)]}'
{"castellan/key_manager/vault_key_manager.py":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"c143f2b8c1cd870a264f9fdb01945c907b1b36ed","unresolved":true,"context_lines":[{"line_number":65,"context_line":"        secret\u003dTrue,"},{"line_number":66,"context_line":"        help\u003d\u0027AppRole secret_id for authentication with vault\u0027,"},{"line_number":67,"context_line":"    ),"},{"line_number":68,"context_line":"    cfg.StrOpt("},{"line_number":69,"context_line":"        \u0027kubernetes_role\u0027,"},{"line_number":70,"context_line":"        help\u003d\u0027Vault role name for Kubernetes auth method. \u0027"},{"line_number":71,"context_line":"        \u0027Setting this option enables Kubernetes authentication \u0027"},{"line_number":72,"context_line":"        \u0027with Vault.\u0027,"},{"line_number":73,"context_line":"    ),"},{"line_number":74,"context_line":"    cfg.StrOpt("},{"line_number":75,"context_line":"        \u0027kubernetes_auth_mount\u0027,"},{"line_number":76,"context_line":"        default\u003d\u0027kubernetes\u0027,"},{"line_number":77,"context_line":"        help\u003d\u0027Mount path of the Kubernetes auth method in Vault \u0027"},{"line_number":78,"context_line":"        \u0027(e.g. \"kubernetes\" or \"kubernetes-my-cluster\"). \u0027"},{"line_number":79,"context_line":"        \u0027Defaults to \"kubernetes\".\u0027,"},{"line_number":80,"context_line":"    ),"},{"line_number":81,"context_line":"    cfg.StrOpt("},{"line_number":82,"context_line":"        \u0027kubernetes_sa_token_path\u0027,"},{"line_number":83,"context_line":"        default\u003d_DEFAULT_K8S_SA_TOKEN_PATH,"},{"line_number":84,"context_line":"        help\u003d\u0027Path to the Kubernetes ServiceAccount token file \u0027"},{"line_number":85,"context_line":"        \u0027used for Vault login. Defaults to the standard \u0027"},{"line_number":86,"context_line":"        \u0027projected token path.\u0027,"},{"line_number":87,"context_line":"    ),"},{"line_number":88,"context_line":"    cfg.StrOpt("},{"line_number":89,"context_line":"        \u0027kv_mountpoint\u0027,"},{"line_number":90,"context_line":"        default\u003d_DEFAULT_MOUNTPOINT,"}],"source_content_type":"text/x-python","patch_set":2,"id":"3ea7090c_c02309c8","line":87,"range":{"start_line":68,"start_character":15,"end_line":87,"end_character":6},"updated":"2026-06-12 15:21:30.000000000","message":"Can we make these option more generic and independent from deployment-mechanism ? This is quite too much adopted to a specific deployment pattern and I don\u0027t even think this is the only pattern we expect in k8s.\n\nFor example kubernetes_auth_mount can be auth path option","commit_id":"1cbf1872cd36f26fc645dec38d011e21452b241b"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"fe64ea88a9e47aac42bcd97d5fca19e4f7ff06b6","unresolved":true,"context_lines":[{"line_number":65,"context_line":"        secret\u003dTrue,"},{"line_number":66,"context_line":"        help\u003d\u0027AppRole secret_id for authentication with vault\u0027,"},{"line_number":67,"context_line":"    ),"},{"line_number":68,"context_line":"    cfg.StrOpt("},{"line_number":69,"context_line":"        \u0027kubernetes_role\u0027,"},{"line_number":70,"context_line":"        help\u003d\u0027Vault role name for Kubernetes auth method. \u0027"},{"line_number":71,"context_line":"        \u0027Setting this option enables Kubernetes authentication \u0027"},{"line_number":72,"context_line":"        \u0027with Vault.\u0027,"},{"line_number":73,"context_line":"    ),"},{"line_number":74,"context_line":"    cfg.StrOpt("},{"line_number":75,"context_line":"        \u0027kubernetes_auth_mount\u0027,"},{"line_number":76,"context_line":"        default\u003d\u0027kubernetes\u0027,"},{"line_number":77,"context_line":"        help\u003d\u0027Mount path of the Kubernetes auth method in Vault \u0027"},{"line_number":78,"context_line":"        \u0027(e.g. \"kubernetes\" or \"kubernetes-my-cluster\"). \u0027"},{"line_number":79,"context_line":"        \u0027Defaults to \"kubernetes\".