I have created some secrets in Vault, and I'm passing the variables as below, but the secrets are not fetched.
annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-vault-addr: 'https://vaultadd.com'
  vault.hashicorp.com/auth-type: 'approle'
  vault.hashicorp.com/auth-path: 'auth/approle'
  vault.hashicorp.com/auth-config-role-id-file-path: '/vault/custom/role-id'
  vault.hashicorp.com/auth-config-secret-id-file-path: '/vault/custom/secret-id'
  vault.hashicorp.com/agent-extra-secret: 'mysecret'
  vault.hashicorp.com/role: 'myrole'
  vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading: 'false'
  vault.hashicorp.com/log-level: 'debug'
  vault.hashicorp.com/agent-inject-secret-MY-SECRET: 'secret/mysecret/secrets'
  vault.hashicorp.com/agent-inject-template-MY-SECRET: |
    {{ with secret "secret/mysecret/secrets" -}}
    export username={{ .Data.username }}
    export password={{ .Data.password }}
    {{- end }}
And in args I have mentioned the below:
args:
  ["sh", "-c", "source /vault/secrets/config && MY_ENTRYPOINT"]
CodePudding user response:
Kindly use the environment variable annotation instead of the file template annotation.
Please change the annotations as below:
vault.hashicorp.com/agent-inject-secret-config: 'secret/mysecret/secrets'
vault.hashicorp.com/agent-inject-template-config: |
  {{ with secret "secret/mysecret/secrets" -}}
  export username={{ .Data.username }}
  export password={{ .Data.password }}
  {{- end }}
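The rename above matters because the injector writes each `vault.hashicorp.com/agent-inject-secret-<name>` to `/vault/secrets/<name>`: with the question's annotations the file lands at `/vault/secrets/MY-SECRET`, while the container sources `/vault/secrets/config`. As an added example (not code from the question or either answer), a small Python check that flags exactly that mismatch and also confirms each template reads the Vault path named in its secret annotation; it assumes the injector's default mount path plus the `secret-volume-path` and `agent-inject-file-<name>` annotations, and the sample annotations are constructed from the question.

```python
import re
from typing import Dict, List

PREFIX = "vault.hashicorp.com/"
DEFAULT_SECRET_DIR = "/vault/secrets"  # injector's default secret mount path

def injected_files(annotations: Dict[str, str]) -> Dict[str, str]:
    """Map each agent-inject-secret-<name> to the file the injector renders:
    <secret-volume-path>/<name>, unless agent-inject-file-<name> renames it."""
    base = annotations.get(PREFIX + "secret-volume-path", DEFAULT_SECRET_DIR).rstrip("/")
    files: Dict[str, str] = {}
    for key in annotations:
        if key.startswith(PREFIX + "agent-inject-secret-"):
            name = key[len(PREFIX + "agent-inject-secret-"):]
            files[name] = base + "/" + annotations.get(PREFIX + "agent-inject-file-" + name, name)
    return files

def sourced_paths(args: List[str]) -> List[str]:
    """Paths the container's shell command sources (`source X` or `. X`)."""
    found: List[str] = []
    for arg in args:
        found += re.findall(r"(?:^|[;&|]\s*|\s)(?:source|\.)\s+(\S+)", arg)
    return found

def check(annotations: Dict[str, str], args: List[str]) -> List[str]:
    """Return mismatches between the injector annotations and the container args."""
    problems: List[str] = []
    files = injected_files(annotations)
    for name in files:
        vault_path = annotations[PREFIX + "agent-inject-secret-" + name]
        template = annotations.get(PREFIX + "agent-inject-template-" + name, "")
        if template and f'secret "{vault_path}"' not in template:
            problems.append(f"template for {name!r} does not read {vault_path!r}")
    for sourced in sourced_paths(args):
        if sourced not in files.values():  # the question's failure mode
            problems.append(f"args source {sourced!r} but injector renders {sorted(files.values())}")
    return problems

# Constructed inputs mirroring the question: secret named MY-SECRET, args source 'config'
QUESTION_ARGS = ["sh", "-c", "source /vault/secrets/config && MY_ENTRYPOINT"]
QUESTION_ANNOTATIONS = {
    PREFIX + "agent-inject": "true",
    PREFIX + "agent-inject-secret-MY-SECRET": "secret/mysecret/secrets",
    PREFIX + "agent-inject-template-MY-SECRET":
        '{{ with secret "secret/mysecret/secrets" -}}\nexport username={{ .Data.username }}\n{{- end }}',
}
# The same annotations with the name corrected to 'config', matching the sourced path
FIXED_ANNOTATIONS = {k.replace("MY-SECRET", "config"): v for k, v in QUESTION_ANNOTATIONS.items()}
```

Running `check(QUESTION_ANNOTATIONS, QUESTION_ARGS)` reports the missing `/vault/secrets/config`, while `check(FIXED_ANNOTATIONS, QUESTION_ARGS)` returns no problems.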
CodePudding user response:
The Kubernetes API typically runs on the master nodes, and the Vault Agent injector on a worker node in a Kubernetes cluster.
The example demonstrates how templates can be used to create environment variables. A template should be created that exports a Vault secret as an environment variable and the application container should source those files during startup.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
  labels:
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'web'
        vault.hashicorp.com/agent-inject-secret-config: 'secret/data/web'
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "secret/data/web" -}}
            export api_key="{{ .Data.data.payments_api_key }}"
          {{- end }}
    spec:
      serviceAccountName: web
      containers:
        - name: web
          image: alpine:latest
          args:
            ['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']
          ports:
            - containerPort: 9090
Before applying Vault Agent injection annotations to pods, the following requirements should be satisfied:
1. The Kubernetes API can connect to the Vault Agent injector service on port 443, and the injector can connect to the Kubernetes API.
2. Vault can connect to the Kubernetes API.
3. Pods in the Kubernetes cluster can connect to Vault.