Error occurs when generating secrets from Vault file with nested credentials

[CCardosoDev]

Let's assume that we have the following in Vault

Vault file path: /my-department/my-app-name/app/
Vault file content:

{
  "client": {
    "client_id": "my_client_id",
    "client_secret": "my_client_secret"
  },
  "sentry_dsn": "my-dsn"
}

Env var exposed to the container VAULT_SECRETS: /my-department/my-app-name/app/

Once the container executes the following error is thrown:

2022/02/24 15:01:35 Using annotation [ vault-app-my-department-my-app-name ] to detect managed secrets
2022/02/24 15:01:36 read /my-department/my-app-name/app/ from vault
panic: interface conversion: interface {} is map[string]interface {}, not string

goroutine 1 [running]:
main.(*syncConfig).synchronize(0xc000232dc0, 0x0, 0x0)
	/vgo/main.go:151 +0x103e
main.main()
	/vgo/main.go:55 +0xf5

While if I have

Vault file content:

{
  "client_secret": "my_client_secret"
  "sentry_dsn": "my-dsn"
}

The container executes successfully creating the expected secret resource.

I have tested this with multiple versions of the container, including v0.2.5 which is the latest version at the moment of creation of this issue.

Which leaves me to the conclusion that this container does not support nested credentials.
Are you aware of this issue? Would you consider this an easy fix?

Thanks in advance for you attention.

[marcsauter]

@CCardosoDev

How do you expect to map the nested credentials to k8s secrets?

Vault:

{
  "client": {
    "client_id": "my_client_id",
    "client_secret": "my_client_secret"
  },
  "sentry_dsn": "my-dsn"
}

k8s plain (how to resolve name clashes?):

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client_id: <base64 encoded string>
  client_secret: <base64 encoded string>

k8s scoped:

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client.client_id: <base64 encoded string>
  client.client_secret: <base64 encoded string>

k8s embedded:

apiVersion: v1
kind: Secret
metadata:
  name: nested
type: Opaque
data:
  sentry_dsn: <base64 encoded string>
  client: <base64 encoded json>

[CCardosoDev]

@marcsauter thanks a lot for your quick response.

Very good question you made, I'd think that the most intuitive for me would be to have it exposed as "k8s embedded", so the last option. Like that it is in accordance with what is available in Vault and we don't alter in any way the file content.

[marcsauter]

https://github.com/postfinance/vault-kubernetes/tree/decode with an issue I hope to solve soon, but most cases work.

[picnic-sven]

Bumping this thread for visibility. This would be a very handy feature for us 😄