bank-vaults / vault-helm-chart

A Helm chart for installing Hashicorp Vault
Apache License 2.0

vault-config.yml contents is converted to JSON and doesn't affect application #15

Closed kirillplis closed 12 months ago

kirillplis commented 12 months ago

Describe the bug: In the vault-config Secret, the vault-config.yml contents are converted into JSON format before being encrypted, and are ignored by the application.

vault-config.yml:
  {{ .Values.vault.externalConfig | toPrettyJson | b64enc }}

Expected behaviour: vault-config.yml is kept in YAML format before encryption.

vault-config.yml:
  {{ .Values.vault.externalConfig | toYaml | b64enc }}

Steps to reproduce the bug:

  1. Try to change policy name or add another auth method to the externalConfig block:

    externalConfig:
      # Allows creating policies in Vault which can be used later on in roles
      # for the Kubernetes based authentication.
      # See https://www.vaultproject.io/docs/concepts/policies.html for more information.
      policies:
        - name: test_allow_secrets
          rules: |
            path "secret/*" {
              capabilities = ["create", "read", "update", "delete", "list"]
            }
      auth:
        - type: kubernetes
          # Allows creating roles in Vault which can be used later on for the Kubernetes based
          # authentication.
          # See https://www.vaultproject.io/docs/auth/kubernetes.html#creating-a-role for
          # more information.
          roles:
            # Allow every pod in the default namespace to use the secret kv store
            - name: default
              bound_service_account_names: default
              bound_service_account_namespaces: default
              policies: allow_secrets
              ttl: 1h
      secrets:
        - path: test-secret
          type: kv
          description: General secrets.
          options:
            version: 2

    This step should produce no changes to the policies/secrets/auth configuration.

  2. Put the same contents directly into the vault-config.yml file and observe the changes:

    kubectl exec -it vault-0 -n vault -c vault -- sh
    echo YAML_CONFIG > vault/config/vault-config.yml
    cat vault/config/vault-config.yml

    This step should produce desired changes to the policies/secrets/auth configuration.

Environment details:

/kind bug
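To see which format the chart actually rendered into the Secret, the check below decodes the vault-config.yml key of a Secret manifest (as returned by `kubectl get secret vault-config -o json`) and classifies it. This is an added example, not code from the issue or the vault-helm-chart project; the Secret manifest and the externalConfig values in it are constructed for illustration.

```python
"""Report whether the vault-config Secret carries vault-config.yml as JSON or YAML.

Added example (not part of vault-helm-chart). Input is a Secret manifest dict
such as `kubectl get secret vault-config -n vault -o json` returns.
"""
import base64
import json

# Constructed sample mirroring the chart's `externalConfig | toPrettyJson | b64enc`.
EXTERNAL_CONFIG = {
    "policies": [{"name": "test_allow_secrets",
                  "rules": 'path "secret/*" {\n  capabilities = ["read", "list"]\n}\n'}],
    "secrets": [{"path": "test-secret", "type": "kv", "options": {"version": 2}}],
}
SAMPLE_SECRET = {  # constructed, not a real cluster object
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "vault-config", "namespace": "vault"},
    "data": {
        "vault-config.yml": base64.b64encode(
            json.dumps(EXTERNAL_CONFIG, indent=2).encode()).decode(),
    },
}


def decode_key(secret, key="vault-config.yml"):
    """Return the base64-decoded contents of one data key of a Secret manifest."""
    return base64.b64decode(secret["data"][key]).decode()


def detect_format(text):
    """Classify decoded config text as 'json' or 'yaml'.

    JSON is itself valid YAML, which is why Vault accepted both renderings in
    this thread; the classification only says what the template emitted.
    """
    try:
        json.loads(text)
        return "json"
    except json.JSONDecodeError:
        return "yaml"


def check_secret(secret):
    """Return (format, parsed mapping if JSON else None) for vault-config.yml."""
    text = decode_key(secret)
    fmt = detect_format(text)
    return fmt, (json.loads(text) if fmt == "json" else None)


if __name__ == "__main__":
    fmt, parsed = check_secret(SAMPLE_SECRET)
    print(f"vault-config.yml is rendered as {fmt}")
```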

kirillplis commented 12 months ago

PR https://github.com/bank-vaults/vault-helm-chart/pull/16

akijakya commented 12 months ago

Hi @kirillplis, thank you for using Bank-Vaults!

I agree that vault-config.yml should not be JSON, based on the file extension 🙂

I don't quite understand step 1. though, as changing the config values in the Helm chart and then upgrading it (which should be a safe thing to do if you use consul or a bucket for storage backend) should result in changing the config just as fine (I tried it with an S3 bucket as storage).

If you'd like to get an even better experience configuring Vault, I would recommend using the vault-operator, which has a reconciliation loop to apply the changes in configuration to Vault provided in a custom resource!

kirillplis commented 12 months ago

Hi @akijakya, thank you for looking into this. I ran another test right now and you are totally correct, it works in JSON format too. Apparently, my config was off when I tested it, and I made a false conclusion that the JSON format was the issue. I probably fixed the config during my investigation, so by the time I replaced the vault-config.yml contents inside the pod with the YAML version, it all worked.

Since it's resolved and the PR was merged, I'm closing this issue.