Decoding vault secret using consul template function on the vault ann…

…otation. Able to remove the bash that decodes the file and changes the extension.
hashicorp · Mar 29, 2022 · de1349b · de1349b
1 parent 838241d
commit de1349b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 25 deletions.
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
@@ -22,6 +22,13 @@ as well as the global.name setting.
             {{ "{{" }}- end -{{ "}}" }}
 {{- end -}}
 
+{{- define "consul.vaultDecodedSecretTemplate" -}}
+ |
+            {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }}
+            {{ "{{" }}- {{ printf "base64Decode .Data.data.%s" .secretKey }} -{{ "}}" }}
+            {{ "{{" }}- end -{{ "}}" }}
+{{- end -}}
+
 {{- define "consul.serverTLSCATemplate" -}}
  |
             {{ "{{" }}- with secret "{{ .Values.global.tls.caCert.secretName }}" -{{ "}}" }}

diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml
@@ -52,8 +52,8 @@ spec:
         {{- end }}
         {{- if .Values.client.snapshotAgent.configSecret.secretName }}
         {{- with .Values.client.snapshotAgent.configSecret }}
-        "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.txt": "{{ .secretName }}"
-        "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.txt": {{ template "consul.vaultSecretTemplate" . }}
+        "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}"
+        "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultDecodedSecretTemplate" . }}
         {{- end }} 
         {{- end }}
         {{- if .Values.client.snapshotAgent.configSecret.secretName }}
@@ -147,11 +147,6 @@ spec:
           {{- .Values.client.snapshotAgent.caCert | nindent 14 }}
           EOF
           {{- end }}
-          {{- if  .Values.global.secretsBackend.vault.enabled }}
-          decodedJson={{ "/vault/secrets/snapshot-agent-config.txt" | .Files.Get | b64dec }};
-          echo "$decodedJson"
-          echo "$decodedJson" > /vault/secrets/snapshot-agent-config.json
-          {{- end }}
           exec /bin/consul snapshot agent \
             {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }}
             {{- if  .Values.global.secretsBackend.vault.enabled }}

diff --git a/charts/consul/test/unit/client-snapshot-agent-deployment.bats b/charts/consul/test/unit/client-snapshot-agent-deployment.bats
@@ -838,12 +838,12 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
       yq -r '.spec.template.metadata' | tee /dev/stderr)
 
   local actual=$(echo $object |
-      yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.txt"]' | tee /dev/stderr)
+      yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json"]' | tee /dev/stderr)
   [ "${actual}" = "path/to/secret" ]
 
   actual=$(echo $object |
-      yq -r '.annotations["vault.hashicorp.com/agent-inject-template-snapshot-agent-config.txt"]' | tee /dev/stderr)
-  local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- .Data.data.config -}}\n{{- end -}}'
+      yq -r '.annotations["vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json"]' | tee /dev/stderr)
+  local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- base64Decode .Data.data.config -}}\n{{- end -}}'
   [ "${actual}" = "${expected}" ]
 
   actual=$(echo $object | jq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)
@@ -880,21 +880,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
       [ "${actual}" = "" ]
 }
 
-@test "client/SnapshotAgentDeployment: vault decondes snapshot-agent-config.txt into a .json file so that consul snapshot agent will process it" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/client-snapshot-agent-deployment.yaml  \
-      --set 'global.secretsBackend.vault.enabled=true' \
-      --set 'global.secretsBackend.vault.consulClientRole=foo' \
-      --set 'global.secretsBackend.vault.consulServerRole=test' \
-      --set 'client.snapshotAgent.enabled=true' \
-      --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \
-      --set 'client.snapshotAgent.configSecret.secretKey=config' \
-      . | tee /dev/stderr |
-      yq -r '.spec.template.spec.containers[0].command[2] | contains("echo \"$decodedJson\" > /vault/secrets/snapshot-agent-config.json")' | tee /dev/stderr)
-  [ "${actual}" = 'true' ]
-}
-
 @test "client/SnapshotAgentDeployment: vault sets config-file argument on snapshot agent command to config downloaded by vault agent injector" {
   cd `chart_dir`
   local actual=$(helm template \