Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent injecting binary secrets #680

Open
olivergondza opened this issue Nov 22, 2024 · 0 comments
Open

Prevent injecting binary secrets #680

olivergondza opened this issue Nov 22, 2024 · 0 comments

Comments

@olivergondza
Copy link

olivergondza commented Nov 22, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

When data injected from vault are binary, they mess with the syntax of the file they are injected to. The plugin fails with an error that does not quite point out the problem (ex.: "Error: ToYAML: could not export Secret into YAML: error converting JSON to YAML: yaml: control characters are not allowed").

Passing in --verbose-sensitive-output might be cumbersome and unsafe in production.

Describe the solution you'd like

Provided AVP replaces placeholders in plain text files, injecting binary content is an error in all cases. Error out in case the placeholder resolves into a binary content.

Describe alternatives you've considered

  • Keep as is and confuse/frustrate users.
  • Do not error, just print warning - easy to overlook, still breaks a little later.
  • Provide a CLI option if this behavior is better implemented as opt-in/opt-out.

Additional context

Used as ArgoCD plugin: kustomize build . | argocd-vault-plugin generate -.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@olivergondza