Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can’t write env variable for single secret key, if not also written to file #99

Closed
jonnylangefeld opened this issue Mar 31, 2023 · 3 comments · Fixed by #101
Closed

Can’t write env variable for single secret key, if not also written to file #99

jonnylangefeld opened this issue Mar 31, 2023 · 3 comments · Fixed by #101

Comments

@jonnylangefeld
Copy link
Contributor

When following the docs to write a single secret it is written to use

VAULT_SECRET_THING=secret/whatever/thing
DAYTONA_SECRET_DESTINATION_THING=/tmp/top-secret
VAULT_VALUE_KEY_THING=api_key

If one would only like to get env variables and not write a secret to a file, one would expect to not set DAYTONA_SECRET_DESTINATION_THING, and set SECRET_ENV='true'.

However, that doesn't work because the condition that wraps the case to write a single secret expects a destination path:

daytona/pkg/secrets/secrets.go

Lines 288 to 290 in f9f7dce

if !sd.plural && sd.outputDestination != "" {
singleValueKey := defaultKeyName
if envKey := os.Getenv(secretValueKeyPrefix + sd.secretID); envKey != "" {

@massenz
Copy link

massenz commented Mar 31, 2023

Furthermore, it seems that it is not possible to store the secret in an "arbitrarily" named env var, the secret key is always used.
In the example above, we cannot store api_key in a TOKEN_API env var.

This is probably "expected behavior" (if one reads the README 3 or 4 times, while experimenting) but it's somewhat limiting:

└─( TOKEN_PATH=~/.vault-token \
VAULT_AUTH_ROLE=... \
VAULT_SECRET_PGUSER=secret/whatever/thing \
VAULT_VALUE_KEY_PGUSER=user \
DAYTONA_SECRET_DESTINATION_PGUSER=/dev/null \
daytona -k8s-auth -k8s-auth-mount="..." \
-address https://vault:8200 \
-secret-env -entrypoint -- env | grep -i user

....
{"level":"info","applicationName":"daytona","key":"VAULT_VALUE_KEY_PGUSER","value":"value","time":"2023-03-31T10:53:22-07:00","message":"Found an explicit vault value key, will read this value key instead of using the default"}

{"level":"info","applicationName":"daytona","var":"USER","time":"2023-03-31T10:53:22-07:00","message":"Set env var"}

VAULT_SECRET_PGUSER=secret/whatever/thing
VAULT_VALUE_KEY_PGUSER=user
DAYTONA_SECRET_DESTINATION_PGUSER=whatever

user=myuser-...-zam.iam

while one would wish to have instead a PGUSER env var to be set.

jonnylangefeld added a commit to jonnylangefeld/daytona that referenced this issue Apr 4, 2023
@jonnylangefeld
Allow env mapping for secrets
4bd0456 
This was previously not possible.
This is a non breaking way of fixing cruise-automation#99.
Other ways would introduce breaking changes to variable names.

Additional features:
* allow to rename secret keys in env variables (see https://github.com/cruise-automation/daytona/issues/99\#issuecomment-1492390145)
* allow to store selected secret keys as env variables and in a file
@jonnylangefeld jonnylangefeld mentioned this issue Apr 4, 2023
Open
jonnylangefeld added a commit to jonnylangefeld/daytona that referenced this issue Apr 4, 2023
@jonnylangefeld
Allow env mapping for secrets
30879e0 
This was previously not possible.
This is a non breaking way of fixing cruise-automation#99.
Other ways would introduce breaking changes to variable names.

Additional features:
* allow to rename secret keys in env variables (see https://github.com/cruise-automation/daytona/issues/99\#issuecomment-1492390145)
* allow to store selected secret keys as env variables and in a file
jonnylangefeld added a commit to jonnylangefeld/daytona that referenced this issue Apr 4, 2023
@jonnylangefeld
Allow env mapping for secrets
46dfae9 
This was previously not possible.
This is a non breaking way of fixing cruise-automation#99.
Other ways would introduce breaking changes to variable names.

Additional features:
* allow to rename secret keys in env variables (see https://github.com/cruise-automation/daytona/issues/99\#issuecomment-1492390145)
* allow to store selected secret keys as env variables and in a file
jonnylangefeld added a commit to jonnylangefeld/daytona that referenced this issue Apr 6, 2023
@jonnylangefeld
Write env variable for single key, if not also written to file
8d086b8 
This fixes a bug where `SECRET_ENV=true` only worked if `DAYTONA_SECRET_DESTINATION_THING` is also set, even though that is not expected.

Fix cruise-automation#99
@jonnylangefeld jonnylangefeld mentioned this issue Apr 6, 2023
Merged
jonnylangefeld added a commit to jonnylangefeld/daytona that referenced this issue Apr 6, 2023
@jonnylangefeld
Write env variable for single key, if not also written to file
f266eaf 
This fixes a bug where `SECRET_ENV=true` only worked if `DAYTONA_SECRET_DESTINATION_THING` is also set, even though that is not expected.

Fix cruise-automation#99
@jonnylangefeld
Copy link
Contributor Author

@massenz it looks like since your comment is a separate issue to the initially described bug in this issue @broamski is suggesting to tackle you comment in a separate issue. So I think it makes sense to file it as new one.

broamski pushed a commit that referenced this issue Apr 7, 2023
@jonnylangefeld
Write env variable for single key, if not also written to file (#101)
4af6c7a 
This fixes a bug where `SECRET_ENV=true` only worked if `DAYTONA_SECRET_DESTINATION_THING` is also set, even though that is not expected.

Fix #99
@massenz massenz mentioned this issue Apr 9, 2023
Open
@massenz
Copy link

massenz commented Apr 9, 2023

Thanks - turns out this had already been reported in #41 (I have added my comment there) but given that one has been sitting for 3 years, I'm assuming it's not going to happen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Write env variable for single key, if not also written to file jonnylangefeld/daytona
2 participants
@massenz @jonnylangefeld