
I am trying to export Vault secrets as environment variables to a k8s pod using the Vault injector, following the Vault documentation: https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example

As mentioned in the example, you need to source a config file inside the container, and it overrides the ENTRYPOINT script/command that you pass in the Dockerfile.

      containers:
        - name: web
          image: alpine:latest
          command:
            ['sh', '-c']
          args:
            ['source /vault/secrets/config && <entrypoint script>']

In my setup, I don't have a static entrypoint script that I can put here in args. The Dockerfile has its own command/script running as the entrypoint script.

I am trying to find out whether there is any alternative way to source this Vault config inside the container that lets me leave the entrypoint script in the Dockerfile unchanged. I am not sure if k8s provides any way to do this with a post-hook or something similar that runs the entrypoint from the Dockerfile first and then executes other scripts/commands passed in the post-hook.

Meet101
  • What the example is demonstrating is how to populate a text file's content in the container filesystem with an environment `export` with a chosen key, and a value populated by Vault Agent secrets retrieval. The `source` in the `args` is so that the container execution process will `export` the environment variable with the secret value. You probably cannot achieve what you want here with the Vault Agent Injector. – Matthew Schuchard Apr 06 '23 at 19:31
  • A container only runs one process, and trying to dynamically wrap it at runtime can be tricky. If you control the image and you already have an entrypoint wrapper script, can you add the secret setup there; `if [ -f /vault/secrets/config ]; then . /vault/secrets/config; fi`? – David Maze Apr 07 '23 at 11:23

1 Answer


You can use the Vault Secrets Operator to synchronize secrets from Vault to Kubernetes Secret resources.

Once you've done that, you can then expose those secrets as environment variables using envFrom or vaultFrom directives in your deployment manifests, as described in the documentation.

This method does not require overriding the entrypoint or arguments of your containers.


It looks like Vault Secrets Operator is relatively new and the documentation seems a bit slim. You can achieve similar functionality using the External Secrets Operator, which has the added advantage that it supports a variety of secret store backends.

larsks
  • That operator launched in beta one week ago and is still undergoing public testing, but in several months this will almost certainly be the best answer. – Matthew Schuchard Apr 06 '23 at 19:32
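The Vault Secrets Operator route described in this answer, written out as an added example (not code from the answer or from HashiCorp's docs). It assumes the operator is installed, Vault's Kubernetes auth method is mounted at `demo-auth-mount` with a role `web` bound to the pod's service account, and a KV v2 secret exists at `kvv2/web/config`; the namespace `app`, resource names and the image are placeholders.

```yaml
# Added example: VSO copies a KV v2 secret into a Kubernetes Secret and the
# Deployment consumes it with envFrom, leaving the image's ENTRYPOINT untouched.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: web-auth
  namespace: app
spec:
  method: kubernetes
  mount: demo-auth-mount      # assumed: Kubernetes auth mount path in Vault
  kubernetes:
    role: web                 # assumed: Vault role for the pod's service account
    serviceAccount: default
    audiences:
      - vault
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: web-config
  namespace: app
spec:
  vaultAuthRef: web-auth
  mount: kvv2                 # assumed: KV v2 mount
  type: kv-v2
  path: web/config            # each field of the secret becomes a key in the Secret
  refreshAfter: 30s           # operator re-reads Vault and updates the Secret
  destination:
    create: true
    name: web-config          # Kubernetes Secret the operator creates and manages
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: app
spec:
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          image: registry.example/web:1.0   # placeholder image
          # no command/args override: the Dockerfile ENTRYPOINT runs as-is
          envFrom:
            - secretRef:
                name: web-config
```

The operator also stores the complete secret under a `_raw` key, so `envFrom` exports a `_raw` variable as well; switch to `env` entries with `secretKeyRef` if only specific keys should reach the process.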