Add support for secret data transformation #437
Conversation
Extends VSO to support configuring Go templates that will be rendered to the K8s Secret data. Template specs can be configured directly in a syncable secret custom resource, or can be shared via references to external ConfigMap resources. Templates can be composed of other templates, and optionally rendered as a K8s Secret data value. The rendered template name is used as the key to the rendered data. Templating support also includes a large subset of the hermetic Sprig text functions that can be used to handle various encoding/decoding tasks, map manipulations, etc. In addition to template support, it is now possible to filter top level secret data fields based on include/exclude regex patterns. Filters can be used in conjunction with templating, and are meant to augment the overall templating experience. Template fields are not considered during field filtering.
Contains all Secret data transformation configuration.
Other fixes
|
hey @benashz thank you so much for working on this Just a quick question, if i just wanted to make a secret in the vss config to be base64 decoded, is the below config correct? I am assuming app.env is one of the key's in the secret (vso-secret) if the above is the case, im assuming we can first fork your branch to start testing this version of templating directly right? |
|
Hey @nia-potato ,
If you wanted to include all vault secrets and only decode a specific value you could use this template: apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vso-secret
namespace: tenant1
spec:
destination:
create: true
name: vso-secret
transformation:
templateSpecs:
- name: some-data
text: '{{- get .Secrets "some-data" | b64dec -}}'
hmacSecretData: true
mount: kv-v2
path: secrets
refreshAfter: 5s
type: kv-v2
{
"_raw": "....",
"password": "secret",
"some-data": "secret",
"username": "alice"
}
Yes, you should be able to do some local testing, either from this repo or a fork. I can add some samples to this branch if you want to get up and running quickly. Otherwise you may be able to get going by running the following commands: make setup-kind docker-build load-docker-image deploy setup-vaultThen you can access Vault by setting the following env vars: Let me know if you encounter any issues. |
|
Thanks @benashz i will get back to you after i finish testing. On a side note, since im assuming the official 0.4.0 will take a while to be released, i've currently just did a and on my dev cluster(non-local) i've tried to pull this via the private repo or directly via your local it seems to install just fine but when i try to apply the vault static secrets config as you showed me from above, i am getting
Do you happen to know anyway around this other than just waiting for the official v1beta1 API to updated with your changes? |
👍
Does chart directory contain the chart from this PR's branch?
It looks like the CRDs do not match for some reason. Does running the following command from the repo root resolve the issue (make sure your repo is checked out this PR's branch, just in case):
I think running the Let me know if any of that helps. |
|
Got the crds installing part resolved, thanks @benashz However i am still unable to get the base64 decoding working, i feel i must be missing something obvious: Given secret name: i apply the config as discussed: after running |
|
Hey @nia-potato , would you mind confirming that you are VSO is running from the dev Docker image? That could explain why are you not seeing the transformation directive being honored? If you are testing with a Kind cluster can you run (from a checkout of this branch): Would you mind inspecting the VSO Deployment to ensure that your image is set to Can you run the following command to verify (you may need to adjust the namespace and name to match your setup): |
|
Hey @benashz I see that the deployment does not contain X.X.X-dev as you mentioned, do you suspect that with my current method of installing the chart directly from your branch still does not contain your changes? which is causing the transformation be recognized by the updated crds during a quick excerpt of the logs of the current running vso is as below, is the current testing method not available for a live cluster test in anyway but only for the local tests? |
Ah that explains it. Your GKE cluster would need access to the development docker image some how. We do test on GKE. Maybe this bit could help: https://github.com/hashicorp/vault-secrets-operator/blob/1ad9b0ffda6415859a0397a08312d0be0aaf99d2/gcp.mk#L32C17-L35 Then you would need to set the image repo and tag to the dev image during your helm installation. This article might help:
Thanks for the confirmation. |
- update the demo to include templated values - other fixes etc...
Add first class SecretTransformation CRD and controller Drop support for getting shared template/tranformation bits from a ConfigMap.
|
@nia-potato , Just an FYI: 9ab331c brings in some breaking API changes. I will update the main description with the details next week. |
|
hey @benashz Thanks for the update, and i just confirmed that your patch prior of 9ab331c is working fine for encrypted secrets! I can test again next week, and will start to experiment with your colleagues gcp auth with workload identity patch next week, so feel free to shoot over any experimental features you guys are working on, it seems like we are using most of your teams new features haha, have a good weekend! |
|
hey @benashz lemme know when you need me to test |
Hey @nia-potato, you should be able to test any time against the latest commit on this branch. You will need to convert your *Secret CRs though: If you were using the templateRef ConfigMap feature, please let me know, as that has been totally re-worked. Let me know how it goes. Thanks, Ben Example of the transformation API update (inline only): ---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vso-secret
namespace: tenant1
spec:
destination:
create: true
name: vso-secret
transformation:
templateSpecs:
app.env:
text: |-
{{- range $key, $value := .Secrets }}
{{- $envKey := printf "ENV_%s" $key | upper | replace "-" "_" -}}
{{- if eq $key "some-data" -}}
{{- printf "%s_DECODED=%s\n" $envKey ( $value | b64dec ) -}}
{{- end -}}
{{- printf "%s=%s\n" $envKey $value -}}
{{- end }}
fieldFilter:
excludes:
- .*
hmacSecretData: true
mount: kv-v2
path: secrets
refreshAfter: 60s
type: kv-v2 |
|
Thanks for the update however i am getting this error after updating the crds with do you see any potential errors in the vss config? vss config |
The CR definition above looks correct to me for the latest change on this branch, but for some reason the template name is |
|
hey @benashz it is now working, it was an error on my end. Now that this is working, do you anticipate any more breaking changes regarding the transformation api before the 0.4.0 release? if not i will be using the version internally while i wait for the official 0.4.0 release. Also within the commits, i also saw changes related to |
|
Thank you for this! With templates that convert the default |
👍 Thanks for taking this out for a test spin!
