KV2 secrets on nested path does not work #11
Comments
Personally, I would not expect the operator to modify the secret path, and instead just get exactly whatever I put there.
Hi, thanks for your input. I totally agree with you, normally you should get exactly what you put in the CR. My only problem here is that the
Hi, thanks for this excellent project. Hmm, yeah, I see the conundrum, other operators such as banzaicloud bank-vaults expect the user to specify
Currently I want to use the same logic as the Vault CLI (see #12), but I'm open for suggestions. @itsmeniko: I would like to improve the readme, do you have some suggestions based on your experience with the operator?
Sounds good! The only suggestion I have for the readme is that it should be clear that the helm chart has no default happy to submit a PR if you'd like
A PR from you would be very welcome.
If the KV2 secrets engine is enabled under a nested path the operator does not work for these secrets. Steps to reproduce:

The first example contains an invalid path, the operator would look for the secret at `kv2/data/on/nested/path/example-vaultsecret`, which is also not valid.

The second example contains the correct path with the `data` part in it, but the operator looks under the following path for the secret: `kv2/data/on/nested/path/data/example-vaultsecret`.

The operator only looks at the second part of the path. If this part is not `data`, `data` will be added at the second position. This behavior is incorrect if the secret engine is enabled under a nested path.

Possible solutions:

`data` part. If not, we add it on the second position. If yes, we do not modify the path. This would break CRs which contain `data` in their path on (e.g. `kv2/secret/on/nested/path/data`).

`secretEnginePath` to the CRD. Then the resulting path would be `secretEnginePath + path`.
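The path handling described in the issue, together with its two proposed solutions, as an added Go example that is not part of the original issue and is not the operator's own code. The function names, the CR input paths (reconstructed from the resulting paths quoted in the issue) and the placement of the KV2 `data` segment directly after `secretEnginePath` are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// currentPath models the behaviour the issue describes (not the operator's
// source): only the second segment is inspected, and "data" is inserted
// there unless it is already present.
func currentPath(path string) string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) < 2 || parts[1] == "data" {
		return strings.Join(parts, "/")
	}
	out := append([]string{parts[0], "data"}, parts[1:]...)
	return strings.Join(out, "/")
}

// containsCheckPath models the first proposed solution: leave the path alone
// if any segment is "data", otherwise insert "data" at the second position.
func containsCheckPath(path string) string {
	for _, p := range strings.Split(strings.Trim(path, "/"), "/") {
		if p == "data" {
			return strings.Trim(path, "/")
		}
	}
	return currentPath(path)
}

// enginePath models the second proposed solution. Assumption: the CR names
// the mount in a separate secretEnginePath field, and the KV2 "data" segment
// goes between the mount and the secret path.
func enginePath(secretEnginePath, path string) string {
	return strings.Trim(secretEnginePath, "/") + "/data/" + strings.Trim(path, "/")
}

func main() {
	// Constructed inputs: the two CR paths implied by the issue text.
	for _, p := range []string{
		"kv2/on/nested/path/example-vaultsecret",
		"kv2/on/nested/path/data/example-vaultsecret",
	} {
		fmt.Printf("%s\n  current: %s\n  check:   %s\n", p, currentPath(p), containsCheckPath(p))
	}
	fmt.Println(enginePath("kv2/on/nested/path", "example-vaultsecret"))
}
```

With a separate mount field the operator never has to guess where the mount ends, so a secret whose own path contains `data` resolves to the intended location instead of a neighbouring one.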