Provider writes `null` if key does not exist at the secret path
sarahhenkens opened this issue · comments
Steps to reproduce
Mount a K/V secret at /foo/bar
containing the following:
{
"baz": 42
}
Create the following SecretProviderClass
:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: my-spc
spec:
provider: vault
parameters:
roleName: vault
objects: |
- objectName: "something-name"
secretPath: "foo/bar"
secretKey: "non-existing-key"
Expected:
The pod to not boot up since foo/bar/non-existing-key
does not exist in vault.
What is happening:
The provider.keyFromData
fails to fail and returns a null
value. Which it renders on the filesystem path as if the secret contains a concrete null value.
The pod continues to start with a false-positive match of the secret provider class mount path.
⚠️ High Risk:
Imagine an application relies on /super/secret/password
path and a human operator creates a typo on that path and writes passsword
instead. The CSI Provider will render null
for the password of the application. This could lead to failure in setting an actual password.