hashicorp / vault-csi-provider

HashiCorp Vault Provider for Secret Store CSI Driver


Provider writes `null` if key does not exist at the secret path

sarahhenkens opened this issue · comments

Steps to reproduce

Mount a K/V secret at /foo/bar containing the following:

{
  "baz": 42
}

Create the following SecretProviderClass:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: my-spc
spec:
  provider: vault
  parameters:
    roleName: vault
    objects: |
      - objectName: "something-name"
        secretPath: "foo/bar"
        secretKey: "non-existing-key"

Expected:

The pod to not boot up since foo/bar/non-existing-key does not exist in vault.

What is happening:

The provider.keyFromData fails to fail and returns a null value, which it renders on the filesystem path as if the secret contains a concrete null value.

The pod continues to start with a false-positive match of the secret provider class mount path.

⚠️ High Risk:

Imagine an application relies on /super/secret/password path and a human operator creates a typo on that path and writes passsword instead. The CSI Provider will render null for the password of the application. This could lead to failure in setting an actual password.
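The fail-open behaviour described in this issue, and the fail-closed lookup a defender would want instead, as an added Go example. This is not the vault-csi-provider's own code: `lenientKeyFromData` reproduces the reported behaviour (a missing key marshals to the JSON literal `null`), and `strictKeyFromData` is a hypothetical replacement that refuses to write anything when the key is absent or explicitly null. The `secretData` type and the sample data are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// secretData mirrors the "data" map of a K/V secret read from Vault.
type secretData map[string]interface{}

// lenientKeyFromData indexes the map without checking presence. For a
// missing key the zero value (a nil interface) is marshalled, and
// encoding/json renders nil as the literal "null", which is exactly the
// content that ends up on the mounted path in the issue report.
func lenientKeyFromData(data secretData, key string) ([]byte, error) {
	return json.Marshal(data[key])
}

// strictKeyFromData fails closed: an absent key, or a key whose value is
// null, is an error, so the pod does not start with a placeholder secret.
// (Hypothetical replacement, not the provider's implementation.)
func strictKeyFromData(data secretData, path, key string) ([]byte, error) {
	v, ok := data[key]
	if !ok {
		return nil, fmt.Errorf("key %q not found in secret at %q", key, path)
	}
	if v == nil {
		return nil, fmt.Errorf("key %q in secret at %q is null", key, path)
	}
	// Write string values verbatim so a mounted password file holds the raw
	// value; anything else is JSON-encoded.
	if s, isStr := v.(string); isStr {
		return []byte(s), nil
	}
	return json.Marshal(v)
}

func main() {
	// Constructed sample matching the secret from the reproduction steps.
	data := secretData{"baz": 42}

	out, _ := lenientKeyFromData(data, "non-existing-key")
	fmt.Printf("lenient: %s\n", out) // prints: lenient: null

	if _, err := strictKeyFromData(data, "foo/bar", "non-existing-key"); err != nil {
		fmt.Println("strict:", err)
	}
}
```

The useful property is that a typo in `secretKey` surfaces as a mount failure at pod start, where it is visible, rather than as a file containing `null` that the application reads as a real credential.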