Remco not reading JSON secret from Vault

Question

Remco not reading JSON secret from Vault

pwyatt87 opened this issue 2 years ago · comments

I have a json secret stored in vault that I'm trying to read with remco.

$ vault kv get /tenant/AdamsAndSons-8/app1/properties
====== Data ======
Key          Value
---          -----
093 KKQ      true
1-74144      true
877 WHM      false
ZBD 291      true
ZDP 140      true
workflows    [map[workflowName:workflow-1 workflowTenantName:Adams and Sons 1] map[workflowName:workflow-2 workflowTenantName:Adams and Sons 2] map[workflowName:workflow-3 workflowTenantName:Adams and Sons 3]]

Remco doesn't pick it up when I try to read it. Here's the template function I'm using to pull it down:

{% with get("/tenant/AdamsAndSons-8/app1/properties") as dat %}
I'm getting this error:

createStageFileAndSync failed: create stage file failed: template execution failed: [Error (where: execution) in ./config.json.toml | Line 1 Col 9 near 'get'] key does not exist: /tenant/AdamsAndSons-8/app1/properties
I believe it's caused by this delete() on JSON secrets in easyKV:

https://github.com/HeavyHorst/easykv/blob/master/vault/client.go#L225

Here's my config.toml just for completeness

################################################################
# Global configuration
################################################################
log_level = "trace"
log_format = "text"
################################################################
# Resource configuration
################################################################
[[resource]]
  [[resource.template]]
    src = "./config.json.toml"
    dst = "config.json"
  [resource.backend]
    [resource.backend.vault]
      node =   "http://localhost:8200"
      keys = [ "tenant" ]
      auth_type = "token"
      auth_token =  "my token"
      interval = 10
      onetime=true

Rene Kaufmann · Answer 1 · Sat Aug 20 2022 03:55:57 GMT+0800 (China Standard Time)

What is the output of:

{% for kv in gets("/rust/cfg/*") %}
{{ kv.Key }} {{ kv.Value }}
{% endfor %}

?

All keys start with "/" so it should be
keys = [ "/tenant" ]

Paul Wyatt · Answer 2 · Sat Aug 20 2022 06:16:19 GMT+0800 (China Standard Time)

Sorry, you're right about the preceding /.

Here's the /rust/cfg key in vault:

/ $ vault kv get /rust/cfg/foo
=== Data ===
Key    Value
---    -----
bar    map[baz:bat]

Here's my config.toml to pull that key:

################################################################
# Global configuration
################################################################
log_level = "trace"
log_format = "text"
################################################################
# Resource configuration
################################################################
[[resource]]
  [[resource.template]]
    src = "./config.json.toml"
    dst = "config.json"
  [resource.backend]
    [resource.backend.vault]
      node =   "http://localhost:8200"
      keys = [ "/rust" ]
      auth_type = "token"
      auth_token =  "my token"
      interval = 10
      onetime=true

Here's the template file:

{% for kv in gets("/rust/cfg/*") %}
{{ kv.Key }} {{ kv.Value }}
{% endfor %}

This produces an empty config.json file for me. If i remove that line line the easyKV repo and rebuild, i get this:

→ cat config.json
/rust/cfg/foo {"bar":{"baz":"bat"}}

Rene Kaufmann · Answer 3 · Sat Aug 20 2022 13:40:07 GMT+0800 (China Standard Time)

Can you try {% for kv in getallkvs()) %} {{ kv.Key }} {{ kv.Value }} {% endfor %} I expect there to be /rust/cfg/foo/bar/baz bat because the keyspace is flattened. Note to myself: getallkvs should be documented Paul Wyatt ***@***.***> schrieb am Sa., 20. Aug. 2022, 00:16:

…

Sorry, you're right about the preceding /. Here's the /rust/cfg key in vault: / $ vault kv get /rust/cfg/foo === Data === Key Value --- ----- bar map[baz:bat] Here's my config.toml to pull that key: ################################################################ # Global configuration ################################################################ log_level = "trace" log_format = "text" ################################################################ # Resource configuration ################################################################ [[resource]] [[resource.template]] src = "./config.json.toml" dst = "config.json" [resource.backend] [resource.backend.vault] node = "http://localhost:8200" keys = [ "/rust" ] auth_type = "token" auth_token = "my token" interval = 10 onetime=true Here's the template file: {% for kv in gets("/rust/cfg/*") %} {{ kv.Key }} {{ kv.Value }} {% endfor %} This produces an empty config.json file for me. If i remove that line line the easyKV repo and rebuild, i get this: → cat config.json /rust/cfg/foo {"bar":{"baz":"bat"}} — Reply to this email directly, view it on GitHub <#87 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAVZ427ICQLVK7NB3RBVQ3V2ABT3ANCNFSM57BE2DLQ> . You are receiving this because you commented.Message ID: ***@***.***>

Paul Wyatt · Answer 4 · Sun Aug 21 2022 02:36:58 GMT+0800 (China Standard Time)

Ok, that returned:

/rust/cfg/foo/bar/baz bat