Hi, I want to create an AppRole token using VaultDynamicSecret. It will need at least three VaultDynamicSecrets to do this: two CRs for role_id and secret_id, and one CR to log in for the AppRole token. But it doesn’t seem to work with the configuration below; it always gets empty content in the secret vso-sync-approle-token-generator. Could you help check whether anything is wrong?
And I think it’s redundant to use at least three CRs to get the AppRole token. Is there any other way I can get the AppRole token directly?
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-sync-approle-secret-id
  namespace: vso-test-approle
spec:
  mount: auth/vso-test-approle
  path: role/vso-test-role/secret-id
  destination:
    create: true
    name: vso-sync-approle-secret-id
    transformation:
      excludes:
        - .*
      templates:
        secretId:
          text: "{{- printf \"%s\" (get .Secrets \"secret_id\") -}}"
        ttl:
          text: |
            {{- printf "%s" (get .Secrets "secret_id_ttl") -}}
  vaultAuthRef: dynamic-auth-test-approle
  requestHTTPMethod: POST
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-sync-approle-role-id
  namespace: vso-test-approle
spec:
  mount: auth/vso-test-approle
  path: role/vso-test-role/role-id
  destination:
    create: true
    name: vso-sync-approle-role-id
    transformation:
      excludes:
        - .*
      templates:
        roleId:
          text: "{{- printf \"%s\" (get .Secrets \"role_id\") -}}"
  vaultAuthRef: dynamic-auth-test-approle
  requestHTTPMethod: GET
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-sync-approle-token-generator
  namespace: vso-test-approle
spec:
  mount: auth/vso-test-approle
  # Mount path of the secrets backend
  path: login
  # Where to store the secrets, VSO will create the secret
  destination:
    create: true
    name: vso-sync-approle-token-generator
    transformation:
      templates:
        all_secrets:
          text: |
            {{- range $key, $value := .Secrets }}
            {{ $key }}: {{ printf "%s" $value }}
            {{- end }}
  params:
    role_id: xxx # from vso-sync-approle-role-id
    secret_id: xxx # vso-sync-approle-secret-id
  vaultAuthRef: dynamic-auth-test-approle
```