
Vault kv v2 compatibility?

Open gardar opened this issue 2 years ago • 4 comments

It seems that kv version 2 is unsupported currently.

Failed to initialize: ForemanVault::VaultClient::NoDataError - ERF37-7090 [ForemanVault::VaultClient::NoDataError]: ERF37-5383 [ForemanVault::VaultClient::NoDataError]: There is no available data for path: kv/test

Any chance support for v2 could be added?

In the meantime I've added #49 to save others from headache

gardar avatar May 13 '22 13:05 gardar

As a workaround you could try to add /data/ to the secret path:

# working for KV1 stores
/secret/foo/bar

# working for KV2 stores
/secret/data/foo/bar

However, we should implement a switch anyway.

laugmanuel avatar May 13 '22 14:05 laugmanuel

Good point, that works.

With that being said, kv v2 returns metadata as well, which might/might not be wanted. To combat that it would be helpful if it were possible to pass the -field flag to vault to get a specific value. Or is that perhaps already possible with some magic?

gardar avatar May 13 '22 15:05 gardar

Currently, this is not possible out of the box. We could add an optional parameter to the fetch_secret macro to specify the desired key.

Just for documentation purposes: this is the format of the response when querying KV1 vs. KV2:

# KV1
irb(main):015:0> Vault.logical.read("kv_test/path/to/secret").data
=> {:testkey=>"testvaluekv1"}

# KV2
irb(main):014:0> Vault.logical.read("kv2_test/data/path/to/secret").data
=> {:data=>{:testkey=>"testvaluekv2"}, :metadata=>{:created_time=>"2022-05-13T07:40:20.427891228Z", :custom_metadata=>nil, :deletion_time=>"", :destroyed=>false, :version=>1}}

laugmanuel avatar Jun 13 '22 14:06 laugmanuel

A filter parameter would be nice, but as you hinted it's already possible to do the filtering within the erb macro, so perhaps it's unnecessary to add the filter parameter or at least doesn't have to be high on the priority list.

# Unfiltered
<%= vault_secret('MyVault', 'kv2/data/my_secret') %>

{:data=>{:color=>"blue", :number=>"eleventeen"}, :metadata=>{:created_time=>"2022-05-13T14:42:18.949064761Z", :custom_metadata=>nil, :deletion_time=>"", :destroyed=>false, :version=>1}}


# Accessing data
<%= vault_secret('MyVault', 'kv2/data/my_secret')[:data] %>

{:color=>"blue", :number=>"eleventeen"}

# Accessing color key from data
<%= vault_secret('MyVault', 'kv2/data/my_secret')[:data][:color] %>

blue


# Filtering and converting to json
<%= to_json(vault_secret('MyVault', 'kv2/data/my_secret')[:data]) %>

{
  "color": "blue",
  "number": "eleventeen"
}

gardar avatar Jun 14 '22 11:06 gardar
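The two points raised in this thread, the `/data/` path difference and the `:data`/`:metadata` wrapper in KV2 responses, can be handled in one small helper. This is an added example, not foreman_vault's own code; `read_path`, `secret_data`, `secret_field` and `secret_json` are hypothetical names, and the sample responses are constructed to mirror the irb output above.

```ruby
require 'json'

# Constructed sample responses shaped like the irb output in the thread.
KV1_RESPONSE = { testkey: 'testvaluekv1' }.freeze
KV2_RESPONSE = {
  data: { testkey: 'testvaluekv2' },
  metadata: { created_time: '2022-05-13T07:40:20.427891228Z', custom_metadata: nil,
              deletion_time: '', destroyed: false, version: 1 }
}.freeze

class SecretFieldMissing < StandardError; end

# KV2 reads go through <mount>/data/<path>; KV1 reads use <mount>/<path>.
# Reading a KV2 path without /data/ is what produces the NoDataError above.
def read_path(mount, path, kv_version:)
  case kv_version
  when 1 then "#{mount}/#{path}"
  when 2 then "#{mount}/data/#{path}"
  else raise ArgumentError, "unsupported kv version #{kv_version}"
  end
end

# A KV2 response wraps the secret in :data and adds :metadata; KV1 returns the
# secret hash directly. Match the exact key set so a KV1 secret that happens to
# contain a key named "data" is not mistaken for a KV2 wrapper.
def kv2_wrapper?(hash)
  hash.is_a?(Hash) && hash.keys.sort == %i[data metadata] && hash[:data].is_a?(Hash)
end

# Return only the secret key/value pairs, never the metadata, so a template
# does not render version or timestamp details by accident.
def secret_data(response)
  return nil if response.nil?
  kv2_wrapper?(response) ? response[:data] : response
end

# Equivalent of `vault kv get -field=<name>`: one value, or an explicit error
# instead of a silent nil that would leave a blank in the rendered file.
def secret_field(response, field)
  data = secret_data(response)
  key = field.to_sym
  raise SecretFieldMissing, "no field #{field.inspect} in secret" unless data&.key?(key)
  data[key]
end

# Same as the to_json macro usage above, applied to the unwrapped data only.
def secret_json(response)
  JSON.pretty_generate(secret_data(response))
end
```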