Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Controller outputs key vault keys as binary data, not a usable string #707

Open
jpachcuda opened this issue Apr 26, 2024 · 0 comments
Open

[BUG] Controller outputs key vault keys as binary data, not a usable string #707

jpachcuda opened this issue Apr 26, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@jpachcuda
Copy link

Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting

Components and versions
Select which component(s) the bug relates to with [X].

[X] Controller, version: 1.5.0 (docker image tag)
[ ] Env-Injector (webhook), version: x.x.x (docker image tag)
[ ] Other

Describe the bug
Since v1.5.0, secrets of type key are not being pulled in the proper format.

To Reproduce
Install akv2k8s helm chart v2.5.1
Create a key in a key vault that can be accessed from the cluster akv2k8s is installed on.
Create an AzureKeyVaultSecret for the key

apiVersion: spv.no/v1
kind: AzureKeyVaultSecret
metadata:
  name: test-key
  namespace: akv2k8s-test
spec:
  vault:
    name: test-keys-kv
    object:
      name: test-key
      type: key
  output:
    secret:
      name: test-key
      dataKey: apiKey

Decoding the secret will show:

apiKey: "��#\x14;9�}����\x11�u�+^�x�lG[��X����Ӎ�3���!E݆��L�h����y\v\a\x1F�\x12�*\x11�\\5�:Ѯo�v\f�����\x1D����\x1E��+&\a.��e\x04�:Z� �cW�\x14J\x1D޺�\ed\x04\x11����e|t��9p�f\x15rѹ��y\x0F1�D�{�]W5h����˒^���(��g��CV\v�'E\x0E�1\x19�\0O\at��\x11cP]�\x03�>������x�\x115���gL�NF!�L�����.� ���k��c\x17�^\x17�yGO\x13�\bVq�ҫ�&�\x14��V�\f\x05����S\x0F����l\r"

Expected behavior
In previous versions of akv2k8s, the secret value would be formatted as a string:

apiKey: mc8jFDs5v33v67bkEYV1pyte93itbGBHW-K5WK2qk_jTjcczwv3jIUXdhoOYTNxomrDB1HkLBx-nEogqEZBcNcM60a5v5XYMxvGantsd8pud2h6G2ysmBy6GkWUEijpakCDcY1eSFEod3rqQG2QEEcfJ7KVlfHTfwzlwjmYVctG5_oB5DzHJRN97wl1XNWjQ2ujdy5Je19_vKJz0Z-2YQ1YLiydFDr0xGfcATwd0vKoRY1BdtgOqP
qyqu42A-3i9ETSTqINnTKNORiGITJivxvrBLuHFa8GLYxfdXhfAeUdPE2DaCFZxrdKroybDFMXBVoDNCZ359YRTD_Xg9-BsDQ

Additional context
I think I've identified how this problem was introduced, although I do not know the exact fix.

In older versions of akv2k8s, the getKey method returned a JSONWebKey struct that included url encoded base64 strings
https://pkg.go.dev/github.com/Azure/[email protected]+incompatible/services/keyvault/2016-10-01/keyvault#JSONWebKey

However, the azkeys package being used now returns a JSONWebKey struct that includes values that are of the type []byte. These are not being handled appropriately by the getKeys function as it seems they cannot be typecast to string.
https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys#JSONWebKey

azure-key-vault-to-kubernetes/pkg/azure/keyvault/client/service.go

Lines 104 to 112 in 647b715

response, err := client.GetKey(ctx, vaultSpec.Object.Name, vaultSpec.Object.Version, &azkeys.GetKeyOptions{})
if err != nil {
return "", err
}
data := &response.Key.N
return string(*data), nil
}

It seems like the []byte data may be able to be converted properly by using one of the UnmarshalJSON functions included in azkeys, although I do not know exactly how this should be implemented. https://github.com/Azure/azure-sdk-for-go/blob/e9e6b6281766a4e71ea0ee0b7268692009e2794b/sdk/security/keyvault/azkeys/models_serde.go#L332
@jpachcuda jpachcuda added the bug Something isn't working label Apr 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jpachcuda