feat: Add config option to prefer GET request over LIST when using Hashicorp Vault (#8049)

## Summary
Hashicorp Vault prefers the `LIST` HTTP method when fetching
secrets, but not all environments allow custom HTTP methods through
WAFs. This PR adds `N8N_EXTERNAL_SECRETS_PREFER_GET`, which, when set to
`true`, will use GET instead of LIST to fetch secrets.


## Review / Merge checklist
- [x] PR title and summary are descriptive. **Remember, the title
automatically goes into the changelog. Use `(no-changelog)` otherwise.**
([conventions](https://github.com/n8n-io/n8n/blob/master/.github/pull_request_title_conventions.md))
Jon 2023-12-15 16:20:39 +00:00 committed by GitHub
parent 5b7ea16d9a
commit 439a22d68f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 2 deletions


@ -3,6 +3,7 @@ import config from '@/config';
import Container from 'typedi';
export const updateIntervalTime = () => config.getEnv('externalSecrets.updateInterval') * 1000;
export const preferGet = () => config.getEnv('externalSecrets.preferGet');
export function isExternalSecretsEnabled() {
const license = Container.get(License);


@ -5,6 +5,7 @@ import type { AxiosInstance, AxiosResponse } from 'axios';
import axios from 'axios';
import { Logger } from '@/Logger';
import { EXTERNAL_SECRETS_NAME_REGEX } from '../constants';
import { preferGet } from '../externalSecretsHelper.ee';
import { Container } from 'typedi';
type VaultAuthMethod = 'token' | 'usernameAndPassword' | 'appRole';
@ -422,10 +423,14 @@ export class VaultProvider extends SecretsProvider {
listPath += path;
let listResp: AxiosResponse<VaultResponse<VaultSecretList>>;
try {
listResp = await this.#http.request<VaultResponse<VaultSecretList>>({
url: listPath,
const shouldPreferGet = preferGet();
const url = `${listPath}${shouldPreferGet ? '?list=true' : ''}`;
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
method: 'LIST' as any,
const method = shouldPreferGet ? 'GET' : ('LIST' as any);
listResp = await this.#http.request<VaultResponse<VaultSecretList>>({
url,
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
method,
});
} catch {
return null;
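Review bot: The bare `catch { return null; }` that closes this hunk hides the failure for both methods, so a proxy or WAF rejecting `LIST` (or a rejected `GET …?list=true`) looks the same as an empty path, and the operator gets no hint that `N8N_EXTERNAL_SECRETS_PREFER_GET` is needed or not working. Consider binding the error with `} catch (error) {` and logging the chosen method and the response status at debug level through the file's existing `Logger`, leaving out request headers and the response body so the Vault token and secret names stay out of the logs. Separately, `'?list=true'` is appended on the assumption that `listPath` never already carries a query string; a one-line comment such as `// listPath is a bare mount path, so '?' always starts the query` would record that, if it holds. The enclosing method starts and ends outside the hunk, so the null return may be handled deliberately by the caller.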


@ -1032,6 +1032,12 @@ export const schema = {
env: 'N8N_EXTERNAL_SECRETS_UPDATE_INTERVAL',
doc: 'How often (in seconds) to check for secret updates.',
},
preferGet: {
format: Boolean,
default: false,
env: 'N8N_EXTERNAL_SECRETS_PREFER_GET',
doc: 'Whether to prefer GET over LIST when fetching secrets from Hashicorp Vault.',
},
},
deployment: {
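Review bot: The `doc` string for `preferGet` says the option applies when "fetching secrets", but in the provider hunk shown on this page it only changes the listing request, replacing the `LIST` method with `GET` plus `?list=true`. A wording such as `doc: 'Use GET with ?list=true instead of the LIST method when listing secrets in Hashicorp Vault, for proxies or WAFs that block custom HTTP methods.'` would tell an operator what changes on the wire and when to enable it. Other Vault calls may read this flag outside the visible hunks, so confirm the scope before narrowing the text.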