Feature Request: Generate Secret if it does not exist

[victorgetz]

First of all thanks for your amazing work.

Description:

What i would propose is a feature which can automatically create the a secret if it does not exist.
With a identifier (for example generate@...) the webhook will now that it should take a look if the secret exists.
If it exists just take it. If not autogenerate a password/certificate.

What problem does it solve
Inside my helm chart i would like to be able to define everything for my service. At the moment we need somehow to create the secret upfront. In our case we create it upfront with terraform.

I need 2 steps to use my secret with two different technologies inside two different repositories.

Lets demonstrate it based on prometheus helm chart and admin credentials.

Example (Current):

Terraform

resource "random_password" "grafana_admin_pw" {
  length  = 32
  special = true
}

resource "vault_generic_secret" "grafana_admin_credentials" {
  path         = "kvEngine/prod/grafana"
  disable_read = false
  data_json = jsonencode({
    admin_password       = random_password.grafana_admin_pw.result
  })
}

Helm Chart

grafana:
  adminPassword: "vault:/kvEngine/prod/grafana#admin_password"

Example (Solution):

Helm Chart

grafana:
  adminPassword: "generate@vault:/kvEngine/prod/grafana#admin_password"

There is a topic about Write a value into Vault
but this one does not work with KV Engine and is really complicated.

[e-desouza]

There is a topic about Write a value into Vault
but this one does not work with KV Engine and is really complicated.

Through trial and error I found a way to write to kv (assuming role, auth and sa is set correctly):

envName : '>>vault:secret/data/test/app#TEST_ACCESS_KEY_ID#{"data":{"TEST_ACCESS_KEY_ID": "42"}}'

or

envName : '>>vault:secret/data/test/app##{"data":{"TEST_ACCESS_KEY_ID": "42"}}'

The issue is that the webhook will log an error in the pod with that env about the path not existing but it does indeed write to Vault as can be tested via cli with kv get to that path. I think fixing that incorrect error in the webhook is a good first step, though I would like an inbuilt generate if none exists feature too.

[ramizpolic]

Thank you for the submission @victorgetz! I can see how this could be a useful feature.

To enable customised secret generation, it would require two things:

• enable silencing not-found error in https://github.com/bank-vaults/vault-secrets-webhook when we are providing the default value ourselves. Thanks @e-desouza for raising this.
• extending the relevant components in injector from https://github.com/bank-vaults/internal when we are passing additional data (generate struct in the example)

This way, we would be able to preserve the same syntax and interface, whilst also allowing us to:

1. Provide default secret value myself

envName : '>>vault:secret/data/test/app#TEST_ACCESS_KEY_ID#{"data":{"TEST_ACCESS_KEY_ID": "42"}}'

In case this secret is not found in Vault, it would be created with TEST_ACCESS_KEY_ID=42.
This is supported, but needs to be verified and tested.

2. Provide the configuration to generate secret value

envName : '>>vault:secret/data/test/app#TEST_ACCESS_KEY_ID#{"generate":{"special": true, "length": 10}}'

In case this secret is not found in Vault, it would be created with TEST_ACCESS_KEY_ID=<SomeRandom10CharString>
Note that we have additional settings passed which can control how to generate the secret (e.g. generate a private key option). This needs to be implemented.

I am not sure when we will be able to add this feature to our backlog, but it is definitely on our radar. In the meantime, feel free to add more suggestions/concerns/contributions regarding this feature.

[e-desouza]

Hello @ramizpolic, is there any possibility of getting this feature in 1H'24?