Description
What steps did you take and what happened:
I created a secret provider class here:

```yaml
- apiVersion: secrets-store.csi.x-k8s.io/v1
  kind: SecretProviderClass
  name: phpipam-pz-helm-phpipam-tls-cert
  namespace: phpipam
  spec:
    parameters:
      objects: |
        - objectName: "cert"
          secretPath: "kv/prod/cert/ipam.pz.lan/cert"
          secretKey: "cert"
          content:
        - objectName: "key"
          secretPath: "kv/prod/cert/ipam.pz.lan/key"
          secretKey: "cert"
          content:
        - objectName: "pks12"
          secretPath: "kv/prod/cert/ipam.pz.lan/pks12"
          secretKey: "pks12"
          content: "base64"
      roleName: kube-core-role
      vaultAddress: https://vault.pz.lan:8200
      vaultAuthMountPath: kube-core
    provider: vault
    secretObjects:
    - data:
      - key: tls.crt
        objectName: pks12
      - key: tls.key
        objectName: pks12
      secretName: ipam.pz.lan-tls
      type: kubernetes.io/tls
```
I created a deployment:

```yaml
volumeMounts:
- mountPath: /mnt/secrets-store
  name: secrets-store-inline
  readOnly: true
volumes:
- csi:
    driver: secrets-store.csi.k8s.io
    readOnly: true
    volumeAttributes:
      secretProviderClass: phpipam-pz-helm-phpipam-tls-cert
  name: secrets-store-inline
```
I get a pod error:

```
Warning FailedToCreateSecret 0s (x12 over 10s) csi-secrets-store-controller failed to get data in spc phpipam/phpipam-pz-helm-phpipam-tls-cert for secret ipam.pz.lan-tls, err: failed to get cert data from file /var/lib/kubelet/pods/bf544c8a-7804-4976-ba6f-614177cab8fa/volumes/kubernetes.io~csi/secrets-store-inline/mount/..data/pks12, err: pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2
```
I checked the file in /var/lib/kubelet/pods/bf544c8a-7804-4976-ba6f-614177cab8fa/volumes/kubernetes.io~csi/secrets-store-inline/mount/..data/pks12 and it is populated with my PK12 in Base64 format.
What did you expect to happen:
I was expecting the driver to decode base64 before looking at the PK12 file.
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Which provider are you using:
HashiCorp Vault. I've searched their issue tracker and haven't found anything of use.
Environment:
- Secrets Store CSI Driver version (use the image tag): secrets-store-csi-driver-1.4.6
- Kubernetes version (use `kubectl version`):
  Client Version: v1.31.3
  Kustomize Version: v5.4.2
  Server Version: v1.31.3
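The `tags don't match (16 vs {class:1 tag:13 length:73 ...})` error quoted above is the Go ASN.1 parser reading the first two base64 characters of the file, `M` (0x4D) and `I` (0x49), as an application-class tag 13 of length 73 instead of the SEQUENCE (tag 16) that opens a PFX. The following Go program is an added diagnostic, not part of the driver, the Vault provider, or this issue; it uses only the standard library and a constructed five-byte SEQUENCE in place of a real PFX, and classifies a mounted file's bytes as raw DER or base64-wrapped DER while decoding the header the parser complained about.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"fmt"
)

// header is the leading ASN.1 identifier octet (class, tag) and short-form length octet of a buffer:
// the values the driver's "tags don't match" message reports.
type header struct{ Class, Tag, Length int }

func describeHeader(buf []byte) header {
	h := header{Length: -1} // Length stays -1 for long-form lengths or short input
	if len(buf) >= 1 {
		h.Class, h.Tag = int(buf[0]>>6), int(buf[0]&0x1f)
	}
	if len(buf) >= 2 && buf[1]&0x80 == 0 {
		h.Length = int(buf[1])
	}
	return h
}

// isDERSequence: buf is exactly one universal constructed SEQUENCE, the outer shell of a PFX.
func isDERSequence(buf []byte) bool {
	var rv asn1.RawValue
	rest, err := asn1.Unmarshal(buf, &rv)
	return err == nil && len(rest) == 0 && rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagSequence && rv.IsCompound
}

// classify returns "der" (what the pkcs12 parser expects), "base64-der" (what ..data/pks12 held) or "unknown", plus the DER bytes to hand the parser.
func classify(buf []byte) (string, []byte, error) {
	if isDERSequence(buf) {
		return "der", buf, nil
	}
	// Go's base64 decoder skips \r and \n, so a trailing newline in the file is harmless.
	if dec, err := base64.StdEncoding.DecodeString(string(buf)); err == nil && isDERSequence(dec) {
		return "base64-der", dec, nil
	}
	h := describeHeader(buf)
	return "unknown", nil, fmt.Errorf("not DER or base64 DER: leading octets read as class %d tag %d length %d", h.Class, h.Tag, h.Length)
}

func main() {
	der := []byte{0x30, 0x03, 0x02, 0x01, 0x03} // constructed stand-in: SEQUENCE { INTEGER 3 }, not a real PFX
	k, out, err := classify([]byte(base64.StdEncoding.EncodeToString(der) + "\n"))
	fmt.Printf("kind=%s derBytes=%d err=%v\n", k, len(out), err)
	h := describeHeader([]byte("MII")) // base64 of a DER SEQUENCE between 256 bytes and 16 KiB begins "MII"
	fmt.Printf("that prefix read as ASN.1: class=%d tag=%d length=%d\n", h.Class, h.Tag, h.Length)
}
```

Running `classify` over the mounted `..data/pks12` file before handing it to a PKCS#12 parser tells you whether the provider wrote raw DER or the base64 text from Vault, which is the distinction this report turns on.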