Helm-secrets vault driver with helmfile and certificates (multi row secrets)


We are using helm-secrets with the vault driver to get secrets from our HashiCorp Vault. On top of that we are using helmfile. The problem I have is getting multi-row secrets (such as certificates) handled correctly.

I have the secrets.yaml file as follows:

db:
  clientCert: !vault secret/certs#clientCert

But that gives me the error: Error converting YAML to JSON: yaml: line 2: could not find expected ':'

I assume this is because the resulting YAML, once the cert is fetched, looks like this:

db:
  clientCert: -----BEGIN CERTIFICATE-----
blablabla
balbalblalb
balblablbbal
-----END CERTIFICATE-----

I understand that I need the pipe when putting in the cert, so it would be like this:

db:
  clientCert: |
    -----BEGIN CERTIFICATE-----
    blablabla
    balbalblalb
    balblablbbal
    -----END CERTIFICATE-----

So to do this I would like to do something like this:

db:
  clientCert: |
    !vault secret/certs#clientCert

But that does not work and gives me: Error converting YAML to JSON: yaml: unknown anchor 'helm-secret-secret_certs_clientCert' referenced

What am I doing wrong? How can I get the multiline certificate from vault into the secrets file correctly?

I hope this makes sense to someone.

Answer (1 of 1):

The trick is to base64 encode your multi-line string so it becomes one line. For example, suppose I want to create a secret from the following PEM file:

cat test-key.pem
-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
-----END RSA PRIVATE KEY-----

I can do so with kubectl by running the following command.

kubectl create secret generic test-secret --from-file=test-key.pem --dry-run=client -o yaml
apiVersion: v1
data:
  test-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBCkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkIKQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQwotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: null
  name: test-secret

Notice how kubectl automatically encodes the secret and it becomes one line. If we want, we can reverse that.

 echo "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBCkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkIKQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQwotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=" |base64 -d
-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
-----END RSA PRIVATE KEY-----

To address your problem, make sure you encode the secret in your template; you can do this with the b64enc Helm function. You can read a bit more on this here.
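The single-line base64 approach the answer describes, carried through end to end as an added example (this is not code from the original answer, from helm-secrets or from Vault): encode a multi-line PEM to one base64 line, which is the form to store in Vault so helm-secrets hands back a plain one-line scalar, confirm it really contains no newline, decode it back and verify the round trip is byte-exact. The placeholder certificate, the temp file and the helper names (pem_to_oneline, oneline_to_pem, newline_count, roundtrip_ok, values_fragment) are constructed for this example; the Vault path secret/certs#clientCert is the one from the question.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post, helm-secrets or Vault.
# Shows the single-line base64 trick from the answer and checks it:
# encode a multi-line PEM to one line (the form to store in Vault), confirm it
# is one line, decode it back, and verify the round trip is byte-exact.
set -euo pipefail

# Constructed placeholder certificate (not a real cert), so the script runs offline.
make_sample_pem() {
  cat <<'EOF'
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
EOF
}

# Encode a file as ONE base64 line with no trailing newline.
# Caveat: GNU base64 wraps its output at 76 columns by default (macOS does
# not), so a plain `base64 file` can hand back a multi-line value and recreate
# the original problem. Stripping newlines works with both implementations.
pem_to_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Decode a one-line base64 value back to the original bytes.
# (Older macOS base64 spells the flag -D; GNU and current macOS accept -d.)
oneline_to_pem() {
  printf '%s' "$1" | base64 -d
}

# Number of newline characters in a string: must be 0 for a Vault-friendly value.
newline_count() {
  printf '%s' "$1" | tr -cd '\n' | wc -c | tr -d ' '
}

# Succeeds (exit 0) only if encode -> decode reproduces the file byte for byte,
# including the trailing newline after -----END CERTIFICATE-----.
roundtrip_ok() {
  local encoded
  encoded=$(pem_to_oneline "$1")
  oneline_to_pem "$encoded" | cmp -s - "$1"
}

# The values fragment helm-secrets would yield once the one-line value is
# stored in Vault at the path from the question (secret/certs#clientCert):
# a plain scalar on a single line, so no block scalar `|` is needed.
values_fragment() {
  printf 'db:\n  clientCert: %s\n' "$(pem_to_oneline "$1")"
}

# Stand-alone demo.
pem_file=$(mktemp)
trap 'rm -f "$pem_file"' EXIT
make_sample_pem > "$pem_file"
echo "newlines in encoded value: $(newline_count "$(pem_to_oneline "$pem_file")")"
values_fragment "$pem_file"
if roundtrip_ok "$pem_file"; then echo "round trip: OK"; else echo "round trip: MISMATCH"; fi
```

Two caveats when wiring this in. First, the value you store in Vault is the one-line output of pem_to_oneline; the Vault CLI reads a value from a file with the @file syntax (for example `vault kv put secret/certs clientCert=@cert.b64`, assuming a KV mount at secret/). Second, a value stored this way is already base64, so in a Kubernetes Secret template it belongs under `data:` as-is, or under `stringData:` after `b64dec`; running it through `b64enc` a second time would double-encode it and the mounted file would not be a valid PEM.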