\u0027,"},{"line_number":80,"context_line":"    ),"},{"line_number":81,"context_line":"    cfg.StrOpt("},{"line_number":82,"context_line":"        \u0027kubernetes_sa_token_path\u0027,"},{"line_number":83,"context_line":"        default\u003d_DEFAULT_K8S_SA_TOKEN_PATH,"},{"line_number":84,"context_line":"        help\u003d\u0027Path to the Kubernetes ServiceAccount token file \u0027"},{"line_number":85,"context_line":"        \u0027used for Vault login. Defaults to the standard \u0027"},{"line_number":86,"context_line":"        \u0027projected token path.\u0027,"},{"line_number":87,"context_line":"    ),"},{"line_number":88,"context_line":"    cfg.StrOpt("},{"line_number":89,"context_line":"        \u0027kv_mountpoint\u0027,"},{"line_number":90,"context_line":"        default\u003d_DEFAULT_MOUNTPOINT,"}],"source_content_type":"text/x-python","patch_set":2,"id":"449adb99_b27346b0","line":87,"range":{"start_line":68,"start_character":15,"end_line":87,"end_character":6},"in_reply_to":"3ea7090c_c02309c8","updated":"2026-06-12 16:09:32.000000000","message":"Actually I hadn\u0027t seen it as being so generic (was definitely aiming for k8s specific), but now that you mention it, this really would essentially work for other deployment methods by just overloading these opts... I\u0027ll see if I can do the work to make it slightly more generic (though the only Vault I have access to is via a pretty specific k8s auth so I may need help verifying it works generically).","commit_id":"1cbf1872cd36f26fc645dec38d011e21452b241b"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"ee3ea19481097b2649578b299c8db4c34a074ff3","unresolved":false,"context_lines":[{"line_number":65,"context_line":"        secret\u003dTrue,"},{"line_number":66,"context_line":"        help\u003d\u0027AppRole secret_id for authentication with vault\u0027,"},{"line_number":67,"context_line":"    ),"},{"line_number":68,"context_line":"    cfg.StrOpt("},{"line_number":69,"context_line":"        \u0027kubernetes_role\u0027,"},{"line_number":70,"context_line":"        help\u003d\u0027Vault role name for Kubernetes auth method. \u0027"},{"line_number":71,"context_line":"        \u0027Setting this option enables Kubernetes authentication \u0027"},{"line_number":72,"context_line":"        \u0027with Vault.\u0027,"},{"line_number":73,"context_line":"    ),"},{"line_number":74,"context_line":"    cfg.StrOpt("},{"line_number":75,"context_line":"        \u0027kubernetes_auth_mount\u0027,"},{"line_number":76,"context_line":"        default\u003d\u0027kubernetes\u0027,"},{"line_number":77,"context_line":"        help\u003d\u0027Mount path of the Kubernetes auth method in Vault \u0027"},{"line_number":78,"context_line":"        \u0027(e.g. \"kubernetes\" or \"kubernetes-my-cluster\"). \u0027"},{"line_number":79,"context_line":"        \u0027Defaults to \"kubernetes\".\u0027,"},{"line_number":80,"context_line":"    ),"},{"line_number":81,"context_line":"    cfg.StrOpt("},{"line_number":82,"context_line":"        \u0027kubernetes_sa_token_path\u0027,"},{"line_number":83,"context_line":"        default\u003d_DEFAULT_K8S_SA_TOKEN_PATH,"},{"line_number":84,"context_line":"        help\u003d\u0027Path to the Kubernetes ServiceAccount token file \u0027"},{"line_number":85,"context_line":"        \u0027used for Vault login. Defaults to the standard \u0027"},{"line_number":86,"context_line":"        \u0027projected token path.