I do not anticipate any further breaking changes, but as we are still fleshing out the overall secret transformation API, there is a possibility that some changes will be made that require a manual intervention. I will announce any breaking changes in this PR.
I believe those references to cert-manager are boiler plate created by the operator-sdk. They are related to webhooks, which we are not currently using in VSO. |
Fixes: - properly set the SyncableSecretMetaData.Name from ObjectMeta - add tests for NewSyncableSecretMetaData()
|
@benashz Great work! I am testing it in our lab and it works well. But maybe one thing would be good to consider: Example: Output: Expected output: Would it be possible to make some switch like "clean: true/false" or something like it? Once you are templating you know what you want in secret so _raw and key & value are redundant. |
@AdamNuclear Awesome, thanks!
For excluding the For controlling the inclusion of non-templated keys you can set the An example of your VSS with excludes added: apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vso-secret
namespace: vault-secrets-operator
spec:
destination:
create: true
name: vso-secret
transformation:
excludes:
- .*
templates:
users:
text: |-
{{- range $value := .Secrets }}
{{- printf "%s\n" $value -}}
{{- end -}}
hmacSecretData: true
mount: kv
path: k8s/lab/adamtest
refreshAfter: 5s
type: kv-v2
vaultAuthRef: vaultauth-aws-irsa |
|
@benashz Ahh, that was just my misunderstanding regarding include/exclude. Now it does exactly what I was looking for. Thank you for your explanation. |
Co-authored-by: Theron Voran <[email protected]>
benashz
force-pushed
the
VAULT-21159/add-support-for-secret-data-templating
branch
from
ec771a2
to
3691e0d
Compare
benashz
deleted the
VAULT-21159/add-support-for-secret-data-templating
branch
benashz
restored the
VAULT-21159/add-support-for-secret-data-templating
branch
benashz
deleted the
VAULT-21159/add-support-for-secret-data-templating
branch
Extends VSO to support configuring Go templates that will be rendered to the K8s Secret data. Template specs can be configured directly in a syncable secret custom resource, or can be shared via references to the new SecretTransformation CRD. Templates can be composed of other templates, and optionally rendered as a K8s Secret data value. Templating support also includes a large subset of the hermetic Sprig text functions that can be used to handle various encoding/decoding tasks, map manipulations, etc. In addition to template support, it is now possible to filter top level secret data fields based on include/exclude regex patterns. Filters can be used in conjunction with templating, and are meant to augment the overall templating experience. Template fields are not considered during field filtering. Other Fixes: - properly set the SyncableSecretMetaData.Name from ObjectMeta - add tests for NewSyncableSecretMetaData() Co-authored-by: Theron Voran <[email protected]>
|
hi @benashz do you have any document related to transformation template |
Extends VSO to support configuring Go templates that will be rendered to the K8s Secret data. Template specs can be configured directly in any syncable secret custom resource, or can be shared via references to an external
SecretTransformationCR. Templates can be composed of other templates, and optionally rendered as a K8s Secret data value. The rendered templatenameorkeyis used as the key to the rendered data.As inputs, the template has access to the source secret data, any related secret metadata, and a secret CR's labels and annotations.
Templating support also includes a large subset of the "hermetic" Sprig text functions that can be used to handle various encoding/decoding tasks, map manipulations, etc.
In addition to template support, it is now possible to filter top level secret data fields based on include/exclude regex patterns. Filters can be used in conjunction with templating, and are meant to augment the overall templating experience. Template fields are not considered during field filtering.
Example:
Given this vault secret data:
{ "request_id": "xxxxxxxx-a84d-5f43-1d07-xxxxxxxx3d54", "lease_id": "", "lease_duration": 0, "renewable": false, "data": { "data": { "password": "secret", "some-data": "c2VjcmV0", "username": "alice" }, "metadata": { "created_time": "2023-11-01T19:35:20.247974293Z", "custom_metadata": null, "deletion_time": "", "destroyed": false, "version": 2 } }, "warnings": null }and this VSS CR:
Would result in this K8s Secret:
Resolves #356, resolves #345, resolves #276, resolves #135
Relates to #562 #576 #546