Use vault kv put instead of patch when modifying secrets
As per gitlab-com/gl-infra/production#9094 (comment 1364739346), using `vault kv patch` was having unintended consequences where the secret wasn't being updated with the expected structure, since patch was only adding the diff between the files, but wasn't removing the secrets from the old structure.

Using `vault kv put` instead is desirable so the new secret version is updated using the entire JSON value of the modified secret, and not just the diff.
Test with `vault kv patch`:

```
➜ runbooks git:(mchacon-vault-get-secret) ./bin/vault show-secret chef env/db-benchmarking/shared/test-secret
{
  "favorite-things": {
    "animal": "dog",
    "car": "tesla",
    "color": "blue",
    "food": "pizza",
    "place": "san francisco"
  },
  "password": "foopass",
  "user": "foo"
}
➜ runbooks git:(mchacon-vault-get-secret) ./bin/vault edit-secret chef env/db-benchmarking/shared/test-secret
Retrieving secret from Vault
Checking file is valid json
Creating new env/db-benchmarking/shared/test-secret version in Vault
================== Secret Path ==================
chef/data/env/db-benchmarking/shared/test-secret
======= Metadata =======
Key                Value
---                -----
created_time       2023-04-25T13:14:51.532720345Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            14
Updated secret:
{
  "database": {
    "password": "foopass",
    "user": "foo"
  },
  "favorite-things": {
    "animal": "dog",
    "car": "tesla",
    "color": "blue",
    "food": "pizza",
    "place": "san francisco"
  },
  "password": "foopass",
  "user": "foo"
}
```
Test while using `vault kv put`:

```
➜ runbooks git:(mchacon-vault-get-secret) ✗ ./bin/vault edit-secret chef env/db-benchmarking/shared/test-secret
Retrieving secret from Vault
Checking file is valid json
Creating new env/db-benchmarking/shared/test-secret version in Vault
================== Secret Path ==================
chef/data/env/db-benchmarking/shared/test-secret
======= Metadata =======
Key                Value
---                -----
created_time       2023-04-25T13:17:08.936880703Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            15
Updated secret:
{
  "database": {
    "password": "foopass",
    "user": "foo"
  },
  "favorite-things": {
    "animal": "dog",
    "car": "tesla",
    "color": "blue",
    "food": "pizza",
    "place": "san francisco"
  }
}
```
We can now see the user and password being removed.
Edited by Marcel Chacon
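The difference the merge request describes comes down to write semantics: Vault's KV v2 patch endpoint applies a JSON Merge Patch (RFC 7396) to the existing version, so keys that are simply absent from the edited file survive, while `put` replaces the whole version with the file's contents. The following model, added here and not part of the merge request or the runbooks `bin/vault` wrapper, reproduces both behaviours on a constructed copy of the test-secret above and adds the read-back check a practitioner would want after any edit: compare what Vault now holds against the file that was saved and flag any keys that were meant to be removed but are still present. The `BEFORE`/`EDITED` samples, the `kv_patch`/`kv_put` helpers and `write_and_verify` are all constructed for the example.

```python
"""Model of Vault KV v2 write semantics: `kv patch` versus `kv put`.

Added example, not code from the runbooks project. Vault itself is not
called; the two writers below reproduce what each CLI mode sends.
"""
import copy
import json

# Constructed sample: the secret as it exists in Vault before the edit
# (mirrors the test-secret in the merge request; not real credentials).
BEFORE = {
    "favorite-things": {"animal": "dog", "car": "tesla", "color": "blue",
                        "food": "pizza", "place": "san francisco"},
    "password": "foopass",
    "user": "foo",
}

# Constructed sample: the file the operator saved in the editor. The flat
# user/password keys were moved under "database" and removed at top level.
EDITED = {
    "database": {"password": "foopass", "user": "foo"},
    "favorite-things": {"animal": "dog", "car": "tesla", "color": "blue",
                        "food": "pizza", "place": "san francisco"},
}


def merge_patch(target, patch):
    """RFC 7396 JSON Merge Patch, the semantics Vault's KV v2 patch endpoint
    applies to the current version: keys absent from the patch are kept,
    nested objects are merged recursively, and only an explicit null removes
    a key. Returns a new document; the inputs are not modified."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    if not isinstance(target, dict):
        target = {}
    result = copy.deepcopy(target)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def kv_patch(current, edited_file):
    """Model of `vault kv patch`: the edited file is applied as a merge patch."""
    return merge_patch(current, edited_file)


def kv_put(current, edited_file):
    """Model of `vault kv put`: the new version is exactly the edited file."""
    return copy.deepcopy(edited_file)


def stale_keys(expected, actual):
    """Top-level keys still stored in Vault although the edited file dropped them."""
    return sorted(set(actual) - set(expected))


def write_and_verify(current, edited_file, mode):
    """Write with the chosen mode, then read back and diff against the file.

    Returns (new_version, stale_keys). A non-empty second element means the
    stored secret does not match what the operator saved."""
    writer = {"patch": kv_patch, "put": kv_put}[mode]
    new_version = writer(current, edited_file)
    return new_version, stale_keys(edited_file, new_version)


if __name__ == "__main__":
    for mode in ("patch", "put"):
        version, stale = write_and_verify(BEFORE, EDITED, mode)
        print(f"== vault kv {mode} ==")
        print(json.dumps(version, indent=2, sort_keys=True))
        print("keys left behind:", stale or "none")
```

Running it reproduces the two transcripts: the `patch` path reports `password` and `user` left behind, the `put` path reports none. The read-back comparison is worth keeping in any edit wrapper regardless of write mode, because a stale top-level credential is exactly the kind of leftover nobody notices until it is rotated elsewhere.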