Default docker container configuration for secrets to work

[garca7]

(edited to correct port numbers and response)

Hello, KeyVault newbie here. I'm struggling getting the lowkeyvault container to accept secrets. The following post

PUT https://localhost:8443/secrets/XXXXXXXXXXX?api-version=7.4
Content-Type: application/json
Accept: application/json

{
"value":"YYYYYYY",
"attributes":{}
}

fails with a

HTTP/1.1 401
WWW-Authenticate: Bearer resource="https://localhost:8443", authorization_uri="https://localhost:8443/secrets/9e6bf9471a94be5460c98164b080fe694df72caba57aee05b3b589605d955584"
Content-Length: 0
Date: Mon, 23 Sep 2024 12:19:59 GMT

Response code: 401; Time: 136ms (136 ms); Content length: 0 bytes (0 B)

What not seems reasonable, is that the endpoint https://localhost:8443/api/swagger-ui/swagger-ui/index.html is not showing any /secrets entry, which likely is the source of the problem.

I'm starting the container with these arguments (BTW, in spite of the LOWKEY_DEBUG_REQUEST_LOG setting, I don't have any detailed traces in the container logs):

services:
  lowkey-vault:
    container_name: my-lowkey-vault
    image: nagyesta/lowkey-vault:2.4.141@sha256:c55abcebf0ef410cc5fb4fa742b686cca7b818ef49597ccd1319ece0b438d4b1
    ports:
      - "8443:8443"
      - "8442:8080"
    volumes:
      - ./keyvault/config/:/config:ro
    environment:
      LOWKEY_ARGS: >
        --server.ssl.key-store-type=JKS 
        --server.ssl.key-store=/config/cert.pkcs12 
        --server.ssl.key-store-password=ZZZZZZZ
        --LOWKEY_DEBUG_REQUEST_LOG=true 
        --LOWKEY_IMPORT_LOCATION=/import/keyvault.json.hbs 
        --LOWKEY_IMPORT_TEMPLATE_HOST=localhost 
        --LOWKEY_IMPORT_TEMPLATE_PORT=8443

Any ideas?

[garca7]

Answering myself... the endpoint expects an authentication in the header that is missing.
However, the LOWKEY_DEBUG_REQUEST_LOG is still not producing any details in the docker console.
And maybe is there, but I cannot find in the documentation how to add the container SSL certificate to the client JVM trusted certtificate list.

[nagyesta]

Hi @garca7 ,
thank you for using Lowkey Vault and apologies for the slow response. I didn't see your thread while I was at work.

You are right about the missing header, adding it should do the trick.

Regarding the certificates, I would suggest to please check out these wiki pages:
https://github.com/nagyesta/lowkey-vault/wiki/Example:-How-can-you-use-Lowkey-Vault-in-your-tests
https://github.com/nagyesta/lowkey-vault/wiki/Example:-Using-a-custom-certificate-with-Lowkey-Vault

Also, please make sure to check these example repositories showing how to use Lowkey Vault with the official Azure clients including the certificate configs: https://github.com/nagyesta/lowkey-vault/wiki/Example:-How-can-you-use-Lowkey-Vault-in-your-tests#examples

Also, checked the --LOWKEY_DEBUG_REQUEST_LOG=true parameter and it appears to be working for me. You can expect similar log messages as the examples below:

lowkey-vault-go  | 15:33:12.122 DEBUG [io-8443-exec-10] o.s.w.f.CommonsRequestLoggingFilter      : Before request [POST /keys/rsa-key/cb501010590f483098547a941721426a/encrypt?api-version=7.5, client=172.21.0.1]
lowkey-vault-go  | 15:33:12.124  INFO [io-8443-exec-10] c.g.n.l.c.c.CommonKeyCryptoController    : Received request to https://localhost:8443 encrypt using key: rsa-key with version: cb501010590f483098547a941721426a using API version: 7.5
lowkey-vault-go  | 15:33:12.130 DEBUG [io-8443-exec-10] o.s.w.f.CommonsRequestLoggingFilter      : After request [POST /keys/rsa-key/cb501010590f483098547a941721426a/encrypt?api-version=7.5, client=172.21.0.1, payload={"alg":"RSA-OAEP-256","value":"YSBzZWNyZXQgbWVzc2FnZQ"}]
lowkey-vault-go  | 15:33:12.131  INFO [nio-8443-exec-1] c.g.n.l.filter.CommonAuthHeaderFilter    : Sending token to client without processing payload: /keys/rsa-key/
lowkey-vault-go  | 15:33:12.132 DEBUG [nio-8443-exec-2] o.s.w.f.CommonsRequestLoggingFilter      : Before request [GET /keys/rsa-key/?api-version=7.5, client=172.21.0.1]

Please let me know in case further assistance is needed!

Best of luck!