Secrets rendered to volumes with serialization data about vault-k8s HOT 4 OPEN

The need to append an additional "data" on the custom template may be related to the way the secrets are accessed for KV2 vs KV. At least that was my case (I deployed originally with KV and then switched to KV2 and was getting this output). This should be reflected on the docs

from vault-k8s.

Hi @hugespoon, can you share the templates you tried?

The learn guide also has more detailed examples of templating: https://learn.hashicorp.com/vault/getting-started-k8s/sidecar#apply-a-template-to-the-injected-secrets

from vault-k8s.

@tvoran , thanks for getting back to me. I see that I needed to use .Data.data.KEYNAME in my custom template to get the data to render properly.

It looks like the docs I linked (https://www.vaultproject.io/docs/platform/k8s/injector/) need to be updated or called out if this is a Vault version specific issue as they only seem to show .Data.KEYNAME variations (and the default template seems to use this as well).

Thanks for your help!

from vault-k8s.

I've thought the same while creating hashicorp/vault#8294, but then found #18.

It depends on what secrets engine do you use.
Example in the docs shows the consul engine, I've used kv2, you're probably not using the consul one too.

It's the red plate in the docs already, but it seems it's not so clear for lots of people:

Vault Agent uses the Consul Template project to render secrets. For more information on writing templates, see the Consul Template documentation.

Maybe it'd be better to rewrite it.

from vault-k8s.