how to configure kubernetes container spec for oauth2 proxy using Azure provider and Hashicorp Vault secret injector

9/24/2021

I am tasked with integrating oauth2 proxy into an existing kubernetes deployment in order to secure the application's endpoints. We are using Azure as the IDP and the HC Vault sidecar to inject secrets into the pod. The existing app is one container, and oauth2 will be another container in the same pod. The Vault secrets are meant to be injected as environment variables, using annotations. The annotations configuration works fine.

I am not sure how to wire the Vault secrets into the oauth2 container, since the oauth2 container already has runtime args it needs.

How can I both source the secrets from the HC Vault and pass my runtime args to the container? It seems like I can do one thing or the other with 'args:', but not both. Here is how I can do one or the other. How can I do both?

- name: oauth2-proxy
  image: <image>
  # args to source the environment variables from vault secret/sidecar injection
  args: ["/bin/sh", "-c", "source /vault/secrets/app && <entrypoint script>"]

  # args to pass the oauth2 runtime parameters
  args:
  - --provider=azure
  - --email-domain=mydomain.com
  - --http-address=0.0.0.0:4180
  - --azure-tenant=123456789
-- Robert Campbell
containers
hashicorp-vault
kubernetes
oauth-2.0

2 Answers

9/28/2021

Ultimately got this working by using command and args inside the oauth2 container spec, using source + the entrypoint command from the Dockerfile:

command: ["/bin/sh", "-c"]
args: ["source /vault/path/from/annotations && /bin/oauth2-proxy <ADDITIONAL START-UP PARAMETERS FOR AUTH>"]
-- Robert Campbell
Source: StackOverflow

9/24/2021

Ideally, you should be using the vault-injector to add or inject the variables into the pod.

https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar

Simple helm command: helm install vault hashicorp/vault --namespace vault --set "injector.externalVaultAddr=<vault address>"

Get token and cluster details:

VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')

TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)

KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)

Adding the details into the Vault auth method configuration:

vault write auth/<auth-method-name>/config \
        token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
        kubernetes_host="$KUBE_HOST" \
        kubernetes_ca_cert="$KUBE_CA_CERT"

You should be using the annotation to fetch the variables from Vault:

annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/auth-path: auth/<auth-method-name>
        vault.hashicorp.com/agent-inject-secret-secrets: "kv/<path-of-secret>"
        vault.hashicorp.com/role: 'app'
        vault.hashicorp.com/agent-inject-template-secrets: |
          {{- with secret "kv/<path-of-secret>" -}}
          #!/bin/sh
          set -e
          {{- range $key, $value := .Data.data }}
          export {{ $key }}={{ $value }}
          {{- end }}
          
          exec "$@"
          {{- end }}

You can create one shell script in your app, which will check if the secret exists or not; if it exists, the shell script will inject the data into the environment.

run.sh

#!/bin/bash
if [ -f '/vault/secrets/secrets' ]; then
  source '/vault/secrets/secrets'
fi
node dist/server.js

Your Docker image will be running your shell script file, so you don't need to pass args now; yes, in this method you have to change the existing Docker image.

Reference: https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar#pod-with-annotations

-- Harsh Manvar
Source: StackOverflow
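Both answers above end up with the same shape: a shell entrypoint that `source`s the file the Vault Agent template wrote and then starts oauth2-proxy. Two things a practitioner should check before shipping that. First, the template emits `export KEY=value` with the value unquoted, so a secret containing a space, `;`, `$(`, backticks or quotes will at best break startup and at worst be executed by `source` as shell code in the container. Second, `sh -c "source ... && /bin/oauth2-proxy ..."` leaves oauth2-proxy as a child of `sh`, so SIGTERM from the kubelet hits the shell rather than the proxy; `exec` fixes that. The wrapper below is an added example, not code from either answer, from oauth2-proxy or from HashiCorp. It assumes the Vault template is changed to write plain `KEY=VALUE` lines (one secret per line, no `export`, no quoting), that the script is baked into the image or mounted at a hypothetical path `/usr/local/bin/with-vault-env`, and that the secrets file path can be overridden with a hypothetical `VAULT_SECRETS_FILE` variable. The `OAUTH2_PROXY_*` variable names in the comments follow oauth2-proxy's convention of reading every flag from an `OAUTH2_PROXY_`-prefixed environment variable; the specific secret keys are my own choice.

```shell
#!/bin/sh
# with-vault-env: hypothetical entrypoint wrapper (added example, not from the
# original answers). It loads KEY=VALUE lines written by the Vault Agent
# template into the environment WITHOUT evaluating them as shell code, then
# execs the real command with whatever args Kubernetes passed.
#
# Assumed container spec (hypothetical script path), which keeps the runtime
# args as a plain YAML list instead of folding them into a shell string:
#   command: ["/usr/local/bin/with-vault-env"]
#   args:
#   - /bin/oauth2-proxy
#   - --provider=azure
#   - --email-domain=mydomain.com
#   - --http-address=0.0.0.0:4180
#   - --azure-tenant=123456789
#
# Assumed Vault Agent template output at /vault/secrets/secrets, one secret
# per line, no "export", no quoting (values must not contain newlines):
#   {{- range $key, $value := .Data.data }}
#   {{ $key }}={{ $value }}
#   {{- end }}
# oauth2-proxy reads OAUTH2_PROXY_<FLAG> variables, so keys such as
# OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET need no args.

# load_env_file FILE
# Exports each KEY=VALUE line of FILE literally. Unlike `. FILE` / `source FILE`,
# a value containing $(...), backticks, ; or quotes is never executed.
# Returns 0 on success (also when FILE is absent), 1 on a malformed line.
load_env_file() {
  file=$1
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"export "}          # tolerate the "export KEY=..." form too
    case $line in
      ''|'#'*) continue ;;          # blank line or comment
      *=*) ;;
      *) echo "with-vault-env: malformed line in $file" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}                # everything after the first '=' is the value
    # Only accept identifiers a shell would accept, so a crafted key cannot
    # smuggle anything past `export`.
    case $key in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "with-vault-env: invalid variable name '$key' in $file" >&2
        return 1 ;;
    esac
    export "$key=$value"
  done < "$file"
}

# run_with_secrets CMD [ARGS...]
# Loads the secrets file (path overridable via VAULT_SECRETS_FILE, hypothetical),
# then replaces this shell with CMD so signals from the kubelet reach it directly.
run_with_secrets() {
  [ "$#" -gt 0 ] || { echo "usage: with-vault-env CMD [ARGS...]" >&2; return 2; }
  load_env_file "${VAULT_SECRETS_FILE:-/vault/secrets/secrets}" || return 1
  exec "$@"
}

# Only act as an entrypoint when a command was given; sourcing or running the
# file without args just defines the functions.
if [ "$#" -gt 0 ]; then
  run_with_secrets "$@"
fi
```

The wrapper refuses to start on a malformed line rather than silently skipping it, so a template change that breaks the format fails loudly at deploy time instead of running oauth2-proxy without its client secret. Secrets still land on the pod filesystem and in the process environment, exactly as with the original `source` approach; the wrapper only removes the shell-evaluation step.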