
Comments (7)

tomhjp commented on May 20, 2024 (3)

The TL;DR here is that you've arrived at the correct solution, and we have no plans to change how that works. Read on for more context and detail.

Previously, the provider only supported KV secret engines, and did automatic detection of which KV version (1 or 2) was in use, and inserted a data/ element into the path accordingly. See the docs for reading KV v2 secret contents for context on why there is a data/ element at all. This feature also required an additional round trip to Vault and extra permissions to query the API endpoint that advertises which version of KV is in use.

As part of adding support for all secret engines to the provider, we removed that feature, and the path specified in the CRD is always what the provider will use for its API query. See #35 for some additional context too. Elsewhere in the Vault ecosystem, there are KV v2-aware examples where the data/ element is not required, such as vault kv get ssv/operator, which understandably causes a little confusion, but I'd recommend using the API docs as the reference point for what paths you set in the CRD. Note that in the CLI, you can also use vault read ssv/data/operator, and so the raw read/write etc. sub-commands are the closer analogue to what the CSI provider is doing. Hope this helps clear it up!

from vault-csi-provider.
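To make the point in the comment above concrete, here is an added example (not code from vault-csi-provider) that builds the raw API path a KV read needs for each KV version and extracts the secret value from the two response shapes Vault returns. The function names, the mount and secret names, and the sample responses are constructed for illustration; the only fact taken from the comment is that a KV v2 read goes through a data/ element while v1 does not.

```python
"""Raw KV read paths and response shapes for KV v1 and KV v2.

Added example, not part of vault-csi-provider. Mount/secret names and
the sample responses below are constructed for illustration.
"""
from typing import Any


def kv_api_path(mount: str, secret: str, kv_version: int) -> str:
    """Return the path a raw read (vault read / GET /v1/<path>) must use.

    KV v1 addresses the secret directly under the mount. KV v2 inserts
    a 'data/' element between the mount and the secret name, which is
    exactly what the secretPath in a SecretProviderClass has to carry,
    because the provider uses that path verbatim.
    """
    mount = mount.strip("/")
    secret = secret.strip("/")
    if not mount or not secret:
        raise ValueError("mount and secret must be non-empty")
    if kv_version == 1:
        return f"{mount}/{secret}"
    if kv_version == 2:
        return f"{mount}/data/{secret}"
    raise ValueError(f"unsupported KV version: {kv_version}")


def kv_secret_data(response: dict[str, Any], kv_version: int) -> dict[str, Any]:
    """Return the user's key/value map from a Vault read response.

    v1 places the keys directly under 'data'; v2 nests them one level
    deeper under data.data, next to data.metadata (version, timestamps).
    Reading a v2 response as if it were v1 would hand back the wrapper
    containing 'data' and 'metadata' instead of the secret's own keys.
    """
    if kv_version == 1:
        return response["data"]
    if kv_version == 2:
        return response["data"]["data"]
    raise ValueError(f"unsupported KV version: {kv_version}")


def has_secret_key(response: dict[str, Any], kv_version: int, key: str) -> bool:
    """True if the response carries the requested secretKey (e.g. 'SK')."""
    return key in kv_secret_data(response, kv_version)


def lookup_secret_key(response: dict[str, Any], kv_version: int, key: str) -> str:
    """Return one key's value, failing loudly with the keys that do exist."""
    data = kv_secret_data(response, kv_version)
    if key not in data:
        raise KeyError(f"key {key!r} not in secret; available keys: {sorted(data)}")
    return data[key]


# Constructed sample responses mirroring the two API shapes (not real output).
KV1_RESPONSE: dict[str, Any] = {
    "request_id": "constructed-request-id",
    "data": {"SK": "constructed-v1-value"},
}
KV2_RESPONSE: dict[str, Any] = {
    "request_id": "constructed-request-id",
    "data": {
        "data": {"SK": "constructed-v2-value"},
        "metadata": {"version": 3, "destroyed": False},
    },
}


if __name__ == "__main__":
    # Mirrors the thread: mount 'ssv', secret 'operator', key 'SK' on KV v2.
    print(kv_api_path("ssv", "operator", 2))            # ssv/data/operator
    print(lookup_secret_key(KV2_RESPONSE, 2, "SK"))     # constructed-v2-value
    # Same names on a KV v1 mount: no data/ element, flat response.
    print(kv_api_path("ssv", "operator", 1))            # ssv/operator
    print(lookup_secret_key(KV1_RESPONSE, 1, "SK"))     # constructed-v1-value
```

The `kv_api_path` output for version 2 is the string that belongs in `secretPath`; the response handling shows why a v2 secret read through the wrong shape surfaces as a missing key rather than an obvious error.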

seboudry commented on May 20, 2024 (1)

Thanks @tomhjp for this explanation.

Adding data/ was exactly the solution found yesterday around the same time after hours of investigation and troubleshooting 😄


ArchiFleKs commented on May 20, 2024

It seems to work with:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: ssv-node
  namespace: ssv
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"
    roleName: "ssv-node"
    objects: |
      - objectName: operator-key
        secretPath: ssv/data/operator
        secretKey: SK
  secretObjects:
  - data:
    - key: SK
      objectName: operator-key
    secretName: ssv-node
    type: Opaque


gtaylor commented on May 20, 2024

I wonder whether this may break in the future if we manually stick that data in there :/


ArchiFleKs commented on May 20, 2024

@gtaylor what is the proper way of mounting a secret with KV v2?


gtaylor commented on May 20, 2024

I think there's a bug, so this may be the only way. Once the bug is fixed, our workaround may no longer work.

I'm using the same workaround, not trying to suggest an alternative (I don't know of any, aside from fixing the bug).


artificial-aidan commented on May 20, 2024

Would be nice if this was called out in the examples somewhere. I am comparing the vault injector to the vault csi provider, and one requires /data/ and the other does not. Glad I found this issue. I guess technically it is captured in the getting started docs but maybe it could be emphasized.

