How to inject vault and consume hashicorp vault secrets?

4/18/2021

I don't understand how to apply hashicorp vault to inject secrets in my app.

The following link shows a couple of examples: https://www.vaultproject.io/docs/platform/k8s/injector/examples

I used the environment variables example from the same post. But it seems not all the env variables are injected into the app. For instance, ENVs in one of my layouts don't seem to get applied: `<meta property="og:title" content="#{ENV['NAME']}">` shows no value. But the app is running, and /vault/secrets/... has files with contents.

Here's a part of the Deployment config of my app.

When there're multiple secrets/templates, the Deployment is going to look ugly.

There's absolutely no description for the configmap example, but this is probably what I should be using instead of env.

    ...
         annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "app-role"
            vault.hashicorp.com/agent-inject-status: "update"
            vault.hashicorp.com/agent-inject-secret-pg.env: "secret/data/pg"
            vault.hashicorp.com/agent-inject-template-pg.env: |
              {{` {{- with secret "secret/data/pg" -}} `}}
              {{` export POSTGRES_HOST={{ .Data.data.host }} `}}
              {{` export POSTGRES_PORT={{ .Data.data.port }} `}}
              {{` export POSTGRES_USER={{ .Data.data.user }} `}}
              {{` export POSTGRES_PASSWORD={{ .Data.data.password }} `}}
              {{` {{- end }} `}}
            vault.hashicorp.com/agent-inject-secret-meta.env: "secret/data/app/meta"
            vault.hashicorp.com/agent-inject-template-meta.env: |
              {{` {{- with secret "secret/data/app/meta" -}} `}}
              {{` export BASE_URL={{ .Data.data.url }} `}}
              {{` export DESCRIPTION={{ .Data.data.description }} `}}
              {{` export IMAGE={{ .Data.data.image }} `}}
              {{` export NAME={{ .Data.data.name }} `}}
              {{` {{- end }} `}}

        spec:
          serviceAccountName: app

    ...
    args: ["/bin/bash", "-c", "source /vault/secrets/*.env && bundle exec puma -C config/puma.rb"]
-- kirqe
devops
hashicorp-vault
kubernetes

2 Answers

6/14/2021

I vaguely recall facing a similar problem while consuming secrets from Vault using the agent injector pattern. Though I didn't dig too deep into why it wasn't working, I figured out an easy way around it. Would a configuration like the one below maybe help you?

    ...
         annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "app-role"
            vault.hashicorp.com/agent-inject-status: "update"
            vault.hashicorp.com/agent-inject-secret-pg.env: "secret/data/pg"
            vault.hashicorp.com/agent-inject-template-pg.env: |
              {{- with secret "secret/data/pg" -}}
                postgres://{{ .Data.data.user }}:{{ .Data.data.password }}@{{ .Data.data.host }}:{{ .Data.data.port }}/wizard?sslmode=disable
              {{- end }}
            ...

        spec:
          serviceAccountName: app
    ...
    args:
     - echo set env variable(s);
       export POSTGRES_CONN_STRING=$(cat /vault/secrets/pg.env)
       ...

We use a similar approach for setting the MongoDB connection string and a few others. Works just fine for us.

-- rock'n rolla
Source: StackOverflow
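
As an added example that is not part of the question, either answer, or the Vault injector docs, the following bash script exercises both ways the posts above consume the files the Vault agent renders under /vault/secrets: sourcing every rendered `*.env` file (the question's entrypoint) and reading one rendered file into a single variable (the first answer's `$(cat /vault/secrets/pg.env)`). The directory, file names and values are constructed stand-ins for what the agent would render; the note about `source /vault/secrets/*.env` describes bash's documented behaviour, where arguments after the file name become positional parameters rather than further files to source.

```bash
#!/usr/bin/env bash
# Added example (not from the posts above): load Vault-agent rendered files into
# the environment of the process that starts the app.
set -eu

# Constructed stand-in for /vault/secrets with two rendered .env files and one
# single-value file, as the question's and the first answer's templates produce.
make_fake_secrets_dir() {
  local dir
  dir=$(mktemp -d)
  printf 'export POSTGRES_HOST=db.internal\nexport POSTGRES_PORT=5432\n' > "$dir/pg.env"
  printf 'export NAME=myapp\nexport BASE_URL=https://example.test\n' > "$dir/meta.env"
  # Answer-style file: the whole rendered template is one connection string.
  printf 'postgres://app:s3cr3t@db.internal:5432/wizard?sslmode=disable\n' > "$dir/pg.conn"
  printf '%s' "$dir"
}

# The question's entrypoint runs `source /vault/secrets/*.env`. In bash, `source`
# reads only its first argument; the remaining expanded paths become positional
# parameters ($1, $2, ...) for that one file, so with several rendered files only
# the first is ever applied. Loop over the files and source each one instead.
load_env_files() {
  local dir=$1 f
  for f in "$dir"/*.env; do
    [ -f "$f" ] || continue   # no match: the glob stays literal, skip it
    # shellcheck disable=SC1090
    . "$f"                    # the rendered file runs as shell in this process
  done
}

# The first answer's approach: read one rendered file into one variable.
# Command substitution strips trailing newlines, so a newline at the end of
# the rendered template does not leak into the value.
read_secret_file() {
  local value
  value=$(cat "$1")
  printf '%s' "$value"
}

# Usage: run this file with "demo" as its only argument to print what was loaded.
if [ "${1:-}" = demo ]; then
  dir=$(make_fake_secrets_dir)
  load_env_files "$dir"
  printf 'NAME=%s POSTGRES_HOST=%s POSTGRES_PORT=%s\n' "$NAME" "$POSTGRES_HOST" "$POSTGRES_PORT"
  printf 'POSTGRES_CONN_STRING=%s\n' "$(read_secret_file "$dir/pg.conn")"
  rm -rf "$dir"
fi
```

In a container entrypoint the loop replaces the `source /vault/secrets/*.env` part of the question's `args`, and `export POSTGRES_CONN_STRING=$(cat /vault/secrets/pg.env)` from the first answer is the `read_secret_file` pattern. Both variants execute or read whatever the template rendered, so the template annotation is as sensitive as the secret itself: whoever can change it controls what ends up in the app's environment.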

4/18/2021

If you want to inject the Vault secret into the deployment pod, here is what you can do.

There is one great project on GitHub, Vault-CRD, in Java: https://github.com/DaspawnW/vault-crd

Vault CRD is for sharing Vault secrets with Kubernetes. It injects and syncs values from Vault to Kubernetes secrets. You can use these secrets as environment variables inside a pod.

The flow goes something like: Vault to Kubernetes secret > and that secret gets injected into the deployment using YAML, the same as a configmap.

Apart from this, there is also another nice method: the sidecar pattern.

For that, there is a very nice tutorial: https://github.com/hashicorp/hands-on-with-vault-on-kubernetes

Another one: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

-- Harsh Manvar
Source: StackOverflow