Hashicorp vault secrets not fetched in kubernetes

Time:07-26

I have created some secrets in vault, and I'm passing the variables as below. But the secrets are not fetched.

annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-vault-addr: 'https://vaultadd.com'
  vault.hashicorp.com/auth-type: 'approle'
  vault.hashicorp.com/auth-path: 'auth/approle'
  vault.hashicorp.com/auth-config-role-id-file-path: '/vault/custom/role-id'
  vault.hashicorp.com/auth-config-secret-id-file-path: '/vault/custom/secret-id'
  vault.hashicorp.com/agent-extra-secret: 'mysecret'
  vault.hashicorp.com/role: 'myrole'
  vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading: 'false'
  vault.hashicorp.com/log-level: 'debug'
  vault.hashicorp.com/agent-inject-secret-MY-SECRET: 'secret/mysecret/secrets'
  vault.hashicorp.com/agent-inject-template-MY-SECRET: |
    {{ with secret "secret/mysecret/secrets" -}}
      export username={{ .Data.username}}
      export password={{ .Data.password }}
    {{- end }}

And in args I have specified the following:

args:
  ["sh", "-c", "source /vault/secrets/config && MY_ENTRYPOINT"]

CodePudding user response:

Kindly use the environment variable annotation instead of the file template annotation.

Please change the annotations as below:

vault.hashicorp.com/agent-inject-secret-config: 'secret/mysecret/secrets'
vault.hashicorp.com/agent-inject-template-config: |
  {{ with secret "secret/mysecret/secrets" -}}
    export username={{ .Data.username}}
    export password={{ .Data.password }}
  {{- end }}

CodePudding user response:

The Kubernetes API typically runs on the master nodes, and the Vault Agent injector on a worker node in a Kubernetes cluster.

The example demonstrates how templates can be used to create environment variables. A template should be created that exports a Vault secret as an environment variable and the application container should source those files during startup.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
  labels:
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'web'
        vault.hashicorp.com/agent-inject-secret-config: 'secret/data/web'
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "secret/data/web" -}}
            export api_key="{{ .Data.data.payments_api_key }}"
          {{- end }}
    spec:
      serviceAccountName: web
      containers:
        - name: web
          image: alpine:latest
          args:
            ['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']
          ports:
            - containerPort: 9090

Before applying Vault Agent injection annotations to pods, the following requirements should be satisfied:

1. The Kubernetes API can connect to the Vault Agent injector service on port 443, and the injector can connect to the Kubernetes API.

2. Vault can connect to the Kubernetes API.

3. Pods in the Kubernetes cluster can connect to Vault.
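Both answers rely on the same wiring: the suffix of `agent-inject-secret-<name>` decides the file name the agent renders under `/vault/secrets/`, and the container's startup command must source exactly that file. The script below is an added pre-flight check for that wiring; it is example code written for this page, not code from the thread or from HashiCorp. It reads the pod annotations and args as plain Python dicts and lists (constructed here from the question's manifest and the first answer's fix, no cluster or Vault needed), recomputes the rendered paths using the documented `secret-volume-path`, `secret-volume-path-<name>` and `agent-inject-file-<name>` overrides, checks that every template has a matching secret, and compares the rendered paths with the paths the command sources. The KV v1/v2 consistency warning is a heuristic assumption on my part (a path containing `/data/` is treated as a KV v2 read, whose payload sits under `.Data.data`); it cannot know which KV version a mount actually runs.

```python
"""Pre-flight check for Vault Agent Injector annotations (added example).

Recomputes where the injector will write each rendered secret
(/vault/secrets/<name> by default) and verifies that the container's
startup command sources exactly those files. Inputs are plain dicts
constructed from the manifests in the thread, not read from a cluster.
"""
import shlex

PREFIX = "vault.hashicorp.com/"
SECRET_KEY = PREFIX + "agent-inject-secret-"
TEMPLATE_KEY = PREFIX + "agent-inject-template-"
FILE_KEY = PREFIX + "agent-inject-file-"
VOLUME_KEY = PREFIX + "secret-volume-path"  # default /vault/secrets


def rendered_files(annotations):
    """Map each secret name to (rendered file path, Vault path)."""
    default_dir = annotations.get(VOLUME_KEY, "/vault/secrets")
    files = {}
    for key, vault_path in annotations.items():
        if not key.startswith(SECRET_KEY):
            continue
        name = key[len(SECRET_KEY):]
        directory = annotations.get(VOLUME_KEY + "-" + name, default_dir)
        filename = annotations.get(FILE_KEY + name, name)
        files[name] = (directory.rstrip("/") + "/" + filename, vault_path)
    return files


def sourced_paths(args):
    """Paths the container's shell command sources ('source X' or '. X')."""
    paths = set()
    for arg in args:
        tokens = shlex.split(arg)
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("source", "."):
                paths.add(tokens[i + 1])
    return paths


def check_injection(annotations, args):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    files = rendered_files(annotations)

    # A template suffix must match a secret suffix, otherwise nothing renders.
    for key, template in annotations.items():
        if not key.startswith(TEMPLATE_KEY):
            continue
        name = key[len(TEMPLATE_KEY):]
        if name not in files:
            problems.append(f"template '{name}' has no matching "
                            f"agent-inject-secret-{name}")
            continue
        vault_path = files[name][1]
        # Heuristic (assumption): '/data/' in the path means a KV v2 read,
        # whose fields live under .Data.data; KV v1 fields live under .Data.
        # Mixing the two renders empty values with no agent error.
        kv2_path = "/data/" in vault_path
        kv2_field = ".Data.data" in template
        if kv2_path != kv2_field:
            problems.append(
                f"template '{name}' uses {'.Data.data' if kv2_field else '.Data'} "
                f"but path '{vault_path}' looks like KV {'v2' if kv2_path else 'v1'}")

    # The startup command must source a file the agent actually writes.
    rendered = {path for path, _ in files.values()}
    for path in sourced_paths(args):
        if path not in rendered:
            problems.append(f"command sources '{path}' but the injector "
                            f"renders only {sorted(rendered)}")
    return problems


# Constructed from the question: the secret renders to /vault/secrets/MY-SECRET,
# while the command sources /vault/secrets/config.
QUESTION_ANNOTATIONS = {
    PREFIX + "agent-inject": "true",
    PREFIX + "auth-type": "approle",
    PREFIX + "agent-inject-secret-MY-SECRET": "secret/mysecret/secrets",
    PREFIX + "agent-inject-template-MY-SECRET": (
        '{{ with secret "secret/mysecret/secrets" -}}\n'
        "export username={{ .Data.username}}\n"
        "export password={{ .Data.password }}\n"
        "{{- end }}"),
}
QUESTION_ARGS = ["sh", "-c", "source /vault/secrets/config && MY_ENTRYPOINT"]

# Constructed from the first answer: the same secret, renamed to 'config'.
FIXED_ANNOTATIONS = {k.replace("MY-SECRET", "config"): v
                     for k, v in QUESTION_ANNOTATIONS.items()}

if __name__ == "__main__":
    for label, ann in (("question", QUESTION_ANNOTATIONS),
                       ("fixed", FIXED_ANNOTATIONS)):
        print(label, check_injection(ann, QUESTION_ARGS) or "OK")
```

Run it against a real manifest by loading the pod template's `metadata.annotations` and `containers[].args` into the two arguments; the question's manifest fails with one problem (the sourced path is not rendered) and the renamed one passes.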
