Double encoded JKS files by vault-csi-provider

Hello Folks!

I have a situation where I need to store JKS keys in Vault, but, you know, the key format is not accepted to be stored as is in Vault kv … Currently I’m using vault-csi-provider with secretclassprovider. I base64 the key, then store it in Vault, but when it gets fetched by the csi-provider it gets encoded again, so the key is double encoded.

  1. Do you have any idea if I can ignore the base64 encoding and let the secretclassprovider fetch the values as is, without any encoding?
  2. Do you recommend any approach to manage the JKS keys?

Looking for your support,
Regards

https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#encoding looks relevant

Hi @maxb, thanks for your response

it’s not really that relevant, I wanted the CSI to not encode the already encoded values in Vault

cause as you know the JKS format is not accepted to be saved in Vault as plain, it has to be base64, and when I did that the CSI fetched the value and encoded it again, so when it gets decoded the key is invalid cause it still needs double decoding

Did you try it? The source code sure looked like it was decoding the specified encoding method, not applying an extra layer, to me.

yes I did, I stored plain values and they got encoded, and the same happened with the encoded values, they got double encoded

I don’t have a test environment, but I don’t see how what you describe is possible given:

I see … This is really weird! I will update you with a full example and how it’s been fetched by the csi-provider

Hi again @maxb

here is an example of what I did and how it’s been fetched

the secret as plain in Vault:

and here is the secret definition from SecretClassStore

and finally, this is the data in K8s secret


So in my case, and because of the JKS format, I put the kv in Vault as base64 encoded and found that when the secret was created the value was double encoded

This is expected. The data key within a Kubernetes secret always renders the contents as base64-encoded. This appears to be working correctly.

yep, it is expected to be rendered in the secret as encoded, but do you have any advice for the JKS keys with Vault? if it’s stored as base64 it will get encoded in the secret = twice encoding

I have already given all the relevant advice I have above.

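To make the two outcomes discussed in this thread concrete, here is an added example (not from the original thread or from the vault-csi-provider project) that models the pipeline: a JKS file is base64-encoded once for storage in kv; the CSI provider either decodes that layer before writing the mounted file (the `encoding` option on the documentation page linked above) or writes it through unchanged; and the Kubernetes Secret's `data` field always renders the file contents as base64. The helper counts how many base64 layers sit between the Secret data and the raw keystore, which is the check to run when a mounted key "still needs double decoding". The sample keystore bytes are a constructed stand-in (JKS magic header only), not a loadable keystore.

```python
import base64
import binascii
from typing import Optional

# Every JKS keystore begins with the magic number 0xFEEDFEED (big-endian).
JKS_MAGIC = b"\xfe\xed\xfe\xed"

# Constructed stand-in for a keystore file: magic + version 2 + zero entries.
# It is only used to exercise the layer counting, not to load into a JVM.
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"


def base64_layers(data: bytes, max_layers: int = 4) -> Optional[int]:
    """Return how many base64 layers wrap a JKS keystore in `data`.

    0 means `data` already starts with the JKS magic, 1 means one decode is
    needed (what a normal Secret `.data` value looks like), 2 means the
    double encoding described in the thread. None means no JKS was found
    within `max_layers` decodes or the input is not valid base64.
    """
    current = data
    for layer in range(max_layers + 1):
        if current.startswith(JKS_MAGIC):
            return layer
        # Tolerate line-wrapped base64 (e.g. from `base64 file.jks`) before a strict decode.
        compact = b"".join(current.split())
        try:
            current = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def simulate_secret_layers(jks: bytes, csi_decodes: bool) -> Optional[int]:
    """Model the thread's pipeline and report the layer count seen in the Secret.

    csi_decodes=True models the CSI provider decoding the stored value before
    writing the mounted file; False models it passing the stored text through.
    """
    stored_in_vault = base64.b64encode(jks)  # kv cannot hold the raw binary
    mounted_file = base64.b64decode(stored_in_vault) if csi_decodes else stored_in_vault
    secret_data = base64.b64encode(mounted_file)  # how Secret `.data` always renders
    return base64_layers(secret_data)


if __name__ == "__main__":
    print("CSI decodes first:", simulate_secret_layers(SAMPLE_JKS, True))   # 1
    print("CSI passes through:", simulate_secret_layers(SAMPLE_JKS, False))  # 2
```

A result of 1 is the normal Kubernetes rendering (one `base64 -d` yields the keystore); a result of 2 reproduces the symptom reported above and points at the stored value being base64 text that was never decoded on the way to the mount.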