Helm-secrets Vault driver with Helmfile and certificates (multi-line secrets)
We are using helm-secrets with the vault driver to get secrets from our hashicorp vault. On top of that we are using helmfile. The problem I have is to get the multi row secrets (such as certificates) to be handled correctly.
I have the secrets.yaml file as follows:
db:
  clientCert: !vault secret/certs#clientCert
But that gives me the error of Error converting YAML to JSON: yaml: line 2: could not find expected ':'
I assume this is because the resulting yaml when getting the cert is like this:
db:
  clientCert: -----BEGIN CERTIFICATE-----
blablabla
balbalblalb
balblablbbal
-----END CERTIFICATE-----
I understand that I need the pipe when putting in the cert so it would be like this:
db:
  clientCert: |
    -----BEGIN CERTIFICATE-----
    blablabla
    balbalblalb
    balblablbbal
    -----END CERTIFICATE-----
So to do this I would like to do something like this:
db:
  clientCert: |
    !vault secret/certs#clientCert
But that does not work and gives me Error converting YAML to JSON: yaml: unknown anchor 'helm-secret-secret_certs_clientCert' referenced
What am I doing wrong? How can I get the multiline certificate from vault into the secrets file correctly?
I hope this makes sense to someone.
Comments (1)
The trick is to base64 encode your multi-line string so it becomes one line. For example, suppose I want to create a secret from the following PEM file.
I can do so with kubectl by running the following command.
Notice how kubectl automatically encodes the secret and it becomes one line. If we want, we can reverse that.
To address your problem, make sure you encode the secret in your template; you can do this with the b64enc helm function. You can read a bit more on this here
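Why the single-line encoding helps, shown as an added example that is not part of the original answer. It assumes, as the question does, that the Vault value is substituted textually into the YAML; the PEM body and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: raw vs. base64-encoded PEM substituted into a values file.
set -eu

# Constructed placeholder, not a real certificate.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
blablabla
balbalblalb
balblablbbal
-----END CERTIFICATE-----'

# Assumption: the secret reference is replaced textually, so the stored
# value lands verbatim after "clientCert: ".
render_values() {
  printf 'db:\n  clientCert: %s\n' "$1"
}

# Count rendered lines that are neither indented nor a top-level "key:" line.
# Each such line is one the YAML parser cannot place in the mapping.
stray_lines() {
  awk '!/^[ ]/ && !/^[A-Za-z_][A-Za-z0-9_]*:/ { n++ } END { print n + 0 }'
}

# Encode to one base64 line; tr removes the line wrapping base64 may add.
encode_one_line() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse the encoding to recover the original multi-line PEM.
decode_one_line() {
  printf '%s' "$1" | base64 -d
}

main() {
  encoded=$(encode_one_line "$SAMPLE_PEM")
  echo "stray lines, raw PEM:    $(render_values "$SAMPLE_PEM" | stray_lines)"
  echo "stray lines, base64 PEM: $(render_values "$encoded" | stray_lines)"
  [ "$(decode_one_line "$encoded")" = "$SAMPLE_PEM" ] && echo "round trip OK"
}
main
```

Whatever consumes the value must decode it again, or use it where base64 is already expected, such as the data field of a Kubernetes Secret.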