
I'm using an external Vault with Kubernetes and I want all my secrets to be either in the pod env or in Kubernetes Secrets. I tried to use

apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
  labels:
    app: orgchart
spec:
  selector:
    matchLabels:
      app: orgchart
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "devwebapp"
        vault.hashicorp.com/agent-inject-secret-config: "kv/secret/devwebapp/config"
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "kv/secret/devwebapp/config" -}}
            export user="{{ .Data.username }}"
            export pass="{{ .Data.password }}"
          {{- end }}
      labels:
        app: orgchart
    spec:
      serviceAccountName: devwebapp123
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1
          args: ["sh", "-c", "source /vault/secrets/config"]

but when I exec into the pod and run env there are no secrets in the env

kubectl exec -it orgchart-659b57dc47-2dwdf -c orgchart -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
HOSTNAME=orgchart-659b57dc47-2dwdf
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.233.0.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.233.0.1
KUBERNETES_SERVICE_HOST=10.233.0.1
HOME=/root

The files in the pod at path /vault/secrets/config exist. After that I have 2 questions. Why is it not working, and is there any way I can inject it into Kubernetes Secrets?

  • Have you already tried this step-by-step tutorial: [Integrate a Kubernetes Cluster with an External Vault](https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault) ? At the end of this tutorial, you can find how to [inject secrets into the pod](https://learn.hashicorp.com/tutorials/vault/kubernetes-external-vault#inject-secrets-into-the-pod) – matt_j Aug 12 '21 at 09:01
  • @Амангельды Омаров Did you find any solution to your question? I have the same scenario as yours – Donal Aug 11 '22 at 04:06

1 Answer


You should use this syntax instead:

args: ["sh", "-c", "source /vault/secrets/config && <entry-point script>"]

to inject the environment variables into the application environment. If I got the right docker image, the entry-point should be /app/web.

It may be necessary to override the default one:

containers:
  - name: orgchart
    image: jweissig/app:0.0.1
    command: ["sh", "-c"]   # Kubernetes overrides the image ENTRYPOINT with `command`, not `entrypoint`
    args: ["source /vault/secrets/config && exec /app/web"]   # exec keeps /app/web as the container's main process
– Davide Madrisan
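The following is an added example, not code from the question or the answer above. It reproduces locally why `args: ["sh", "-c", "source /vault/secrets/config"]` leaves `kubectl exec ... env` empty, and shows the source-then-exec pattern the answer recommends. The file the Vault agent renders at /vault/secrets/config and the image's /app/web entry point are replaced by constructed stand-ins written to a temp directory; the values in them are dummies. It also shows a caveat with the template itself: `export pass="{{ .Data.password }}"` is shell text, so a secret containing `$`, backquotes or `"` is expanded or breaks the file when it is sourced.

```sh
#!/bin/sh
# Added example (not from the question or the answer). Stand-ins: a constructed
# "agent-rendered" secrets file and a tiny "application" script.

TMP="${TMPDIR:-/tmp}"
SECRETS_FILE="$TMP/vault-secrets-config.$$"   # stands in for /vault/secrets/config
APP="$TMP/fake-app.$$"                        # stands in for /app/web
trap 'rm -f "$SECRETS_FILE" "$APP"' EXIT

# Constructed output of the Deployment's agent template (dummy values).
# `.` is used below instead of `source`: `source` is a bash/busybox extension
# and images whose /bin/sh is dash do not have it.
cat > "$SECRETS_FILE" <<'EOF'
export user="devwebapp"
export pass="s3cr3t-example"
EOF

# The "application": prints whatever $user it inherited from its parent.
cat > "$APP" <<'EOF'
printf '%s' "${user:-}"
EOF

# The Deployment's pattern. Even when the shell does run as the container
# command, its only job is to source the file; the variables live in that
# shell and vanish when it exits. `kubectl exec` then starts a new process
# which inherits nothing from it. (If the image has an ENTRYPOINT, `args`
# alone is appended to that entry point and no shell runs at all, which is
# why the answer also overrides the entry point.)
broken_pattern() {
    sh -c ". \"$SECRETS_FILE\""     # sources, then exits
    sh "$APP"                        # separate process, like kubectl exec: no $user
}

# The working pattern: source and exec the entry point in the same shell, so
# the application is a child that inherits the exported variables and then
# replaces the shell as the main process.
working_pattern() {
    sh -c ". \"$SECRETS_FILE\" && exec sh \"$APP\""
}

# Template quoting caveat: the rendered line is evaluated by the shell.
sourced_value() {   # $1 = one export line, as the template would render it
    qf="$TMP/quoting-demo.$$"
    printf '%s\n' "$1" > "$qf"
    sh -c ". \"$qf\" && printf '%s' \"\$pass\""
    rm -f "$qf"
}
double_quoted() { sourced_value 'export pass="pa$HOME"'; }   # $HOME gets expanded
single_quoted() { sourced_value "export pass='pa\$HOME'"; }  # value kept literal

printf 'broken:  [%s]\nworking: [%s]\n' "$(broken_pattern)" "$(working_pattern)"
printf 'double-quoted template: [%s]\nsingle-quoted template: [%s]\n' \
    "$(double_quoted)" "$(single_quoted)"
```

Run it with `sh example.sh`: the broken pattern prints an empty value, the working one prints `devwebapp`. The quoting pair shows that single-quoting the value in the template (`export pass='{{ .Data.password }}'`) stops `$` expansion, though a secret containing a single quote would still break that line, so a secret that must survive arbitrary bytes is better read by the application from the rendered file than passed through shell syntax.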