sourcing vault secrets file with lifecycle.postStart and readinessProbe

Time:07-20

I am trying to source a file from /vault/secrets/cloudquery which contains data that looks like this:

export MYSECRET="REDACTED"

I have tried a ton of different things to source the vault secrets file when my pod starts up, but when I shell into the pod, I don't see the env variables set. Can anyone point out what I'm doing wrong? Thank you!!

apiVersion: apps/v1
kind: Deployment
  ...
spec:
  ...
  template:
    metadata:
    ...
      annotations:
        vault.hashicorp.com/role: default
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-inject-secret-cloudquery: "path/to/mysecret"
        vault.hashicorp.com/agent-inject-template-cloudquery: |
          {{ with secret "path/to/mysecret" -}}
            export MYSECRET="{{ .Data.MYSECRET }}"
          {{- end }}
    spec:
      containers:
        - name: cloudquery
          ...
          readinessProbe:
            exec:
              command: [ "/bin/sh", "-c", "test -e /vault/secrets/cloudquery" ]
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 5
          lifecycle:
            postStart:
              exec:
                command:
                  - "/bin/sh"
                  - "-c"
                  - "source /vault/secrets/cloudquery"
...

CodePudding user response:

You can convert the data inside your Vault secret to JSON and use it like below:

  annotations:
    ...
    vault.hashicorp.com/agent-inject-secret-cloudquery: "path/to/mysecret"
    vault.hashicorp.com/agent-inject-template-cloudquery: |
      {{ with secret "path/to/mysecret" }}{{ range $k, $v := .Data.data }}
      export {{ $k }}='{{ $v | replaceAll "'" "'\\''" }}'{{ end }}
      {{ end }}

CodePudding user response:

I realized I am braindead today and that env vars that get export run on them only exist within the shell they are exported in, so when I shell into the pod I'm not seeing the vars because I'm in a new shell. Going to approach this a different way. Thanks!

CodePudding user response:

You can do something like this if you want to inject the environment at pod startup:

annotations:
  vault.hashicorp.com/agent-image: <Agent image>
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-inject-secret-secrets: kv/<Path-of-secret>
  vault.hashicorp.com/agent-inject-template-secrets: |
    {{- with secret "kv/<Path-of-secret>" -}}
    #!/bin/sh
    set -e
    {{- range $key, $value := .Data.data }}
    export {{ $key }}='{{ $value | replaceAll "'" "'\\''" }}'
    {{- end }}
    {{- end }}
  vault.hashicorp.com/auth-path: auth/<K8s cluster for auth>
  vault.hashicorp.com/role: app

This will create the file inside your pod.

In your Dockerfile, if you are simply running the application with CMD ["node", "index.js"], change the CMD to CMD ["npm", "start"] instead.

The container will then start the main shell script first, and that script sets all the env vars in the process environment. Once all the env vars are set, the shell script starts the application.

package.json

"start": "./path-to-shscript-in-docker/runapp",

runapp

#!/bin/bash
# Source the file rendered by the Vault agent in this shell, then exec the app
# so it inherits the exported variables (exec also replaces the shell, so
# signals reach node directly).
if [ -f '/vault/secrets/secrets' ]; then
  source '/vault/secrets/secrets'
fi
exec node <path-inside-docker>/index.js

The issue with the lifecycle hook is that there is no guarantee, so it is better to source the file before the app starts.
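As an added example (not from the original question or any of the answers), the following POSIX shell script reproduces both behaviours discussed in this thread: the postStart-style "sh -c source" that exports into a child shell which then exits, and the entrypoint-style wrapper that sources the file in its own shell and execs the application. The secrets file path, its contents and the stand-in "application" are constructed for the demo; in a pod the file would be /vault/secrets/cloudquery and the exec line would start the real process.

```shell
#!/bin/sh
# Added example, not code from the original post. Two ways of consuming a
# Vault-agent-rendered "export KEY='value'" file, side by side:
#   1. postStart-style: a child /bin/sh sources the file and exits, so the
#      container's main process (and any later `kubectl exec` shell) sees nothing;
#   2. entrypoint-style: the wrapper sources the file itself and execs the app,
#      so the app inherits the variables.
set -eu

# Write a sample secrets file shaped like the agent template output. The values
# are constructed for the demo and deliberately contain shell metacharacters;
# the single quotes keep them literal when the file is sourced.
write_sample_secrets() {
  cat > "$1" <<'EOF'
export MYSECRET='s3cr3t with $dollar and `backticks`'
export DB_USER='cloudquery'
EOF
}

# postStart pattern: a child shell sources the file and exits. Prints what the
# caller can see afterwards, which is "<unset>" because exports do not flow
# from a child process back to its parent.
poststart_style() {
  unset MYSECRET                     # fresh environment, like a new container
  /bin/sh -c '. "$1"' sh "$1"        # the hook's child shell; exits immediately
  printf '%s' "${MYSECRET:-<unset>}"
}

# Entrypoint pattern: source in the current shell, then exec the real command so
# it inherits the environment. A missing or unreadable file is fatal: starting
# the app without its credentials should fail loudly, not run half-configured.
# The subshell only keeps this demo's own environment clean; a real entrypoint
# runs the same lines at top level and its exec replaces the shell with the app.
entrypoint_style() {
  if [ ! -r "$1" ]; then
    echo "secrets file '$1' is missing or unreadable" >&2
    return 1
  fi
  (
    set -a        # also export plain KEY=value lines if a template omits `export`
    . "$1"
    set +a
    # Stand-in for `exec node index.js`: a child process reporting what it inherited.
    exec /bin/sh -c 'printf "%s|%s" "$MYSECRET" "$DB_USER"'
  )
}

# Demo run against a temporary file (a pod would use /vault/secrets/cloudquery).
SECRETS_FILE="$(mktemp)"
write_sample_secrets "$SECRETS_FILE"
echo "after postStart-style sourcing, caller sees MYSECRET=$(poststart_style "$SECRETS_FILE")"
echo "entrypoint-style app sees: $(entrypoint_style "$SECRETS_FILE")"
rm -f "$SECRETS_FILE"
```

The readinessProbe from the question only tells the kubelet that the file exists; it does not put anything into the main process's environment either. The wrapper is the only one of the three mechanisms that runs in the same process lineage as the application, which is why sourcing has to happen there.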