\u0027,"},{"line_number":87,"context_line":"    ),"},{"line_number":88,"context_line":"    cfg.StrOpt("},{"line_number":89,"context_line":"        \u0027kv_mountpoint\u0027,"},{"line_number":90,"context_line":"        default\u003d_DEFAULT_MOUNTPOINT,"}],"source_content_type":"text/x-python","patch_set":2,"id":"76f00005_e059da38","line":87,"range":{"start_line":68,"start_character":15,"end_line":87,"end_character":6},"in_reply_to":"449adb99_b27346b0","updated":"2026-06-12 16:20:30.000000000","message":"Done -- kind of amazed that\u0027s all that we needed to make it truly generic.","commit_id":"1cbf1872cd36f26fc645dec38d011e21452b241b"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"f8c7ad2eca7314f0fc4c39cbe5bc73f8c04c55cf","unresolved":false,"context_lines":[{"line_number":102,"context_line":"    cfg.URIOpt("},{"line_number":103,"context_line":"        \u0027vault_url\u0027,"},{"line_number":104,"context_line":"        default\u003d_DEFAULT_VAULT_URL,"},{"line_number":105,"context_line":"        schemes\u003d(\u0027http\u0027, \u0027https\u0027),"},{"line_number":106,"context_line":"        help\u003d\u0027Use this endpoint to connect to Vault\u0027,"},{"line_number":107,"context_line":"    ),"},{"line_number":108,"context_line":"    cfg.StrOpt(\u0027ssl_ca_crt_file\u0027, help\u003d\u0027Absolute path to ca cert file\u0027),"}],"source_content_type":"text/x-python","patch_set":2,"id":"c9a12ea3_6e1c4145","line":105,"updated":"2026-06-11 23:32:06.000000000","message":"pep8: error: Argument \"schemes\" to \"URIOpt\" has incompatible type \"tuple[str, str]\"; expected \"list[str] | None\"  [arg-type]","commit_id":"1cbf1872cd36f26fc645dec38d011e21452b241b"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"a6da14d1e96d64112514a455c612c4740940dec5","unresolved":true,"context_lines":[{"line_number":72,"context_line":"        \u0027enables token file authentication with Vault.\u0027,"},{"line_number":73,"context_line":"    ),"},{"line_number":74,"context_line":"    cfg.StrOpt("},{"line_number":75,"context_line":"        \u0027token_auth_mount\u0027,"},{"line_number":76,"context_line":"        default\u003d\u0027kubernetes\u0027,"},{"line_number":77,"context_line":"        help\u003d\u0027Mount path of the token-based auth method in \u0027"},{"line_number":78,"context_line":"        \u0027Vault (e.g. \"kubernetes\", \"jwt\", \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"2165d88b_a6e59739","line":75,"range":{"start_line":75,"start_character":9,"end_line":75,"end_character":25},"updated":"2026-06-12 16:27:15.000000000","message":"\u0027mount\u0027 is confusing because it indicates filesystem path but it is actually a request path.\n\nI wonder if we can add auth_method option, which defaults to approle ? We can define `choices\u003d(\u0027approle\u0027, \u0027kubernetes\u0027)` to restrict methods for now","commit_id":"18def48b7b5ca75d5dfcfaa3d515221c9e1b0913"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"a9ec8681e3f1d78ba5c421d19e3fd83a743123c0","unresolved":true,"context_lines":[{"line_number":72,"context_line":"        \u0027enables token file authentication with Vault.\u0027,"},{"line_number":73,"context_line":"    ),"},{"line_number":74,"context_line":"    cfg.StrOpt("},{"line_number":75,"context_line":"        \u0027token_auth_mount\u0027,"},{"line_number":76,"context_line":"        default\u003d\u0027kubernetes\u0027,"},{"line_number":77,"context_line":"        help\u003d\u0027Mount path of the token-based auth method in \u0027"},{"line_number":78,"context_line":"        \u0027Vault (e.g. \"kubernetes\", \"jwt\", \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"51ba49d3_ba28f3be","line":75,"range":{"start_line":75,"start_character":9,"end_line":75,"end_character":25},"in_reply_to":"2165d88b_a6e59739","updated":"2026-06-12 17:44:12.000000000","message":"Would you want \"approle\" and \"token\"? to keep things non-k8s-specific?","commit_id":"18def48b7b5ca75d5dfcfaa3d515221c9e1b0913"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"338232539c163cb4f5fbed8637ce06a004012347","unresolved":true,"context_lines":[{"line_number":72,"context_line":"        \u0027enables token file authentication with Vault.