I'm contemplating using HashiCorp Vault in my Kubernetes cluster to store some dynamic secrets. I found out that I can set the sidecar injector to periodically retrieve the secret and the app can watch for file changes etc... all fine.
But after solid research, I could not find out how to update the key/value pair from a scheduled job in Kubernetes. Basically I need to run a container that does some magic, retrieves a new token, and then updates the Vault pair. With kv commands, or somehow... Bonus points if I do not have to use any API keys, just a service account, the same as for reading the values.
Assume Vault is running on Kubernetes, where the pods will be.
CodePudding user response:
You can use the HTTP API to interact with Vault.
Given the assumption that your service account has permission to update the secret, you could run a container with a small script.
#!/bin/sh
set -eu
# VAULT_ADDR and VAULT_ROLE are expected in the environment (see the Job below)
# exchange the mounted service account token for a Vault token; the
# Kubernetes auth method is assumed to be mounted at auth/kubernetes
sa_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
token="$(curl -sSf --request POST \
  --data "{\"role\": \"$VAULT_ROLE\", \"jwt\": \"$sa_jwt\"}" \
  "$VAULT_ADDR/v1/auth/kubernetes/login" \
  | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p')"
# merge-patch the kv v2 secret using curl; keys not in the payload are kept
curl -sSf \
  --header "X-Vault-Token: $token" \
  --header "Content-Type: application/merge-patch+json" \
  --request PATCH \
  --data @/path/to/payload.json \
  "$VAULT_ADDR/v1/secret/data/my-secret"
You need to tell your CronJob that it should use the service account with the permissions, of course.
This could look roughly like this. It's probably better practice to build a custom image; I am mounting the script just for demo purposes.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: patch-secret
spec:
  ttlSecondsAfterFinished: 100
  template:
    spec:
      serviceAccountName: my-service-account
      restartPolicy: Never
      containers:
        - name: patcher
          image: index.docker.io/bluebrown/netutils
          command: [sh, "-e", "/opt/my-org/update-secret.sh"]
          env:
            # assumed values: point VAULT_ADDR at your Vault service and
            # VAULT_ROLE at the Kubernetes auth role bound to this service account
            - name: VAULT_ADDR
              value: http://vault.vault.svc:8200
            - name: VAULT_ROLE
              value: secret-patcher
          volumeMounts:
            - name: scripts
              mountPath: /opt/my-org
      volumes:
        - name: scripts
          configMap:
            name: patch-secret-scripts
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: patch-secret-scripts
data:
  update-secret.sh: |
    set -eu
    # exchange the service account token for a Vault token; the Kubernetes
    # auth method is assumed to be mounted at auth/kubernetes
    sa_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
    token="$(curl -sSf --request POST \
      --data "{\"role\": \"$VAULT_ROLE\", \"jwt\": \"$sa_jwt\"}" \
      "$VAULT_ADDR/v1/auth/kubernetes/login" \
      | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p')"
    # merge-patch the kv v2 secret; keys not in the payload are left untouched
    curl -sSf \
      --header "X-Vault-Token: $token" \
      --header "Content-Type: application/merge-patch+json" \
      --request PATCH \
      --data @/path/to/payload.json \
      "$VAULT_ADDR/v1/secret/data/my-secret"
You need to know where the payload is coming from; I left that part out of the example.
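The two HTTP calls the answer relies on, written out as a worked example that is not part of the original answer: first the Kubernetes auth login (POST /v1/auth/kubernetes/login with the pod's service-account JWT and a role name), which returns a Vault client token, and only then the KV v2 merge patch (PATCH /v1/secret/data/<path> with Content-Type application/merge-patch+json), which needs Vault 1.9 or newer and the patch capability in the token's policy. The mount path auth/kubernetes, the role name secret-patcher, the VAULT_ROLE environment variable and the FakeVault class are assumptions made here for illustration; FakeVault is a constructed stand-in for the two endpoints so the exchange runs offline, and it rejects the mistake of sending the raw service-account JWT as X-Vault-Token, which a real Vault also refuses with 403.

```python
import json
import os
import urllib.error
import urllib.request

SA_TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def urllib_transport(method, url, headers, body):
    """Real transport: send one request with urllib, return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
    return resp.status, json.loads(raw or b"{}")


def vault_login(transport, vault_addr, role, sa_jwt, mount="kubernetes"):
    """POST /v1/auth/<mount>/login: trade the pod's service-account JWT for a Vault token."""
    body = json.dumps({"role": role, "jwt": sa_jwt}).encode()
    status, resp = transport("POST", f"{vault_addr}/v1/auth/{mount}/login",
                             {"Content-Type": "application/json"}, body)
    if status != 200:
        raise RuntimeError(f"login failed: {status} {resp.get('errors')}")
    return resp["auth"]["client_token"]


def kv2_patch(transport, vault_addr, vault_token, path, data, mount="secret"):
    """PATCH /v1/<mount>/data/<path> with a JSON merge patch (KV v2 only).

    Only the keys in `data` change; a value of None deletes that key. The token's
    policy needs the `patch` capability. Returns the new secret version."""
    body = json.dumps({"data": data}).encode()
    status, resp = transport("PATCH", f"{vault_addr}/v1/{mount}/data/{path}",
                             {"X-Vault-Token": vault_token,
                              "Content-Type": "application/merge-patch+json"}, body)
    if status != 200:
        raise RuntimeError(f"patch failed: {status} {resp.get('errors')}")
    return resp["data"]["version"]


def rotate(transport, vault_addr, role, sa_jwt, path, new_data):
    """The whole job: log in with the SA token, then patch with the issued Vault token."""
    vault_token = vault_login(transport, vault_addr, role, sa_jwt)
    return kv2_patch(transport, vault_addr, vault_token, path, new_data)


class FakeVault:
    """Constructed stand-in for the two endpoints so the exchange runs offline.
    It enforces what the real server enforces: login needs the bound role and JWT,
    and the PATCH needs a Vault client token, not the raw service-account JWT."""

    def __init__(self, role, sa_jwt):
        self.role, self.sa_jwt = role, sa_jwt
        self.client_token = "hvs.constructed-client-token"  # constructed value
        self.secrets = {"my-secret": {"version": 1, "data": {"user": "app", "token": "old"}}}

    def __call__(self, method, url, headers, body):
        payload = json.loads(body) if body else {}
        if method == "POST" and url.endswith("/v1/auth/kubernetes/login"):
            if payload.get("role") != self.role or payload.get("jwt") != self.sa_jwt:
                return 403, {"errors": ["permission denied"]}
            return 200, {"auth": {"client_token": self.client_token}}
        if method == "PATCH" and "/v1/secret/data/" in url:
            if headers.get("X-Vault-Token") != self.client_token:
                return 403, {"errors": ["permission denied"]}
            if headers.get("Content-Type") != "application/merge-patch+json":
                return 400, {"errors": ["expected application/merge-patch+json"]}
            entry = self.secrets.setdefault(url.rsplit("/", 1)[1], {"version": 0, "data": {}})
            for key, value in payload.get("data", {}).items():
                if value is None:
                    entry["data"].pop(key, None)  # merge-patch: null removes the key
                else:
                    entry["data"][key] = value
            entry["version"] += 1
            return 200, {"data": {"version": entry["version"]}}
        return 404, {"errors": []}


def demo():
    """Run the correct flow, then the mistake of using the SA JWT as the Vault token."""
    sa_jwt = "eyJ.constructed.service-account-jwt"  # constructed, not a real JWT
    fake = FakeVault(role="secret-patcher", sa_jwt=sa_jwt)
    version = rotate(fake, "http://vault:8200", "secret-patcher", sa_jwt,
                     "my-secret", {"token": "rotated-value"})
    try:
        kv2_patch(fake, "http://vault:8200", sa_jwt, "my-secret", {"token": "x"})
        direct_jwt_accepted = True
    except RuntimeError:
        direct_jwt_accepted = False
    return version, dict(fake.secrets["my-secret"]["data"]), direct_jwt_accepted


if __name__ == "__main__":
    if os.path.exists(SA_TOKEN_FILE):  # inside a pod: talk to the real Vault
        with open(SA_TOKEN_FILE) as fh:
            print(rotate(urllib_transport, os.environ["VAULT_ADDR"], os.environ["VAULT_ROLE"],
                         fh.read().strip(), "my-secret", {"token": "rotated-value"}))
    else:
        print(demo())
```

Run inside the pod it performs the real exchange against $VAULT_ADDR; run anywhere else it exercises FakeVault and returns the new version (2), the merged secret data, and False for the direct-JWT attempt. The merge patch matters for the question's use case: a job that rotates only the token key leaves the other keys of the secret in place, whereas a POST to the same path would replace the whole data map.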