Support to Read Base64 format and Decode it in Secret - for storing Certificates #95
Comments
@adit0012m This is an interesting thought, we will look into if adding transformer helpers such as
+1 we also have requirements to use vault to manage tls.crt and tls.key and would need the plugin to work with the above use case
Once #96 gets merged, you will be able to load in a base64 encoded cert to vault and then use the data field to put into your cluster. For example:
Does that work for your use case?
In the data field, is there going to be an option to configure whether it is base64 decoded or raw? e.g.
@clcchai Not at this time. If you want to store a base64 encoded value in vault and have it be decoded in Kubernetes you would use the https://github.com/werne2j/argocd-example/blob/master/kubernetes/cert-sample.yaml And you can use
@werne2j this would be fine for now to make basic functionalities work. Sounds good.
Changes are now available in https://github.com/IBM/argocd-vault-plugin/releases/tag/v0.6.0
@jkayani I should thank everyone for the wonderful work.
We are expecting something similar. Describing a few challenges as per my understanding and testing.
Tested the for both use cases,
The plugin does replace `data` key from Vault as-is ( but, Ref: then the plugin will base64 the Vault data before replacing the placeholder..). In our case, not the correct behaviour then.
and
Expected `stringData` inside the key should replace value from Vault as-is which is not working.
Configured yaml file looks as below:
Thoughts on this.
Expecting a new Feature or an Existing Options are not Aware
The plugin works perfectly fine with the plain text stored in Vault gets the value back in to the secret. Is there a way we can decode values present in a Vault secret path are encoded in the `base64` format at the secret end. This helps us to store certificate formats such as .crt, .pem etc... `base64` encoded format in Vault secret path and values are decoded when retrieves it from Vault server. Just to give an example. Same is achieved using Consul Template to render the Vault secret with side car container Vault k8s auth method.
Ex:
```
{{with secret "secret/example"}} MyKey = {{.Data.data.MyKeyCerts | base64Decode}}{{end}}
```
So, is there any way we can decode base64 format data before it replaces the placeholder with the actual value --> something like "<base64decode MyKey>".
Originally posted by @adit0012m in #92 (comment)
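
The `data` versus `stringData` behaviour discussed in this thread, as an added example that is not code from the plugin or from any commenter: it models only how Kubernetes treats the two Secret fields and assumes the value from Vault is inserted unchanged. `SAMPLE_PEM`, `VAULT_VALUE` and the function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: a placeholder PEM body, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)
# What the operator stores in Vault: the base64 encoding of the PEM file.
VAULT_VALUE = base64.b64encode(SAMPLE_PEM.encode()).decode()


def stored_bytes(field: str, value: str) -> bytes:
    """Bytes a pod reads from a Secret key, per Kubernetes Secret semantics:
    `data` values are base64 and get decoded; `stringData` is kept verbatim."""
    if field == "data":
        try:
            return base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            # The API server refuses a manifest whose data value is not base64.
            raise ValueError("data value is not valid base64") from exc
    if field == "stringData":
        return value.encode()
    raise ValueError(f"unknown Secret field: {field}")


def is_pem_certificate(blob: bytes) -> bool:
    """Sanity check a pipeline can run before applying the rendered manifest."""
    text = blob.decode("ascii", errors="replace").strip()
    return (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----"))


def check(field: str, value: str) -> str:
    """Classify the result of putting `value` into `field` of a Secret."""
    try:
        blob = stored_bytes(field, value)
    except ValueError:
        return "rejected"
    return "pem" if is_pem_certificate(blob) else "not-pem"


if __name__ == "__main__":
    for field in ("data", "stringData"):
        for label, value in (("base64", VAULT_VALUE), ("raw PEM", SAMPLE_PEM)):
            print(f"{field:<10} <- {label:<7} => {check(field, value)}")
```

A base64 value from Vault yields a usable certificate only under `data`; under `stringData` the pod receives the base64 text itself, and raw PEM under `data` is refused.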