Home > OS >  Is it possible to update key/pair vault value from pod?
Is it possible to update key/pair vault value from pod?

Time:10-06

I'm contemplating using Hashicorp vault in my Kubernetes, to store some dynamic secrets. I did find out that I can set the sidecar injector to periodically retrieve the secret and app can look for file changes etc... all fine.

But after solid research, I could not find out how to update the key/pair from scheduled job in Kubernetes. Basically I need to run container than do some magic and retrieve new token, and then updates the vault pair. With kv commands, or somehow... bonus point if I do not have to use any API keys, just service account same like for reading the values.

Assuming the vault is running on Kubernetes where the pods will be.

CodePudding user response:

You can use the http API to interact with the vault.

Given the assumption that your service account has permission to update the secret, you could run a container with a small script.

#!/bin/sh

set -eu

# get the mounted service account token
token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"

# update the secret using curl
curl \
    --header "X-Vault-Token: $token" \
    --header "Content-Type: application/merge-patch json" \
    --request PATCH \
    --data @/path/to/payload.json \
    "$VAULT_ADDR/v1/secret/data/my-secret"

You need to tell your cronjob it should use the service account with the permissions, of course.

This could look roughly like this. It's probably better practice to build a custom image. I am mounting the script just for demo purposes.

---
apiVersion: batch/v1
kind: Job
metadata:
  name: patch-secret
spec:
  ttlSecondsAfterFinished: 100
  template:
    spec:
      serviceAccount: my-service-account
      restartPolicy: Never
      containers:
        - name: patcher
          image: index.docker.io/bluebrown/netutils
          command: [sh, "-e", "/opt/my-org/update-secret.sh"]
          volumeMounts:
            - name: scripts
              mountPath: /opt/my-org
      volumes:
        - name: scripts
          configMap:
            name: patch-secret-scripts
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: patch-secret-scripts
data:
  update-secret.sh: |
    token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
    curl \
        --header "X-Vault-Token: $token" \
        --header "Content-Type: application/merge-patch json" \
        --request PATCH \
        --data @/path/to/payload.json \
        "$VAULT_ADDR/v1/secret/data/my-secret"

You need to know where the payload is coming from. I left that part out in the example.

Page link:https//www.codepudding.com/os/567061.html

Prev:Integration testing with Testcontainers/Localstack and Spring Boot: Set directory for temporary file
Next:How to import an external file on k8 Manifest
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding