bug: can't retrieve from Vault KVv2 mounts with slashes in the name
Closed this issue · 6 comments
Describe the bug:
In gomplate v4, the automatic injection of the /data segment after the mount point for Vault KV v2 is causing data retrieval failures. This behavior does not honor the current workaround of manually including the /data segment after the mount point, which worked in gomplate v3.11.8. The resulting URL construction by gomplate v4 is incorrect and leads to permission denied errors.
Specifically, when the path is provided as ui/secrets/data/rest/of/the/path, gomplate v4 incorrectly transforms it to ui/data/secrets/data/rest/of/the/path.
Example error:
failed with: GET https://vault.example.com:8200/v1/ui/data/secrets/data/path/to/secret - 403, details: 1 error occurred: permission denied : file does not exist
Furthermore, the policies defined in Vault do not recognize this new path structure (ui/data/secrets/data/rest/of/the/path), leading to permission issues. This would require rewriting all the policies to accommodate the new path.
Expected behaviour:
gomplate should correctly handle the Vault KV v2 paths by either:
- Not injecting an additional /data segment if it's already included in the provided path.
- Allowing users to disable this automatic behavior through a configuration option.
Steps to reproduce the bug:
- Create a secret at ui/secrets/data/rest/of/the/path.
- Define a policy that grants read access to ui/secrets/data/rest/of/the/path.
- Use gomplate v4 to retrieve the secret with a URL that includes the /data segment:
  secrets: "{{ (datasource "vault" "ui/secrets/data/rest/of/the/path").data.value }}"
- Run gomplate with the correct Vault address:
  gomplate --datasource vault=vault://vault.example.com:8200 -f config.yaml
- Observe the 403 Permission Denied error due to incorrect URL construction.
Anything else we need to know?:
- The same setup works correctly with gomplate v3.11.8.
/kind bug
Hi @nedal87, thanks for reporting this and sorry you ran into it!
I never intended the workaround to be necessary in v4, because v4 properly supports the Vault KV v2 API. But I see I failed to update the documentation!
Can you clarify a few things for me?
- what is your mount-point in this case? is it ui? or ui/secrets? I didn't think mount-points could have slashes in them, but apparently this is possible - does it work if you remove data from your path?
Hi, thanks for your feedback
- The mount-point is exactly ui/secrets and it contains more than one slash in most cases
- Gomplate fails even without /data/ in the path
yeah ok, this is a bug in go-fsimpl where the mount point is assumed to not contain slashes:
@tewfik-ghariani/@nedal87 just to be sure, can you test with a mount point that doesn't have any slashes and confirm that it's working correctly for you?
I've filed hairyhenderson/go-fsimpl#730 to track the bug in go-fsimpl but will keep this one open since I'll need to update gomplate too once it's fixed, and add some additional integration tests to account for it.
(also I've updated the title to reflect the underlying bug and to help make it a bit more discoverable)
FYI I've got a potential fix up here: hairyhenderson/go-fsimpl#738
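To make the path-construction bug concrete, here is an added Go example (not gomplate's or go-fsimpl's actual code) contrasting a naive splitter that treats the first path segment as the mount point with one that inserts "/data" after an explicitly known mount point, which may itself contain slashes. The set of known mount points is a constructed map; in a real client it would come from Vault's mount listing.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveKVv2Path reproduces the failure mode from the thread: it assumes the
// mount point is only the first segment, so for the mount "ui/secrets" the
// "data" segment is inserted after "ui" and the resulting read path no
// longer matches the Vault policy. Hypothetical reconstruction, not go-fsimpl.
func naiveKVv2Path(secretPath string) string {
	p := strings.TrimPrefix(secretPath, "/")
	first, rest, _ := strings.Cut(p, "/")
	return path.Join(first, "data", rest)
}

// kvv2Path builds the KV v2 read path from a known mount point (slashes
// allowed) and the secret path relative to that mount.
func kvv2Path(mount, rel string) string {
	return path.Join(strings.Trim(mount, "/"), "data", strings.TrimPrefix(rel, "/"))
}

// kvv2PathFromFull resolves a full path such as "ui/secrets/rest/of/the/path"
// against a set of known mount points, choosing the longest matching mount so
// that multi-segment mounts like "ui/secrets" win over a shorter "ui".
func kvv2PathFromFull(full string, mounts map[string]bool) (string, error) {
	p := strings.TrimPrefix(full, "/")
	best := ""
	for m := range mounts {
		m = strings.Trim(m, "/")
		if (p == m || strings.HasPrefix(p, m+"/")) && len(m) > len(best) {
			best = m
		}
	}
	if best == "" {
		return "", fmt.Errorf("no known mount point matches %q", full)
	}
	return kvv2Path(best, strings.TrimPrefix(p, best)), nil
}

func main() {
	// Constructed mount list for the demonstration.
	mounts := map[string]bool{"ui": true, "ui/secrets": true, "secret": true}
	fmt.Println("naive:   ", naiveKVv2Path("ui/secrets/rest/of/the/path"))
	got, _ := kvv2PathFromFull("ui/secrets/rest/of/the/path", mounts)
	fmt.Println("resolved:", got)
}
```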