if err != nil {
 return Account{}, err
@@ -172,7 +180,7 @@ func (vt *VaultIAMService) UpdateUserAccount(access string, props MutableProps)
 func (vt *VaultIAMService) DeleteUserAccount(access string) error {
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- _, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
+ _, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.kvReqOpts...)
 cancel()
 if err != nil {
 return err
@@ -182,7 +190,7 @@ func (vt *VaultIAMService) DeleteUserAccount(access string) error {
 func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.reqOpts...)
+ resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.kvReqOpts...)
 cancel()
 if err != nil {
 if vault.IsErrorStatus(err, 404) {
diff --git a/cmd/versitygw/main.go b/cmd/versitygw/main.go
index 1c4522e..8ff4e62 100644
--- a/cmd/versitygw/main.go
+++ b/cmd/versitygw/main.go
@@ -61,10 +61,10 @@ var (
 ldapAccessAtr, ldapSecAtr, ldapRoleAtr string
 ldapUserIdAtr, ldapGroupIdAtr string
 vaultEndpointURL, vaultSecretStoragePath string
- vaultMountPath, vaultRootToken string
- vaultRoleId, vaultRoleSecret string
- vaultServerCert, vaultClientCert string
- vaultClientCertKey string
+ vaultAuthMethod, vaultMountPath string
+ vaultRootToken, vaultRoleId string
+ vaultRoleSecret, vaultServerCert string
+ vaultClientCert, vaultClientCertKey string
 s3IamAccess, s3IamSecret string
 s3IamRegion, s3IamBucket string
 s3IamEndpoint string
@@ -380,6 +380,12 @@ func initFlags() []cli.Flag {
 EnvVars: []string{"VGW_IAM_VAULT_SECRET_STORAGE_PATH"},
 Destination: &vaultSecretStoragePath,
 },
+ &cli.StringFlag{
+ Name: "iam-vault-auth-method",
+ Usage: "vault server auth method",
+ EnvVars: []string{"VGW_IAM_VAULT_AUTH_METHOD"},
+ Destination: &vaultAuthMethod,
+ },
 &cli.StringFlag{
 Name: "iam-vault-mount-path",
 Usage: "vault server mount path",
@@ -658,6 +664,7 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 LDAPGroupIdAtr: ldapGroupIdAtr,
 VaultEndpointURL: vaultEndpointURL,
 VaultSecretStoragePath: vaultSecretStoragePath,
+ VaultAuthMethod: vaultAuthMethod,
 VaultMountPath: vaultMountPath,
 VaultRootToken: vaultRootToken,
 VaultRoleId: vaultRoleId,
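Review bot: The usage text of the new `iam-vault-auth-method` flag, `"vault server auth method"`, suggests the operator can choose an auth method, but the value is only ever applied as `vault.WithMountPath` on the AppRole login in auth/iam_vault.go, so a method name typed here would silently become a wrong mount path and the login would fail with an unhelpful error. I would make both usages precise: `Usage: "mount path of the vault AppRole auth method (default: approle)",` for the new flag and, on the context line just below it, `Usage: "mount path of the vault KV v2 secrets engine holding IAM accounts",` for `iam-vault-mount-path`. Because `iam-vault-mount-path` previously also selected the AppRole mount, its narrowed meaning is a behaviour change for existing deployments and deserves a mention in the usage text or the release notes. `initFlags` starts and ends outside the hunk.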