hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Add explodeMap templating function #912

Open hamishforbes opened 2 months ago

hamishforbes commented 2 months ago

Is your feature request related to a problem? Please describe. I'm looking at migrating from a setup where I use consul-template to fetch and then template Vault secrets (via the Vault Agent sidecar) into my application pods before launching the actual application process.

My apps generally consume JSON formatted config files with deeply nested structures.

The solution we've got now is to create fields in the Vault secret with / separated names and use the consul-template explodeMap function to expand these out to a nested map, which can then be converted to JSON.

e.g. Vault secret

> vault kv get secret/foobar
...snip
============== Data ==============
Key                          Value
---                          -----
foo/bar/baz                  qux
foo/a/b                      c

template

{{- with secret "secret/foobar" -}}
{{- range $k, $v := .Data.data -}}
{{- scratch.MapSet "vars" $k $v -}}
{{- end -}}
{{- end -}}
{{ scratch.Get "vars" | explodeMap | toJSONPretty }}

json result

{
  "foo": {
    "bar": {
      "baz": "qux"
    },
    "a": {
      "b": "c"
    }
  }
}

Describe the solution you'd like An equivalent function in VSO so that I can do something like

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: foobar
  namespace: default
spec:
  destination:
    create: true
    name: foobar
    transformation:
      excludes:
      - .*
      templates:
        vault.json:
          text: |
            {{ .Secrets | explodeMap | toPrettyJson }}
  mount: /secret
  path: foobar
  type: kv-v2
  vaultAuthRef: foobar

Describe alternatives you've considered If there's a way to do this with the available functions, that'd be great too, especially if I can abstract it out into a shared SecretTransformation. I haven't been able to figure out a way though, splitn maybe?

hamishforbes commented 2 months ago

Ah, of course. I think I've figured it out with the existing sprig functions. It's not too pretty or easy to understand, but in case anyone else has a similar use case, this seems to be working for me:

{{- $s := dict }}
{{- $i := dict }}
{{- range $key, $value := .Secrets }}
  {{- $splitkey := splitList "/" $key }}
  {{- $i = $s -}}
  {{- range $k, $v := $splitkey }}
    {{- if eq $k ( sub (len $splitkey) 1) }}
      {{- $_ := set $i $v $value }}
    {{- else -}}
      {{- if not (hasKey $i $v) }} {{- $_ := set $i $v (dict) }} {{- end }}
      {{- $i = get $i $v }}
    {{- end }}
  {{- end }}
{{- end -}}
{{ $s | toPrettyJson }}
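A stand-alone Go version of the expansion the template above performs, added here as an illustration and not taken from VSO or consul-template; the names ExplodeMap and the constructed sample map are assumptions for the example. Unlike the template, it reports a key that is both a leaf and a branch (e.g. "foo" and "foo/bar") instead of silently overwriting one with the other.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ExplodeMap expands flat keys such as "foo/bar/baz" into nested maps, the
// way consul-template's explodeMap does. A path cannot be both a leaf and a
// branch ("foo" and "foo/bar"), so that case is reported instead of silently
// overwritten; Go map iteration is unordered, so "last key wins" would not be stable.
func ExplodeMap(flat map[string]string, sep string) (map[string]interface{}, error) {
	root := map[string]interface{}{}
	for key, value := range flat {
		parts := strings.Split(key, sep)
		cur := root
		for i, part := range parts {
			if i == len(parts)-1 {
				if _, isBranch := cur[part].(map[string]interface{}); isBranch {
					return nil, fmt.Errorf("%q: nested keys already exist under this path", key)
				}
				cur[part] = value // leaf value
				continue
			}
			switch child := cur[part].(type) {
			case nil: // first time we see this prefix: create the branch
				branch := map[string]interface{}{}
				cur[part] = branch
				cur = branch
			case map[string]interface{}:
				cur = child
			default: // a leaf string is already stored at this prefix
				return nil, fmt.Errorf("%q: leaf value already exists at %q", key, strings.Join(parts[:i+1], sep))
			}
		}
	}
	return root, nil
}

func main() {
	// Constructed sample mirroring the issue's secret/foobar data.
	flat := map[string]string{"foo/bar/baz": "qux", "foo/a/b": "c"}
	nested, err := ExplodeMap(flat, "/")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(nested, "", "  ")
	fmt.Println(string(out))
}
```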