hashicorp/consul-template

Support export of latest public key from the Vault Transit Engine

chinnaxs opened this issue · 1 comment

Which problem is this feature request solving?

We use Vault Transit Secret Engine to generate asymmetric keys. We would like to inject the current/latest generated public key into a k8s Pod. The injection happens via Vault Agent Sidecar Injector and annotation based Consul-template injection.

Describe the solution you'd like

We would like to have a new template function transit <PATH>, where PATH is a path to a Transit Secret Engine key which points to the latest key, e.g. transit/export/public-key/fookey/latest

Then we could inject the secret like this:

apiVersion: ...
kind: ...
metadata:
  # Kubernetes annotations live under metadata.annotations, not spec
  annotations:
    vault.hashicorp.com/agent-inject-secret-signing_key: |
      {{ with transit "transit/export/public-key/signing_key/latest" }}
        {{ .Data.key }}
      {{ end }}

Can you submit a pull request?

No.

consul-template has a built-in secret template function which enables a generic read/write interface to any Vault backend. This includes the transit backend, so in your case something like this could work:

{{ with secret "transit/export/public-key/some-kind-of-key/latest" }}
{{ range .Data.keys }}{{ . }}{{ end }}{{ end }}
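The template from the comment above, rendered offline as an added example (not part of this issue or of consul-template): the secret function is stubbed with constructed, Vault-shaped responses (fakeSecret, Render, LatestKey and the fixture contents are assumptions), which shows what the /latest path gives you and why ranging over .Data.keys on an unversioned path would emit every key version.

```go
package main

import (
	"bytes"
	"encoding/json"
	"strconv"
	"text/template"
)

// Secret mirrors what consul-template's secret function exposes: Vault's "data" object as .Data.
type Secret struct {
	Data map[string]interface{} `json:"data"`
}

// Constructed stand-ins for Vault's replies (key material is a placeholder): /latest
// returns only the newest version; without it every version comes back, keyed by version string.
var fixtures = map[string]string{
	"transit/export/public-key/signing_key/latest": `{"data":{"name":"signing_key","keys":{"3":"PEM-v3"}}}`,
	"transit/export/public-key/signing_key":        `{"data":{"name":"signing_key","keys":{"9":"PEM-v9","10":"PEM-v10"}}}`,
}

// fakeSecret stands in for the real secret function, decoding canned JSON instead of reading Vault.
func fakeSecret(path string) (*Secret, error) {
	s := new(Secret)
	return s, json.Unmarshal([]byte(fixtures[path]), s)
}

// Render executes a consul-template style template with the stubbed secret function.
func Render(tmpl string) (string, error) {
	t, err := template.New("t").Funcs(template.FuncMap{"secret": fakeSecret}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, nil)
	return buf.String(), err
}

// LatestKey picks the numerically highest version from a "keys" map: Go templates range over
// maps in string order ("10" before "9"), so a non-/latest response would emit every version.
func LatestKey(keys map[string]interface{}) string {
	best, bestKey := -1, ""
	for v, k := range keys {
		s, ok := k.(string)
		if n, err := strconv.Atoi(v); err == nil && ok && n > best {
			best, bestKey = n, s
		}
	}
	return bestKey
}
```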