SecretStore Hashicorp Vault - inconsistent path re-write #1604
Description
Describe the solution you'd like
Consistency in when data is pre-pended to a vault path.
Observations (Constraints, Context, etc):
I believe this is related to #1333
When we have the word data anywhere in our vault path we see inconsistent behavior. We started seeing this behavior when we upgraded from 0.3.5 -> 0.5.9.
SecretStore
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: my-store
  namespace: my-namespace
spec:
  provider:
    vault:
      server: vault-server
      path: "secrets"
      version: "v2"
      auth:
        kubernetes:
          mountPath: my-mount-path
          role: my-role
          serviceAccountRef:
            name: my-sa
ExternalSecret
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-es
  namespace: my-namespace
spec:
  secretStoreRef:
    name: my-store
    kind: SecretStore
  target:
    name: my-secret
  data:
    - secretKey: my-key
      remoteRef:
        key: "cluster1/data/my-secret"
        property: my-property
This attempts to pull secrets/cluster1/data/my-secret but the expected path is secrets/data/cluster1/data/my-secret.
This SecretStore setup, however, correctly requests anything without data in its path, for example:
    - secretKey: my-key
      remoteRef:
        key: "cluster1/passwords/my-secret"
        property: my-property
This would successfully request secrets/data/cluster1/passwords/my-secret.
A fix to make this work is to make the vault path secrets/data, but this breaks any other secrets from the SecretStore that don't have data in the path. The only way to get this working was to create a second SecretStore in the namespace and create separate ExternalSecret objects depending on whether data is in the path.
Let me know if more details are required; I attempted to show a complete picture while being concise.
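The path behaviour this report describes can be made concrete in a few lines. The Go below is an added illustration for readers of the issue, not code from the external-secrets project: `buildKVv2Path` applies the rule the reporter expects (for a KV v2 engine the API path is `<mount>/data/<key>`, where the mount comes from `spec.provider.vault.path` and the key from `remoteRef.key`, with no inspection of the key's own segments), and `naiveKVv2Path` is a hypothetical reconstruction of the failure mode, where a substring test for `/data/` anywhere in the joined path suppresses the mount-level insert. The function names and the substring heuristic are assumptions made for this example, not a claim about how the controller is implemented.

```go
package main

import (
	"fmt"
	"strings"
)

// buildKVv2Path returns the Vault HTTP API path for a KV v2 read.
// The "data" segment is inserted once, immediately after the mount
// taken from the SecretStore (spec.provider.vault.path). The key from
// remoteRef.key is appended unchanged, so a key that itself contains a
// "data" segment is left alone.
func buildKVv2Path(mount, key string) string {
	mount = strings.Trim(mount, "/")
	key = strings.Trim(key, "/")
	return mount + "/data/" + key
}

// naiveKVv2Path is a hypothetical implementation that reproduces the
// symptom in the report: it checks whether "/data/" already appears
// anywhere in mount+key and skips the insert if so. That test cannot
// tell the mount-level "data" apart from a user-chosen segment, so
// "cluster1/data/my-secret" is requested without the KV v2 prefix.
func naiveKVv2Path(mount, key string) string {
	mount = strings.Trim(mount, "/")
	key = strings.Trim(key, "/")
	joined := mount + "/" + key
	if strings.Contains(joined, "/data/") { // wrong: matches user segments too
		return joined
	}
	return mount + "/data/" + key
}

// pathsAgree reports whether both strategies yield the same request path
// for a given mount and key; a false result flags a key that would be
// read from the wrong location by the naive strategy.
func pathsAgree(mount, key string) bool {
	return buildKVv2Path(mount, key) == naiveKVv2Path(mount, key)
}

func main() {
	// Keys taken from the SecretStore/ExternalSecret in the report.
	mount := "secrets"
	for _, key := range []string{"cluster1/data/my-secret", "cluster1/passwords/my-secret"} {
		fmt.Printf("key=%-30s expected=%-40s naive=%s agree=%v\n",
			key, buildKVv2Path(mount, key), naiveKVv2Path(mount, key), pathsAgree(mount, key))
	}
}
```

Running it shows the second key resolved identically by both strategies while the first diverges exactly as the issue describes (secrets/cluster1/data/my-secret versus secrets/data/cluster1/data/my-secret). The defensive takeaway is that the KV v2 rewrite should key off the mount boundary, never off the presence of a reserved word somewhere in the caller-supplied path.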