
Bug: Doesn't read secrets when SECRET_ENV_ suffix does not match the last part of the secret path #29

Closed
geekflyer opened this issue Jan 27, 2020 · 1 comment · Fixed by #33

Comments

@geekflyer
geekflyer commented Jan 27, 2020

I believe I found a bug in how daytona treats the names of environment variables when fetching individual secrets.

Consider that I start daytona with these environment variables:

VAULT_SECRET_1: secret/application/myapp/service_account.json
DAYTONA_SECRET_DESTINATION_1: /secrets/service_account.json

What I would expect to happen is that daytona reads the key at secret/application/myapp/service_account.json and writes its value to /secrets/service_account.json.

What actually happens is, well, basically nothing.
Daytona seems to silently skip reading / writing the key and the logs simply contain this:

DAYTONA - 2020/01/27 01:22:02 Starting secret fetch
DAYTONA - 2020/01/27 01:22:02 Certificate or private key output path is empty, will not attempt to get certificate

Through some extensive trial and error I found that apparently daytona expects the suffix of the environment variable to match the last path of the vault secret path, in this case service_account.json.
In other words:

VAULT_SECRET_service_account.json: secret/application/myapp/service_account.json
DAYTONA_SECRET_DESTINATION_service_account.json: /secrets/service_account.json

works, but

VAULT_SECRET_1: secret/application/myapp/service_account.json
DAYTONA_SECRET_DESTINATION_1: /secrets/service_account.json

does not.

This is a bit surprising since the docs here https://github.com/cruise-automation/daytona#secret-fetching clearly mention

Any unique value can be appended to VAULT_SECRET_ in order to provide the ability to supply multiple secret paths.

Furthermore, requiring the suffix to match the last path of the secret basically makes it impossible to fetch secrets from different vault paths if their key name (file name) by chance happens to be the same, which will inevitably lead to a name conflict in their environment variables.

Also daytona should generally provide some error message if environment variables starting with VAULT_SECRET_ somehow could not be processed correctly.

Thanks.
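To make the two pairing rules concrete, here is an added example in Go (daytona's language); it is not daytona's code and the function names, the SecretSpec type and the environment map are assumptions constructed for the illustration. PairByLastSegment reconstructs the behaviour reported above (destination looked up by the final element of the Vault path, unmatched entries dropped silently); PairBySuffix pairs on the suffix alone, as the README sentence quoted in the issue describes, and returns an error naming every VAULT_SECRET_ entry without a destination.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// The two prefixes are the ones used in the issue; everything else here is
// illustrative and not taken from daytona.
const (
	secretPrefix = "VAULT_SECRET_"
	destPrefix   = "DAYTONA_SECRET_DESTINATION_"
)

// SecretSpec is one Vault path paired with the file it should be written to.
type SecretSpec struct {
	ID          string // the unique value appended to both prefixes
	VaultPath   string
	Destination string
}

// lastSegment returns the final element of a slash-separated Vault path.
func lastSegment(p string) string {
	p = strings.TrimRight(p, "/")
	if i := strings.LastIndex(p, "/"); i >= 0 {
		return p[i+1:]
	}
	return p
}

// PairByLastSegment reconstructs the reported behaviour: the destination is
// looked up using the last segment of the Vault path as the suffix, so
// VAULT_SECRET_1=.../service_account.json only works when
// DAYTONA_SECRET_DESTINATION_service_account.json exists. Entries without a
// match are dropped with no error, which is the silent skip in the logs.
func PairByLastSegment(env map[string]string) []SecretSpec {
	var specs []SecretSpec
	for k, path := range env {
		if !strings.HasPrefix(k, secretPrefix) {
			continue
		}
		seg := lastSegment(path)
		dest, ok := env[destPrefix+seg]
		if !ok {
			continue // silently skipped
		}
		specs = append(specs, SecretSpec{ID: seg, VaultPath: path, Destination: dest})
	}
	sort.Slice(specs, func(i, j int) bool { return specs[i].ID < specs[j].ID })
	return specs
}

// PairBySuffix pairs purely on the suffix after the prefix, so any unique
// value works and two paths ending in the same file name cannot collide.
// Every VAULT_SECRET_ entry without a destination is reported in the error.
func PairBySuffix(env map[string]string) ([]SecretSpec, error) {
	var specs []SecretSpec
	var missing []string
	for k, path := range env {
		if !strings.HasPrefix(k, secretPrefix) {
			continue
		}
		id := strings.TrimPrefix(k, secretPrefix)
		dest, ok := env[destPrefix+id]
		if !ok {
			missing = append(missing, k)
			continue
		}
		specs = append(specs, SecretSpec{ID: id, VaultPath: path, Destination: dest})
	}
	sort.Slice(specs, func(i, j int) bool { return specs[i].ID < specs[j].ID })
	sort.Strings(missing)
	if len(missing) > 0 {
		return specs, fmt.Errorf("no %s<suffix> for: %s", destPrefix, strings.Join(missing, ", "))
	}
	return specs, nil
}

func main() {
	// Constructed environment, not from a real deployment: two secrets whose
	// final path element is the same file name, plus one with no destination.
	env := map[string]string{
		"VAULT_SECRET_1":               "secret/application/myapp/service_account.json",
		"DAYTONA_SECRET_DESTINATION_1": "/secrets/myapp/service_account.json",
		"VAULT_SECRET_2":               "secret/application/otherapp/service_account.json",
		"DAYTONA_SECRET_DESTINATION_2": "/secrets/otherapp/service_account.json",
		"VAULT_SECRET_3":               "secret/application/myapp/db_password",
	}
	fmt.Println("by last segment:", PairByLastSegment(env)) // nothing is fetched
	specs, err := PairBySuffix(env)
	fmt.Println("by suffix:", specs)
	fmt.Println("error:", err)
}
```

With the constructed environment, PairByLastSegment returns no specs at all, matching the "basically nothing" outcome in the report; PairBySuffix returns secrets 1 and 2 with distinct destinations and an error naming VAULT_SECRET_3. Note that under the last-segment rule, if DAYTONA_SECRET_DESTINATION_service_account.json did exist, both secrets 1 and 2 would be written to that one file, which is the name conflict the report warns about.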

@geekflyer geekflyer changed the title Bug: Doesn't read secrets when SECRET_ENV_ suffix does not match the last part of the key path Bug: Doesn't read secrets when SECRET_ENV_ suffix does not match the last part of the secret path Jan 27, 2020
@robison
Contributor

robison commented Feb 3, 2020

Already addressed in this PR: #26

@broamski broamski linked a pull request Mar 10, 2020 that will close this issue