I believe I found a bug in how daytona treats the names of environment variables when fetching individual secrets.

Consider I start daytona with those environment variables:

What I would expect to happen is that daytona reads the key at `secret/application/myapp/service_account.json` and writes its value to `/secrets/service_account.json`.

What actually happens is, well, basically nothing.

Daytona seems to silently skip reading / writing the key and the logs simply contain this:

```
DAYTONA - 2020/01/27 01:22:02 Starting secret fetch
DAYTONA - 2020/01/27 01:22:02 Certificate or private key output path is empty, will not attempt to get certificate
```

Through some extensive trial and error I found that apparently daytona expects the suffix of the environment variable to match the last part of the vault secret path, in this case `service_account.json`.

In other words:

works, but

does not.

This is a bit surprising since the docs here https://github.com/cruise-automation/daytona#secret-fetching clearly mention:

> Any unique value can be appended to VAULT_SECRET_ in order to provide the ability to supply multiple secret paths.

Furthermore, requiring the suffix to match the last part of the secret path basically makes it impossible to fetch secrets from different vault paths if their key name (file name) by chance happens to be the same, which will inevitably lead to a name conflict in their environment variables.

Also, daytona should generally provide some error message if environment variables starting with `VAULT_SECRET_` somehow could not be processed correctly.

Thanks.
geekflyer changed the title from "Bug: Doesn't read secrets when SECRET_ENV_ suffix does not match the last part of the key path" to "Bug: Doesn't read secrets when SECRET_ENV_ suffix does not match the last part of the secret path" on Jan 27, 2020.
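The following is an added example, not code from the daytona project and not part of the reporter's post. It models the naming rule the issue describes (a `VAULT_SECRET_<suffix>` variable is only acted on when the suffix equals the last path component of the Vault path; exact, case-sensitive matching and the silent skip are assumptions taken from the report, not from daytona's source) as an operator-side pre-flight check. It prints the warning daytona itself does not emit for variables that would be skipped, and flags distinct Vault paths that share a last component, which is the collision the reporter points out. The sample environment is constructed for the example.

```python
"""Pre-flight check for daytona-style VAULT_SECRET_* variables.

Added example, not code from the daytona project or the issue reporter.
It models the behaviour described in the issue (an assumption about
daytona, not a reading of its source): a VAULT_SECRET_<suffix> variable
is only acted on when <suffix> equals the last path component of the
Vault path it points to, and a mismatch produces no log message.
Running this before starting daytona surfaces the silent skip and the
name collision the reporter describes.
"""
import os
from typing import Dict, Iterable, List, Tuple

PREFIX = "VAULT_SECRET_"


def last_component(vault_path: str) -> str:
    """Last path segment of a Vault path, e.g. 'a/b/c.json' -> 'c.json'."""
    return vault_path.rstrip("/").rsplit("/", 1)[-1]


def check_secret_env(env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split VAULT_SECRET_* names into (processed, skipped).

    'processed' are the names whose suffix matches the last path component
    (assumed exact, case-sensitive match); 'skipped' are the ones the
    observed behaviour would ignore without any log line.
    """
    processed: List[str] = []
    skipped: List[str] = []
    for name in sorted(env):
        if not name.startswith(PREFIX) or name == PREFIX:
            continue
        suffix = name[len(PREFIX):]
        if suffix == last_component(env[name]):
            processed.append(name)
        else:
            skipped.append(name)
    return processed, skipped


def find_conflicts(vault_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group distinct Vault paths that share a last component.

    Under the suffix rule each of these would need the same
    VAULT_SECRET_<suffix> name, so only one of them can be configured.
    """
    by_last: Dict[str, List[str]] = {}
    for path in vault_paths:
        bucket = by_last.setdefault(last_component(path), [])
        if path not in bucket:
            bucket.append(path)
    return {k: v for k, v in by_last.items() if len(v) > 1}


def report(env: Dict[str, str]) -> str:
    """Human-readable summary: the message daytona does not emit itself."""
    processed, skipped = check_secret_env(env)
    lines = [f"would process: {name} -> {env[name]}" for name in processed]
    lines += [
        f"WARNING {name}: suffix {name[len(PREFIX):]!r} != last path component "
        f"{last_component(env[name])!r}; secret would be skipped silently"
        for name in skipped
    ]
    for last, paths in find_conflicts(env[n] for n in processed + skipped).items():
        lines.append(f"CONFLICT {last!r}: {len(paths)} paths share this name: {paths}")
    return "\n".join(lines)


# Constructed sample environment (not from a real deployment). A name that
# contains '.' such as VAULT_SECRET_service_account.json cannot be set by
# most shells, but can be passed via execve, docker -e or a pod spec.
SAMPLE_ENV = {
    "VAULT_SECRET_service_account.json": "secret/application/myapp/service_account.json",
    "VAULT_SECRET_myapp_sa": "secret/application/myapp/service_account.json",
    "VAULT_SECRET_DB": "secret/application/db/config",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    # Check the real process environment; fall back to the sample when no
    # VAULT_SECRET_* variables are set so the script runs offline.
    env = dict(os.environ)
    if not any(k.startswith(PREFIX) for k in env):
        env = SAMPLE_ENV
    print(report(env))
```

Run it in the same environment you would hand to daytona: every `WARNING` line names a variable that, under the rule described above, would be ignored without a trace in the logs, and every `CONFLICT` line names a set of secrets that cannot all be fetched with this naming scheme.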