\u0027,"},{"line_number":73,"context_line":"    ),"},{"line_number":74,"context_line":"    cfg.StrOpt("},{"line_number":75,"context_line":"        \u0027token_auth_mount\u0027,"},{"line_number":76,"context_line":"        default\u003d\u0027kubernetes\u0027,"},{"line_number":77,"context_line":"        help\u003d\u0027Mount path of the token-based auth method in \u0027"},{"line_number":78,"context_line":"        \u0027Vault (e.g. \"kubernetes\", \"jwt\", \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"3be80abc_a58a705c","line":75,"range":{"start_line":75,"start_character":9,"end_line":75,"end_character":25},"in_reply_to":"51ba49d3_ba28f3be","updated":"2026-06-13 07:58:36.000000000","message":"I think it\u0027s ok to expose kubernetes here because that\u0027s within the context of auth method defined in vault. We could also add \u0027token\u0027 as a supported auth method.","commit_id":"18def48b7b5ca75d5dfcfaa3d515221c9e1b0913"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"a6da14d1e96d64112514a455c612c4740940dec5","unresolved":true,"context_lines":[{"line_number":81,"context_line":"    ),"},{"line_number":82,"context_line":"    cfg.StrOpt("},{"line_number":83,"context_line":"        \u0027token_file\u0027,"},{"line_number":84,"context_line":"        default\u003d_DEFAULT_TOKEN_FILE_PATH,"},{"line_number":85,"context_line":"        help\u003d\u0027Path to the token file used for Vault login \u0027"},{"line_number":86,"context_line":"        \u0027(e.g. a Kubernetes ServiceAccount token or a \u0027"},{"line_number":87,"context_line":"        \u0027JWT from an OIDC provider). Defaults to the \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"6247e3fa_41e33c0e","line":84,"range":{"start_line":84,"start_character":16,"end_line":84,"end_character":40},"updated":"2026-06-12 16:27:15.000000000","message":"I\u0027m against adding this kubernetes specific default here. Can we remove it and require explicitly passing it ?","commit_id":"18def48b7b5ca75d5dfcfaa3d515221c9e1b0913"},{"author":{"_account_id":10273,"name":"Adam Harwell","email":"flux.adam@gmail.com","username":"rm_you"},"change_message_id":"a9ec8681e3f1d78ba5c421d19e3fd83a743123c0","unresolved":true,"context_lines":[{"line_number":81,"context_line":"    ),"},{"line_number":82,"context_line":"    cfg.StrOpt("},{"line_number":83,"context_line":"        \u0027token_file\u0027,"},{"line_number":84,"context_line":"        default\u003d_DEFAULT_TOKEN_FILE_PATH,"},{"line_number":85,"context_line":"        help\u003d\u0027Path to the token file used for Vault login \u0027"},{"line_number":86,"context_line":"        \u0027(e.g. a Kubernetes ServiceAccount token or a \u0027"},{"line_number":87,"context_line":"        \u0027JWT from an OIDC provider). Defaults to the \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"bb8d14a4_828503fa","line":84,"range":{"start_line":84,"start_character":16,"end_line":84,"end_character":40},"in_reply_to":"6247e3fa_41e33c0e","updated":"2026-06-12 17:44:12.000000000","message":"Yeah, that\u0027s fine.","commit_id":"18def48b7b5ca75d5dfcfaa3d515221c9e1b0913"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"0a5cb4dc3bee8a82f849a9dba5e3a5789786b1f3","unresolved":false,"context_lines":[{"line_number":104,"context_line":"    cfg.URIOpt("},{"line_number":105,"context_line":"        \u0027vault_url\u0027,"},{"line_number":106,"context_line":"        default\u003d_DEFAULT_VAULT_URL,"},{"line_number":107,"context_line":"        schemes\u003d(\u0027http\u0027, \u0027https\u0027),"},{"line_number":108,"context_line":"        help\u003d\u0027Use this endpoint to connect to Vault\u0027,"},{"line_number":109,"context_line":"    ),"},{"line_number":110,"context_line":"    cfg.StrOpt(\u0027ssl_ca_crt_file\u0027, help\u003d\u0027Absolute path to ca cert file\u0027),"}],"source_content_type":"text/x-python","patch_set":3,"id":"c10bc2e7_f7d055f1","line":107,"updated":"2026-06-12 16:51:32.000000000","message":"pep8: error: Argument \"schemes\" to \"URIOpt\" has incompatible type \"tuple[str, str]\"; expected \"list[str] | None\"  [arg-type]","commit_id":"18def48b7b5ca75d5dfcfaa3d515221c9e1b0913"}]}