Fix the HVAC configurable mount point and add to helm chart (#4088)

Author: stefannica

docker/zenml-server-hf-spaces.Dockerfile

@@ -59,6 +59,7 @@ ENV ZENML_SERVER_SECURE_HEADERS_CSP="frame-ancestors *;"
 # ENV ZENML_SECRETS_STORE_VAULT_ADDR=""
 # ENV ZENML_SECRETS_STORE_VAULT_TOKEN=""
 # ENV ZENML_SECRETS_STORE_VAULT_NAMESPACE=""
+# ENV ZENML_SECRETS_STORE_MOUNT_POINT=""
 # ENV ZENML_SECRETS_STORE_MAX_VERSIONS=""
 
 ENTRYPOINT ["uvicorn", "zenml.zen_server.zen_server_api:app", "--log-level", "debug", "--no-server-header"]

docs/book/getting-started/deploying-zenml/deploy-with-docker.md

@@ -195,6 +195,7 @@ These configuration options are only relevant if you're using Hashicorp Vault as
 * **ZENML\_SECRETS\_STORE\_VAULT\_ADDR**: The URL of the HashiCorp Vault server to connect to. NOTE: this is the same as setting the `VAULT_ADDR` environment variable.
 * **ZENML\_SECRETS\_STORE\_VAULT\_TOKEN**: The token to use to authenticate with the HashiCorp Vault server. NOTE: this is the same as setting the `VAULT_TOKEN` environment variable.
 * **ZENML\_SECRETS\_STORE\_VAULT\_NAMESPACE**: The Vault Enterprise namespace. Not required for Vault OSS. NOTE: this is the same as setting the `VAULT_NAMESPACE` environment variable.
+* **ZENML\_SECRETS\_STORE\_MOUNT\_POINT**: The mount point to use for the HashiCorp Vault secrets store. If not set, the default value of `secret` will be used.
 * **ZENML\_SECRETS\_STORE\_MAX\_VERSIONS**: The maximum number of secret versions to keep for each Vault secret. If not set, the default value of 1 will be used (only the latest version will be kept).
 {% endtab %}
 

docs/book/getting-started/deploying-zenml/deploy-with-helm.md

@@ -530,6 +530,8 @@ To use the HashiCorp Vault service as a Secrets Store back-end, it must be confi
        vault_token: <your Vault token>
        # The Vault Enterprise namespace. Not required for Vault OSS.
        vault_namespace: <your Vault namespace>
+       # The mount point to use for the HashiCorp Vault secrets store. If not set, the default value of `secret` will be used.
+       mount_point: <your Vault mount point>
 ```
 {% endtab %}
 

helm/templates/_environment.tpl

@@ -335,6 +335,9 @@ vault_addr: {{ .SecretsStore.hashicorp.vault_addr | quote }}
 {{- if .SecretsStore.hashicorp.vault_namespace }}
 vault_namespace: {{ .SecretsStore.hashicorp.vault_namespace | quote }}
 {{- end }}
+{{- if .SecretsStore.hashicorp.mount_point }}
+mount_point: {{ .SecretsStore.hashicorp.mount_point | quote }}
+{{- end }}
 {{- if .SecretsStore.hashicorp.max_versions }}
 max_versions: {{ .SecretsStore.hashicorp.max_versions | quote }}
 {{- end }}

helm/values.yaml

@@ -702,6 +702,8 @@ zenml:
       vault_token:
       # The Vault Enterprise namespace. Not required for Vault OSS.
       vault_namespace:
+      # The mount point to use (defaults to "secret" if not set)
+      mount_point:
       # The maximum number of secret versions to keep. If not set, the default
       # value of 1 will be used (only the latest version will be kept).
       max_versions:
@@ -962,6 +964,8 @@ zenml:
       vault_token:
       # The Vault Enterprise namespace. Not required for Vault OSS.
       vault_namespace:
+      # The mount point to use (defaults to "secret" if not set)
+      mount_point:
       # The maximum number of secret versions to keep. If not set, the default
       # value of 1 will be used (only the latest version will be kept).
       max_versions:

src/zenml/zen_stores/secrets_stores/hashicorp_secrets_store.py

@@ -44,6 +44,7 @@
 HVAC_ZENML_SECRET_NAME_PREFIX = "zenml"
 ZENML_VAULT_SECRET_VALUES_KEY = "zenml_secret_values"
 ZENML_VAULT_SECRET_METADATA_KEY = "zenml_secret_metadata"
+DEFAULT_MOUNT_POINT = "secret"
 
 
 class HashiCorpVaultSecretsStoreConfiguration(SecretsStoreConfiguration):
@@ -120,13 +121,11 @@ def client(self) -> hvac.Client:
                 else None,
                 namespace=self.config.vault_namespace,
             )
+            # Configure the intended mount (idempotent)
             self._client.secrets.kv.v2.configure(
+                mount_point=self.config.mount_point or DEFAULT_MOUNT_POINT,
                 max_versions=self.config.max_versions,
             )
-            if self.config.mount_point:
-                self._client.secrets.kv.v2.configure(
-                    mount_point=self.config.mount_point,
-                )
         return self._client
 
     # ====================================
@@ -197,6 +196,7 @@ def store_secret_values(
                 },
                 # Do not allow overwriting an existing secret
                 cas=0,
+                mount_point=self.config.mount_point or DEFAULT_MOUNT_POINT,
             )
         except VaultError as e:
             raise RuntimeError(f"Error creating secret: {e}")
@@ -224,6 +224,7 @@ def get_secret_values(self, secret_id: UUID) -> Dict[str, str]:
             vault_secret = (
                 self.client.secrets.kv.v2.read_secret(
                     path=vault_secret_id,
+                    mount_point=self.config.mount_point or DEFAULT_MOUNT_POINT,
                 )
                 .get("data", {})
                 .get("data", {})
@@ -295,6 +296,7 @@ def update_secret_values(
                     ZENML_VAULT_SECRET_VALUES_KEY: secret_values,
                     ZENML_VAULT_SECRET_METADATA_KEY: metadata,
                 },
+                mount_point=self.config.mount_point or DEFAULT_MOUNT_POINT,
             )
         except InvalidPath:
             raise KeyError(f"Secret with ID {secret_id} does not exist.")
@@ -320,6 +322,7 @@ def delete_secret_values(self, secret_id: UUID) -> None:
         try:
             self.client.secrets.kv.v2.delete_metadata_and_all_versions(
                 path=vault_secret_id,
+                mount_point=self.config.mount_point or DEFAULT_MOUNT_POINT,
             )
         except InvalidPath:
             raise KeyError(f"Secret with ID {secret_id} does not exist.")