hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

Vault's secrets are simply copied into k8s Secrets as base64 JSON #914

Closed jdafda closed 2 months ago

jdafda commented 2 months ago

I am following this document

https://developer.hashicorp.com/vault/tutorials/kubernetes/vault-secrets-operator

vault kv put kvv2/webapp/config username="static-user" password="static-password"
{
  "request_id": "80cfc964-5175-fbf3-3cc2",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "password": "static-password",
      "username": "static-user"
    },
    "metadata": {
      "created_time": "2024-09-12T14:29:50.312667844Z",
      "custom_metadata": null,
      "deletion_time": "",
      "destroyed": false,
      "version": 7
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null,
  "mount_type": "kv"
}
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vaultstaticsecret-sample
  namespace: springboot-app
spec:
  destination:
    transformation:
      excludeRaw: true
    create: true
    name: app-secrets
    overwrite: true
    type: "Opaque"
  hmacSecretData: true
  mount: kvv2
  path: webapp/config
  refreshAfter: 30s
  type: kv-v2
  vaultAuthRef: vaultauth-sample

Resulting K8s Secret

kind: Secret
apiVersion: v1
metadata:
  name: app-secrets
  namespace: springboot-app
  labels:
    app.kubernetes.io/component: secret-sync
    app.kubernetes.io/managed-by: hashicorp-vso
    app.kubernetes.io/name: vault-secrets-operator
    secrets.hashicorp.com/vso-ownerRefUID: e9e6e8b3-2174-48c9-a2ac-ad32e6dfaa1a
  ownerReferences:
    - apiVersion: secrets.hashicorp.com/v1beta1
      kind: VaultStaticSecret
      name: vaultstaticsecret-sample
      uid: e9e6e8b3-2174-48c9-a2ac-ad32e6dfaa1a
data:
  data: eyJwYXNzd29yZCI6InN0YXRpYy1wYXNzd29yZCIsInVzZXJuYW1lIjoic3RhdGljLXVzZXIifQ==
type: Opaque
base64 -d <<< eyJwYXNzd29yZCI6InN0YXRpYy1wYXNzd29yZCIsInVzZXJuYW1lIjoic3RhdGljLXVzZXIifQ==
{"password":"static-password","username":"static-user"}

Expected K8s Secret

kind: Secret
apiVersion: v1
metadata:
  name: app-secrets
  namespace: springboot-app
  labels:
    app.kubernetes.io/component: secret-sync
    app.kubernetes.io/managed-by: hashicorp-vso
    app.kubernetes.io/name: vault-secrets-operator
    secrets.hashicorp.com/vso-ownerRefUID: 778d0ca0-56de-495e-bec6-7e8129121f39
  ownerReferences:
    - apiVersion: secrets.hashicorp.com/v1beta1
      kind: VaultStaticSecret
      name: vaultstaticsecret-sample
      uid: 778d0ca0-56de-495e-bec6-7e8129121f39
data:
  password: c3RhdGljLXBhc3N3b3Jk
  username: c3RhdGljLXVzZXI=
type: Opaque

Also tried the interactive terminal, and it was working as expected.

Environment :
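The report above shows the failure shape precisely: the synced Secret carries a single `data` key whose base64 value is the whole KV JSON document, while the expected Secret has one base64 entry per KV field (`password`, `username`). A workload that mounts the Secret with `secretKeyRef.key: password` fails silently against the first shape. The following script, added here as an illustration and not part of the issue or of the operator's code, audits a Secret's `data` map as returned by `kubectl get secret -o json`: it detects entries whose decoded value is a JSON object, reports which expected keys are missing, and flattens the blob into the per-key layout shown under "Expected K8s Secret". The `OBSERVED_DATA` map is taken from the reported Secret; the function names are my own.

```python
import base64
import json

# Sample taken from the reported Secret: VSO wrote one key, "data", whose
# base64 value is the full KV payload {"password": ..., "username": ...}.
OBSERVED_DATA = {
    "data": "eyJwYXNzd29yZCI6InN0YXRpYy1wYXNzd29yZCIsInVzZXJuYW1lIjoic3RhdGljLXVzZXIifQ==",
}


def b64_decode_str(value: str) -> str:
    """Strictly decode a Secret value (rejects non-base64 input)."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def b64_encode_str(value: str) -> str:
    """Encode a string the way Kubernetes stores Secret data."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def find_json_blob_keys(data: dict) -> dict:
    """Return {secret_key: parsed_object} for every entry whose decoded
    value is a JSON object, i.e. the 'whole payload in one key' symptom."""
    found = {}
    for key, encoded in data.items():
        try:
            parsed = json.loads(b64_decode_str(encoded))
        except ValueError:  # binascii.Error and JSONDecodeError are ValueErrors
            continue
        if isinstance(parsed, dict):
            found[key] = parsed
    return found


def missing_keys(data: dict, expected: list) -> list:
    """Keys a consuming Pod would reference but that are absent from the Secret."""
    return [k for k in expected if k not in data]


def flatten_json_data(data: dict, blob_key: str = "data") -> dict:
    """Produce the per-key layout the report expected: every field of the
    JSON object stored under `blob_key` becomes its own base64 entry.
    Entries other than `blob_key` are carried over untouched."""
    blobs = find_json_blob_keys(data)
    if blob_key not in blobs:
        return dict(data)  # already flat, or blob_key is not JSON; nothing to do
    flat = {k: v for k, v in data.items() if k != blob_key}
    for field, value in blobs[blob_key].items():
        if field in flat:
            raise ValueError(f"key collision while flattening: {field}")
        if not isinstance(value, str):
            value = json.dumps(value)  # nested values stay JSON-encoded
        flat[field] = b64_encode_str(value)
    return flat


if __name__ == "__main__":
    wanted = ["password", "username"]
    print("json blobs :", list(find_json_blob_keys(OBSERVED_DATA)))
    print("missing    :", missing_keys(OBSERVED_DATA, wanted))
    fixed = flatten_json_data(OBSERVED_DATA)
    print("flattened  :", fixed)
    print("missing now:", missing_keys(fixed, wanted))
```

The flattening is diagnostic only: a Secret rewritten by hand will be replaced on the operator's next reconcile (the CR above sets `overwrite: true` and `refreshAfter: 30s`), so the lasting fix has to come from the `VaultStaticSecret` configuration or the operator, not from editing the Secret. Running the audit in CI against synced Secrets catches the mismatch before a Pod's `secretKeyRef` fails at start-up.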

jdafda commented 2 months ago

Opened an Enterprise support ticket, hence closing this.