What I would like to achieve is to retrieve a PEM certificate stored in Vault and configure it inside an application.yml file correctly so the SpringBoot app can read it.
This is a working sample (with the certificate truncated):
spring:
  application:
    name: question
  ssl:
    bundle:
      pem:
        mycoolclient:
          keystore:
            certificate: |
              -----BEGIN CERTIFICATE-----
              MIIIejCCBmKgAwIBAgITHwABidhlrwxTyZMzlQAFAAGJ2DANBgkqhkiG9w0BAQsF
              ADBEMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGbnZpZGlh
              [...]
              COsXwzNuSV9fViHbG4ou806yN5ePdnV3Z9fVD+/IXEQLNTsaG+WWS6ThJNUqvtu0
              HrmoOOInM7rZWlsmhWIKHjcZ1RHnlayo7tLRw/HuM+2ZlRAf4uLBR52YdGBYDukh
              Sd4wRnobbk5zJSLbTVs=
              -----END CERTIFICATE-----
The YML, configured like this, has a correct syntax.
The Spring Boot app understands this, and as proof, the app starts correctly and is able to use this property alongside the value.
I am now adding the exact same certificate inside Vault, by doing the following:
cat file.cert | vault kv put -mount=path/to/kv cert cert=-
When I retrieve from Vault, I do see the same content:
vault kv get -field=cert -mount=path/to/kv cert
This will print me:
-----BEGIN CERTIFICATE-----
MIIIejCCBmKgAwIBAgITHwABidhlrwxTyZMzlQAFAAGJ2DANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGbnZpZGlh
[...]
COsXwzNuSV9fViHbG4ou806yN5ePdnV3Z9fVD+/IXEQLNTsaG+WWS6ThJNUqvtu0
HrmoOOInM7rZWlsmhWIKHjcZ1RHnlayo7tLRw/HuM+2ZlRAf4uLBR52YdGBYDukh
Sd4wRnobbk5zJSLbTVs=
-----END CERTIFICATE-----
Now, to configure the injection from Vault to the file, I am using Vault Agent Template, following this
{{- with secret "path/to/kv/cert" }}
spring:
  application:
    name: question
  ssl:
    bundle:
      pem:
        mycoolclient:
          keystore:
            certificate: |
              {{.Data.data.cert}}
{{- end }}
However, I am getting this error:
11:53:38.788 [main] ERROR org.springframework.boot.SpringApplication -- Application run failed
org.yaml.snakeyaml.scanner.ScannerException: while scanning a simple key
 in 'reader', line 14, column 1:
    MIIIejCCBmKgAwIBAgITHwABidhlrwxT ...
    ^
could not find expected ':'
 in 'reader', line 15, column 1:
    ADBEMRMwEQYKCZImiZPyLGQBGRYDY29t ...
    ^
	at org.yaml.snakeyaml.scanner.ScannerImpl.stalePossibleSimpleKeys(ScannerImpl.java:502)
	at org.yaml.snakeyaml.scanner.ScannerImpl.needMoreTokens(ScannerImpl.java:307)
	at org.yaml.snakeyaml.scanner.ScannerImpl.checkToken(ScannerImpl.java:237)
	at org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingKey.produce(ParserImpl.java:637)
	at org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:161)
	at org.yaml.snakeyaml.comments.CommentEventsCollector$1.peek(CommentEventsCollector.java:57)
It seems the template can retrieve the value stored inside Vault.
It is also managing to place the first line, -----BEGIN CERTIFICATE-----, correctly inside the yml.
However, the rest of the certificate does not seem to be properly indented, leading to this issue.
Question:
How do I properly configure the template to retrieve the certificate correctly so it can be passed correctly to the YML file?
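As an added example, not code from the question or from Vault Agent itself: a Go program that runs the question's template through the standard text/template engine (the engine underneath consul-template and Vault Agent templates), reproducing the under-indented PEM from the stack trace, and then renders it again with the consul-template `indent` pipeline placed at column 0 so every line of the secret lands inside the block scalar. The `indent` function is a local re-implementation assumed to pad each line with N spaces, and the certificate is a constructed placeholder rather than a real one.

```go
package main

import (
	"strings"
	"text/template"
)

// Constructed stand-in for the PEM value in Vault (not a real certificate).
const sampleCert = "-----BEGIN CERTIFICATE-----\nMIIBconstructed/not/a/real/cert\n-----END CERTIFICATE-----\n"

// Key path from the question; block-scalar lines must sit at column 14.
const yamlHead = "spring:\n  ssl:\n    bundle:\n      pem:\n        mycoolclient:\n          keystore:\n            certificate: |\n"

// Broken: the template's own indentation is applied only to the first PEM line.
const brokenTmpl = yamlHead + "              {{ .cert }}\n"

// Fixed: the action starts at column 0 and indent pads every PEM line.
const fixedTmpl = yamlHead + "{{ .cert | indent 14 }}\n"

// indent re-implements consul-template's indent function for this demo
// (assumption: it prefixes every line of the text with n spaces).
func indent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(strings.TrimRight(s, "\n"), "\n", "\n"+pad)
}

// render executes a template against the secret, as Vault Agent would.
func render(tmpl, cert string) (string, error) {
	t := template.Must(template.New("agent").Funcs(template.FuncMap{"indent": indent}).Parse(tmpl))
	var b strings.Builder
	err := t.Execute(&b, map[string]string{"cert": cert})
	return b.String(), err
}

// blockScalar checks the lines after "certificate: |": ok is false when any line
// sits left of column width (the SnakeYAML failure); cert is the de-indented value.
func blockScalar(yaml string, width int) (ok bool, cert string) {
	marker := "certificate: |\n"
	i := strings.Index(yaml, marker)
	if i < 0 {
		return false, ""
	}
	rest, pad := strings.TrimRight(yaml[i+len(marker):], "\n"), strings.Repeat(" ", width)
	var body []string
	for _, l := range strings.Split(rest, "\n") {
		if !strings.HasPrefix(l, pad) {
			return false, ""
		}
		body = append(body, strings.TrimPrefix(l, pad))
	}
	return true, strings.Join(body, "\n") + "\n"
}
```

With the real Vault Agent template the same shape applies: keep `{{ .Data.data.cert | indent 14 }}` at column 0 and the pipeline supplies the whole indentation, whereas writing the action already indented would pad the first line twice.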