
I have a running Vault server; I enabled the transit secrets engine and created a vault_transit_secret_backend_key through Terraform.

resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}


resource "vault_transit_secret_backend_key" "transit_key" {
  backend = vault_mount.transit.path
  name    = "test-pagination-key"
  type    = "chacha20-poly1305"
}

I am able to see the generated backend key in the Vault UI.

After creating this key, I need to go into key actions, select "datakey", select "plaintext key" and hit "create datakey" to fetch the backend key in plaintext format.

I need the data key inside helm chart for my application to make use of it.

How do I fetch that data key through the Vault agent? I can use annotations in the deployment object like:

      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-inject-secret-pagination-key: "transit/test-pagination-key"

But the data key is not stored directly inside Vault as a key-value pair; we have to generate the data key in plaintext, as shown above.

How can I fetch the data key in plaintext from the transit backend key?

References: there is an API call I can see in the Vault documentation (Document).

Sample request:
curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transit/datakey/plaintext/my-key

Sample response:
{
  "data": {
    "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
    "ciphertext": "vault:v1:abcdefgh"
  }
}

Or there is an alternate CLI call; sample below:

vault write -f transit/datakey/plaintext/orders

Key            Value
---            -----
ciphertext     vault:v6:muu3qQr8beEnEpCoi3225rCe60V2abzjWy7MC7+1XE5pl7JX4RM+7o65+sly0wwG1HEJaUstEhwVhBro
key_version    6
plaintext      JGrAH+uy+iuYfqIf0DtMBCYc/x7PYQ3NFKkF8+hsFqo=

I am able to fetch secrets from Vault with the below:

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-inject-status: 'update'
        vault.hashicorp.com/role: 'transit-app'
        vault.hashicorp.com/agent-inject-secret-database-config.txt: 'transit/keys/orders'
        vault.hashicorp.com/agent-inject-template-pagination-config.txt: |
          {{- with secret "transit/keys/test-pagination-key" -}}
                {{ .Data }}
          {{- end -}}

Since the above request uses the GET method, it is able to fetch the value, but now I need to make a write request:

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject-template-database-config.txt: |
          {{- with secret "transit/datakey/plaintext/orders" -}}
          postgresql://{{ .Data }}
          {{- end -}}

The above request is still treated as a read, but I need the Vault agent to make it a write request. How can that be done?

Kindly give me some pointers to proceed on this issue.

Bala krishna
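One way to make the agent template issue a write instead of a read, as an added example that is not part of the question above: the template's secret function performs a write when it is given key=value arguments after the path, so passing the datakey endpoint's bits parameter turns the call into the POST that transit/datakey/plaintext requires. The role name and key name are taken from the question; the output file name pagination-key and the application's use of the file are assumptions.

```yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "transit-app"
        # Rendered file lands at /vault/secrets/pagination-key (tmpfs shared with the app).
        vault.hashicorp.com/agent-inject-secret-pagination-key: "transit/datakey/plaintext/test-pagination-key"
        # Any argument after the path makes "secret" write (POST) rather than read (GET).
        # bits=256 is a documented parameter of the datakey endpoint.
        vault.hashicorp.com/agent-inject-template-pagination-key: |
          {{- with secret "transit/datakey/plaintext/test-pagination-key" "bits=256" -}}
          plaintext={{ .Data.plaintext }}
          ciphertext={{ .Data.ciphertext }}
          key_version={{ .Data.key_version }}
          {{- end -}}
```

The Vault role's policy must grant the update capability on transit/datakey/plaintext/test-pagination-key, and because each render generates a fresh data key, the application must persist the ciphertext alongside whatever it encrypts so the key can later be recovered through transit/decrypt; the plaintext should stay in memory only.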

0 Answers