DaspawnW/vault-crd

Error with CERTJKS file

Closed this issue · 1 comments

Hey, I am new to vault. I met some problems while uploading my Jks file to vault and then load it to K8s secret. Here is what I did:

  1. Upload the JKS to Vault:

```shell
vault kv put secret/XXX value=@file.jks
```

  2. Create the Vault resource in k8s:

```yaml
apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-certjks
spec:
  path: "secret/XXX"
  type: "CERTJKS"
```

The secret is not created in Vault, and the vault pod is throwing this error:

```
2020-02-21 21:59:21.240  WARN 1 --- [/172.20.0.1/...] i.f.k.c.d.i.WatchConnectionManager       : Exec Failure

java.lang.NullPointerException: null
    at de.koudingspawn.vault.vault.impl.SharedVaultResponseMapper.getPublicKey(SharedVaultResponseMapper.java:164) ~[classes!/:0.0.1-SNAPSHOT]
    at de.koudingspawn.vault.vault.impl.SharedVaultResponseMapper.mapJks(SharedVaultResponseMapper.java:95) ~[classes!/:0.0.1-SNAPSHOT]
    at de.koudingspawn.vault.vault.impl.CertJksGenerator.generateSecret(CertJksGenerator.java:26) ~[classes!/:0.0.1-SNAPSHOT]
    at de.koudingspawn.vault.vault.VaultService.generateSecret(VaultService.java:18) ~[classes!/:0.0.1-SNAPSHOT]
    at de.koudingspawn.vault.kubernetes.EventHandler.addHandler(EventHandler.java:27) ~[classes!/:0.0.1-SNAPSHOT]
    at de.koudingspawn.vault.kubernetes.Watcher$1.eventReceived(Watcher.java:38) ~[classes!/:0.0.1-SNAPSHOT]
    at de.koudingspawn.vault.kubernetes.Watcher$1.eventReceived(Watcher.java:31) ~[classes!/:0.0.1-SNAPSHOT]
    at io.fabric8.kubernetes.client.utils.WatcherToggle.eventReceived(WatcherToggle.java:49) ~[kubernetes-client-4.1.0.jar!/:na]
    at io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager$2.onMessage(WatchConnectionManager.java:232) ~[kubernetes-client-4.1.0.jar!/:na]
    at okhttp3.internal.ws.RealWebSocket.onReadMessage(RealWebSocket.java:310) ~[okhttp-3.9.1.jar!/:na]
    at okhttp3.internal.ws.WebSocketReader.readMessageFrame(WebSocketReader.java:222) ~[okhttp-3.9.1.jar!/:na]
    at okhttp3.internal.ws.WebSocketReader.processNextFrame(WebSocketReader.java:101) ~[okhttp-3.9.1.jar!/:na]
    at okhttp3.internal.ws.RealWebSocket.loopReader(RealWebSocket.java:265) ~[okhttp-3.9.1.jar!/:na]
    at okhttp3.internal.ws.RealWebSocket$2.onResponse(RealWebSocket.java:204) ~[okhttp-3.9.1.jar!/:na]
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:153) [okhttp-3.9.1.jar!/:na]
    at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32) [okhttp-3.9.1.jar!/:na]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_212]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_212]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
```

I am not sure if I used the right command to upload the JKS file into Vault. I also tried:

```shell
vault write secret/*** value=@file.jks
```

I got the error:

```
Error writing data to secret/XX: Error making API request.

Code: 404. Errors:

WARNING! The following warnings were returned from Vault:

  * Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
  for this operation.
```

Could you please help me with this?

Hey @xytian315,
I think there is a misunderstanding here. You can't generate a CERTJKS out of a key-value pair.
Please have a look at the examples at vault.koudingspawn.de
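As an added illustration, not vault-crd's code and not from this thread: the shape check an operator-side mapper can run on the Vault KV v2 read response before attempting JKS generation, so a secret that only holds an opaque `value` blob (what `vault kv put secret/XXX value=@file.jks` stores) fails with a clear message instead of a NullPointerException. The field names `certificate` and `private_key`, and the sample responses, are assumptions constructed for the example.

```python
import json

# Fields a CERTJKS-style mapper needs before it can build a keystore.
# ASSUMPTION: illustrative names; the real vault-crd field names may differ.
REQUIRED_FIELDS = ("certificate", "private_key")


def kv2_secret_data(response: dict) -> dict:
    """Unwrap a KV v2 read response: the user's data lives under data.data."""
    outer = response.get("data")
    if not isinstance(outer, dict) or not isinstance(outer.get("data"), dict):
        raise ValueError("not a KV v2 read response (missing data.data)")
    return outer["data"]


def missing_cert_fields(response: dict) -> list:
    """Return the CERTJKS inputs absent (or empty) in the response, in order."""
    secret = kv2_secret_data(response)
    return [name for name in REQUIRED_FIELDS if not secret.get(name)]


def validate_certjks_source(response: dict) -> bool:
    """Fail fast with a precise message instead of dereferencing a null key later."""
    missing = missing_cert_fields(response)
    if missing:
        present = sorted(kv2_secret_data(response))
        raise ValueError("CERTJKS needs a certificate secret; found keys %s, "
                         "missing %s" % (present, missing))
    return True


# Constructed sample responses (not captured from a real Vault server).
# What `vault kv put secret/XXX value=@file.jks` produces: one opaque blob.
KV_BLOB_RESPONSE = json.loads(
    '{"data": {"data": {"value": "<raw jks bytes>"}, "metadata": {"version": 1}}}')
# The shape a certificate-bearing KV entry would have (values are placeholders).
KV_CERT_RESPONSE = json.loads(
    '{"data": {"data": {"certificate": "-----BEGIN CERTIFICATE-----...", '
    '"private_key": "-----BEGIN PRIVATE KEY-----..."}, "metadata": {"version": 1}}}')

if __name__ == "__main__":
    print(missing_cert_fields(KV_BLOB_RESPONSE))  # ['certificate', 'private_key']
    print(validate_certjks_source(KV_CERT_RESPONSE))  # True
```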