
Error occurs when generating secrets from Vault file with nested credentials #25

Open
CCardosoDev opened this issue Mar 14, 2022 · 4 comments

Comments

@CCardosoDev

Let's assume that we have the following in Vault

Vault file path: /my-department/my-app-name/app/
Vault file content:

{
  "client": {
    "client_id": "my_client_id",
    "client_secret": "my_client_secret"
  },
  "sentry_dsn": "my-dsn"
}

Env var exposed to the container VAULT_SECRETS: /my-department/my-app-name/app/

Once the container executes the following error is thrown:

2022/02/24 15:01:35 Using annotation [ vault-app-my-department-my-app-name ] to detect managed secrets
2022/02/24 15:01:36 read /my-department/my-app-name/app/ from vault
panic: interface conversion: interface {} is map[string]interface {}, not string

goroutine 1 [running]:
main.(*syncConfig).synchronize(0xc000232dc0, 0x0, 0x0)
	/vgo/main.go:151 +0x103e
main.main()
	/vgo/main.go:55 +0xf5

While if I have

Vault file content:

{
  "client_secret": "my_client_secret",
  "sentry_dsn": "my-dsn"
}

The container executes successfully creating the expected secret resource.

I have tested this with multiple versions of the container, including v0.2.5 which is the latest version at the moment of creation of this issue.

Which leads me to the conclusion that this container does not support nested credentials.
Are you aware of this issue? Would you consider this an easy fix?

Thanks in advance for your attention.

@CCardosoDev CCardosoDev changed the title Generation of secrets from Vault file with nested credentials errors Error occurs when generating secrets from Vault file with nested credentials Mar 14, 2022
@marcsauter
Contributor

@CCardosoDev

How do you expect to map the nested credentials to k8s secrets?

Vault:

{
  "client": {
    "client_id": "my_client_id",
    "client_secret": "my_client_secret"
  },
  "sentry_dsn": "my-dsn"
}

k8s plain (how to resolve name clashes?):

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client_id: <base64 encoded string>
  client_secret: <base64 encoded string>

k8s scoped:

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client.client_id: <base64 encoded string>
  client.client_secret: <base64 encoded string>

k8s embedded:

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client: <base64 encoded json>

@CCardosoDev
Author

@marcsauter thanks a lot for your quick response.

Very good question. I'd think that the most intuitive option for me would be to have it exposed as "k8s embedded", so the last option. That way it is in accordance with what is available in Vault and we don't alter the file content in any way.
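As an added illustration of the "k8s embedded" mapping chosen above (example code, not from the vault-kubernetes project): the Go snippet reproduces the reported type-assertion panic on the issue's nested document and, beside it, a mapping that JSON-encodes nested objects under their own key so the sync neither crashes nor reshapes the Vault content. The names ParseVaultJSON, unsafeFlatten and EmbedSecretData are assumed for the example, and the input is a constructed copy of the document from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// vaultJSON is a constructed copy of the nested Vault document from the issue.
const vaultJSON = `{"client": {"client_id": "my_client_id", "client_secret": "my_client_secret"}, "sentry_dsn": "my-dsn"}`

// ParseVaultJSON decodes a KV payload; nested objects become map[string]interface{}.
func ParseVaultJSON(raw string) (data map[string]interface{}, err error) {
	err = json.Unmarshal([]byte(raw), &data)
	return data, err
}

// unsafeFlatten reproduces the reported failure: the unchecked assertion
// v.(string) panics as soon as a value is a nested map rather than a string.
func unsafeFlatten(data map[string]interface{}) map[string][]byte {
	out := make(map[string][]byte, len(data))
	for k, v := range data {
		out[k] = []byte(v.(string))
	}
	return out
}

// EmbedSecretData builds the "k8s embedded" mapping: strings are copied, nested
// objects are re-encoded as JSON under their own key, and any other type is
// returned as an error instead of crashing the sync. The []byte values are what
// client-go's Secret.Data holds; base64 only appears in the serialized manifest.
func EmbedSecretData(data map[string]interface{}) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data))
	for k, v := range data {
		switch val := v.(type) {
		case string:
			out[k] = []byte(val)
		case map[string]interface{}:
			b, err := json.Marshal(val)
			if err != nil {
				return nil, fmt.Errorf("key %q: %w", k, err)
			}
			out[k] = b
		default:
			return nil, fmt.Errorf("key %q: unsupported value type %T", k, v)
		}
	}
	return out, nil
}
```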

@marcsauter
Contributor

https://github.com/postfinance/vault-kubernetes/tree/decode with an issue I hope to solve soon, but most cases work.

@picnic-sven

Bumping this thread for visibility. This would be a very handy feature for us 😄
