
Error occurs when generating secrets from Vault file with nested credentials

Open CCardosoDev opened this issue 2 years ago • 4 comments

Let's assume that we have the following in Vault

Vault file path: /my-department/my-app-name/app/

Vault file content:

{
  "client": {
    "client_id": "my_client_id",
    "client_secret": "my_client_secret"
  },
  "sentry_dsn": "my-dsn"
}

Env var exposed to the container VAULT_SECRETS: /my-department/my-app-name/app/

Once the container executes, the following error is thrown:

2022/02/24 15:01:35 Using annotation [ vault-app-my-department-my-app-name ] to detect managed secrets
2022/02/24 15:01:36 read /my-department/my-app-name/app/ from vault
panic: interface conversion: interface {} is map[string]interface {}, not string

goroutine 1 [running]:
main.(*syncConfig).synchronize(0xc000232dc0, 0x0, 0x0)
	/vgo/main.go:151 +0x103e
main.main()
	/vgo/main.go:55 +0xf5

While if I have

Vault file content:

{
  "client_secret": "my_client_secret",
  "sentry_dsn": "my-dsn"
}

The container executes successfully creating the expected secret resource.

I have tested this with multiple versions of the container, including v0.2.5 which is the latest version at the moment of creation of this issue.

Which leads me to the conclusion that this container does not support nested credentials. Are you aware of this issue? Would you consider this an easy fix?

Thanks in advance for your attention.

CCardosoDev, Mar 14 '22 17:03

@CCardosoDev

How do you expect to map the nested credentials to k8s secrets?

Vault:

{
  "client": {
    "client_id": "my_client_id",
    "client_secret": "my_client_secret"
  },
  "sentry_dsn": "my-dsn"
}

k8s plain (how to resolve name clashes?):

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client_id: <base64 encoded string>
  client_secret: <base64 encoded string>

k8s scoped:

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client.client_id: <base64 encoded string>
  client.client_secret: <base64 encoded string>

k8s embedded:

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client: <base64 encoded json>

marcsauter, Mar 14 '22 21:03

@marcsauter thanks a lot for your quick response.

Very good question you made, I'd think that the most intuitive for me would be to have it exposed as "k8s embedded", so the last option. Like that it is in accordance with what is available in Vault and we don't alter in any way the file content.

CCardosoDev, Mar 15 '22 10:03
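Taking the "k8s embedded" option chosen above, here is an added Go example (not vault-kubernetes' own code) of a conversion that turns the Vault KV map into Secret entries and embeds nested objects as JSON instead of panicking on a string type assertion; sampleVaultData is a constructed stand-in for the Vault client's response.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleVaultData is a constructed stand-in for what the Vault API client
// returns for the KV secret in the issue: the nested "client" object arrives
// as map[string]interface{}, so a blind v.(string) assertion panics on it.
func sampleVaultData() map[string]interface{} {
	return map[string]interface{}{
		"client": map[string]interface{}{
			"client_id":     "my_client_id",
			"client_secret": "my_client_secret",
		},
		"sentry_dsn": "my-dsn",
	}
}

// toSecretData converts Vault KV data into the string map a Kubernetes
// Secret's stringData field accepts (the API server base64-encodes it into
// data). Nested objects and arrays are embedded as JSON, the "k8s embedded"
// option; scalars become strings; null and unknown types are errors rather
// than a runtime panic.
func toSecretData(data map[string]interface{}) (map[string]string, error) {
	out := make(map[string]string, len(data))
	for k, v := range data {
		switch val := v.(type) {
		case string:
			out[k] = val
		case map[string]interface{}, []interface{}:
			b, err := json.Marshal(val) // map keys are emitted sorted
			if err != nil {
				return nil, fmt.Errorf("key %q: %w", k, err)
			}
			out[k] = string(b)
		case json.Number, float64, bool: // scalars, whichever way the decoder typed them
			out[k] = fmt.Sprint(val)
		default: // nil and anything else
			return nil, fmt.Errorf("key %q: unsupported value of type %T", k, v)
		}
	}
	return out, nil
}

func main() {
	out, err := toSecretData(sampleVaultData())
	fmt.Println(out, err)
}
```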

https://github.com/postfinance/vault-kubernetes/tree/decode with an issue I hope to solve soon, but most cases work.

marcsauter, Apr 11 '22 14:04

Bumping this thread for visibility. This would be a very handy feature for us 😄

picnic-sven, Apr 19 '23 13:04