DaspawnW/vault-crd

Add support mount multiple secrets

Hi,
When Vault is split into different paths to apply policies for different departments, such as database credentials, app configuration and others, we need to merge them into one environment configuration in Kubernetes apps.
Rather than creating more than one Vault kind for each path, I think this can be done by mounting multiple Vault paths in one vault-crd kind, then combining them into one secret, then mounting it into the Kubernetes app's environment as a single secret.

Hi @ardimaul,

please have a look at this: https://vault.koudingspawn.de/supported-secret-types/secret-type-properties
Does it support your requirements?

Hi @DaspawnW
Yes, it works like that, multiple mounting. But it doesn't support returning a string without specifying the key, like the KV/KV2 mounting type.

Maybe it will look like this:

spec:
  type: "KEYVALUE"
  path:
    - "secret/one-secret"
    - "secret/two-secret"

If a key exists in both secrets, the last key in the secrets will apply to them.
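
The merge rule proposed in the comment above (paths read in order, the last path wins on a duplicate key), as an added example that is not part of the thread and not vault-crd code. The class, record and method names are hypothetical and the sample data is constructed; it also records which path replaced which for every duplicate key, so an override between paths governed by different policies is visible rather than silent.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; all names here are hypothetical, not vault-crd code.
public class MultiPathMerge {

    // One duplicate key: the path that supplied it first and the path that replaced it.
    record Collision(String key, String previousPath, String winningPath) {}

    record Result(Map<String, String> data, List<Collision> collisions) {}

    // secretsByPath must iterate in the order the paths are listed in the spec.
    static Result merge(Map<String, Map<String, String>> secretsByPath) {
        Map<String, String> data = new LinkedHashMap<>();
        Map<String, String> owner = new LinkedHashMap<>(); // key -> path currently supplying it
        List<Collision> collisions = new ArrayList<>();

        for (Map.Entry<String, Map<String, String>> path : secretsByPath.entrySet()) {
            for (Map.Entry<String, String> kv : path.getValue().entrySet()) {
                String previous = owner.put(kv.getKey(), path.getKey());
                if (previous != null) {
                    // Record key and path names only, never the secret values.
                    collisions.add(new Collision(kv.getKey(), previous, path.getKey()));
                }
                data.put(kv.getKey(), kv.getValue()); // last path wins
            }
        }
        return new Result(data, collisions);
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for two Vault KV reads.
        Map<String, Map<String, String>> secretsByPath = new LinkedHashMap<>();
        secretsByPath.put("secret/one-secret", Map.of("DB_USER", "app", "DB_PASS", "from-one"));
        secretsByPath.put("secret/two-secret", Map.of("DB_PASS", "from-two", "API_URL", "https://example.invalid"));

        Result r = merge(secretsByPath);
        System.out.println("keys in merged secret: " + r.data().keySet());
        for (Collision c : r.collisions()) {
            System.out.println("duplicate key " + c.key() + ": " + c.previousPath()
                    + " replaced by " + c.winningPath());
        }
    }
}
```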

Hi @ardimaul,

I would really welcome a merge request for it :-)

Hi DaspawnW, I can work on this issue because I need it for a project. Can you give some hints on how to proceed to make it faster? Where in the source code do you think this issue can be solved? I'm reading the code, but it would be faster if you sent me a hint on how to start.

Hi @matiri132,

I would recommend you create a new Secret Type:

The other option is you add an additional property next to the path property called paths (to prevent collision) https://github.com/DaspawnW/vault-crd/blob/master/crd.yml#L25 and update the corresponding VaultSpec in Java:
https://github.com/DaspawnW/vault-crd/blob/master/src/main/java/de/koudingspawn/vault/crd/VaultSpec.java#L10

Then you can "simply" change the KeyValueGenerator / KeyValueRefresh classes to take this up.

Hi @DaspawnW, I was working on the proposals that you gave me to start resolving the issue, but I'm blocked.
I'm trying to add a property called paths that works as an array in the crd.yaml, so the VaultSpec receives this array as "paths".
But then the KeyValueGenerator wants to return a single secret.
Here I'm blocked because I can't find where the KeyGenerator is used to create the Kubernetes secret from the VaultSecret.
If you can guide me through the code flow or give me some documentation on how the whole program works, I can figure out how to continue with this.
I'll give you these first changes in a new branch (but the code does not compile yet).