Add support for openbao_transit_mount_path field in server

Author: touilleMan

server/parsec/cli/run.py

@@ -214,11 +214,23 @@ def handle_parse_result(
     envvar="PARSEC_OPENBAO_SECRET_MOUNT_PATH",
     metavar="MOUNT_PATH",
     show_envvar=True,
-    help="""Configure the mount path of the KV2 secret module used for storage
+    default="secret",
+    help="""Configure the mount path of the OpenBao KV2 secret module used for storage
 
 (see: https://openbao.org/api-docs/secret/kv/kv-v2/)
 """,
 )
+@click.option(
+    "--openbao-transit-mount-path",
+    envvar="PARSEC_OPENBAO_TRANSIT_MOUNT_PATH",
+    metavar="MOUNT_PATH",
+    show_envvar=True,
+    default="transit",
+    help="""Configure the mount path of the OpenBao transit module
+
+(see: https://openbao.org/api-docs/secret/transit/)
+""",
+)
 @click.option(
     "--openbao-auth-pro-connect",
     envvar="PARSEC_OPENBAO_AUTH_PRO_CONNECT_MOUNT_PATH",
@@ -525,7 +537,8 @@ def run_cmd(
     administration_token: str,
     account_config: AccountConfig,
     openbao_server_url: str | None,
-    openbao_secret_mount_path: str | None,
+    openbao_secret_mount_path: str,
+    openbao_transit_mount_path: str,
     openbao_auth_pro_connect: str | None,
     openbao_auth_hexagone: str | None,
     spontaneous_organization_bootstrap: bool,
@@ -592,11 +605,6 @@ def run_cmd(
         if openbao_server_url is None:
             openbao_config = None
         else:
-            if openbao_secret_mount_path is None:
-                raise ValueError(
-                    "--openbao-secret-mount-path is required when --openbao-server-url is provided"
-                )
-
             auths = []
             if openbao_auth_hexagone is not None:
                 auths.append(
@@ -621,6 +629,7 @@ def run_cmd(
             openbao_config = OpenBaoConfig(
                 server_url=openbao_server_url,
                 secret_mount_path=openbao_secret_mount_path,
+                transit_mount_path=openbao_transit_mount_path,
                 auths=auths,
             )
 

server/parsec/cli/testbed.py

@@ -986,6 +986,7 @@ async def testbed_backend_factory(
         openbao_config=OpenBaoConfig(
             server_url=server_addr.to_http_url("/testbed/mock/openbao"),
             secret_mount_path="secret",
+            transit_mount_path="transit",
             auths=[
                 OpenBaoAuthConfig(
                     id=OpenBaoAuthType.HEXAGONE,

server/parsec/components/events.py

@@ -525,6 +525,7 @@ async def api_server_config(
                 secret=anonymous_server_cmds.latest.server_config.OpenBaoSecretConfigKV2(
                     mount_path=self._config.openbao_config.secret_mount_path
                 ),
+                transit_mount_path=self._config.openbao_config.transit_mount_path,
                 auths=[
                     anonymous_server_cmds.latest.server_config.OpenBaoAuthConfig(
                         id=auth.id.str,

server/parsec/config.py

@@ -248,6 +248,7 @@ class OpenBaoAuthConfig:
 class OpenBaoConfig:
     server_url: str
     secret_mount_path: str
+    transit_mount_path: str
     auths: list[OpenBaoAuthConfig]
 
 

server/tests/api_v5/anonymous_server/test_server_config.py

@@ -26,7 +26,8 @@ async def test_anonymous_server_server_config_ok(
             backend.config.account_config = AccountConfig.ENABLED_WITH_VAULT
             backend.config.openbao_config = OpenBaoConfig(
                 server_url="https://openbao.parsec.invalid",
-                secret_mount_path="secrets",
+                secret_mount_path="secret",
+                transit_mount_path="transit",
                 auths=[
                     OpenBaoAuthConfig(
                         id=OpenBaoAuthType.HEXAGONE,
@@ -46,8 +47,9 @@ async def test_anonymous_server_server_config_ok(
                 openbao=anonymous_server_cmds.latest.server_config.OpenBaoConfigEnabled(
                     server_url="https://openbao.parsec.invalid",
                     secret=anonymous_server_cmds.latest.server_config.OpenBaoSecretConfigKV2(
-                        "secrets"
+                        "secret"
                     ),
+                    transit_mount_path="transit",
                     auths=[
                         anonymous_server_cmds.latest.server_config.OpenBaoAuthConfig(
                             id="HEXAGONE", mount_path="auth/hexagone"