Save kubeconfig yaml to vault via terraform

linuxbsdfreak · December 2, 2020, 12:54pm

Hi.

How do i use Terraform vault provider to write a k8s config under a KV2 engine using
vault_generic_secret under terraform

https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_secret

Is it also possible to read the value of the K8 kubeconfig from a file and substitute the value for the key?

I am trying the following

data "local_file" "input" {
    filename = var.shoot_kubeconfig_path
}

resource "vault_generic_secret" "vault_secret_kvv2_new" {
  provider = vault.child_namespace
  path = join("/", [ var.kvv2_secret_path, "config2" ])

  data_json = <<EOT
{
  "foo":  "${data.local_file.input.content}"
}
EOT

  depends_on = [ vault_mount.kvv2 ]
}

Error

Error: invalid character '\n' in string literal

  on main.tf line 61, in resource "vault_generic_secret" "vault_secret_kvv2_new":
  61: resource "vault_generic_secret" "vault_secret_kvv2_new" {

Kevin

jason_k_england · April 19, 2022, 3:06pm

did you ever figure this out?

maxb · April 20, 2022, 8:43am

I believe the problem with the earlier example is that it’s trying to incorporate a whole kubeconfig document into a JSON string without encoding, using just string interpolation.

I think something like:

  data_json = jsonencode({foo = data.local_file.input.content})

ought to work.

jason_k_england · April 20, 2022, 2:43pm

I have been attemtping jsondecode but I get a different error

│ Error: Error in function call
│
│ on main.tf line 11, in resource “vault_generic_secret” “main”:
│ 11: data_json = jsondecode(azurerm_kubernetes_cluster.main.kube_config_raw)
│ ├────────────────
│ │ azurerm_kubernetes_cluster.main.kube_config_raw has a sensitive value
│
│ Call to function “jsondecode” failed: invalid character ‘a’ looking for
│ beginning of value.

maxb · April 20, 2022, 5:17pm

There are two ways in which what you’re trying doesn’t match what I posted:

jsonencode, not jsondecode
You do need to wrap the string kubeconfig in a object/dictionary: {some_key_name_doesnt_matter_what_you_decide = literal_kubeconfig_string_value}

jason_k_england · April 21, 2022, 1:16am

Here is the fix that worked for me, not totally related to the OP but it might be helpful for those having similar issues.

For anyone looking for help on this down the line, here is the resolution

resource “vault_generic_secret” “main” {

path = “kv/mynamespace”

data_json = jsonencode(yamldecode("${azurerm_kubernetes_cluster.main.kube_config_raw}"))

}

maxb · April 21, 2022, 12:12pm

If you do it this way, you’re taking your YAML kubeconfig, and turning it into parsed JSON, and storing that in Vault.

This may be fine for your use-case, but technically it’s lossy, if you cared about preserving comments or other YAML features not supported in JSON.

Topic		Replies	Views
Need to output usable kubeconfig with terraform azrm provider Azure	3	921	April 21, 2022
Using terraform to create vault_kv_secret resources results in json_data stored in a single key Vault kv	3	1631	July 23, 2022
Vault_generic_secret and variables in json? Terraform	3	4820	September 23, 2021
Terraform String Encode HCL Configuration as String Terraform k8s , vault	6	1071	February 28, 2023
Registring a service requires explicit token in config file Terraform vault	2	249	September 22, 2023

Save kubeconfig yaml to vault via terraform

Related topics