I am tasked with integrating oauth2-proxy into an existing Kubernetes deployment in order to secure the application's endpoints. We are using Azure as the IDP and the HC Vault sidecar to inject secrets into the pod. The existing app is one container, and oauth2-proxy will be another container in the same pod. The Vault secrets are meant to be injected as environment variables, using annotations. The annotations configuration works fine.

I am not sure how to wire the Vault secrets into the oauth2-proxy container, since the oauth2-proxy container already has runtime args it needs.

How can I both source the secrets from HC Vault and pass my runtime args to the container? It seems like I can do one thing or the other with `args:`, but not both. Here is how I can do one or the other. How can I do both?
```yaml
# Note: a container spec can carry only one args: key; the two forms below are
# shown together only to contrast them.
- name: oauth2-proxy
  image: <image>
  # args to source the environment variables from vault secret/sidecar injection
  args: ["/bin/sh", "-c", "source /vault/secrets/app && <entrypoint script>"]
  # args to pass the oauth2 runtime parameters
  args:
    - --provider=azure
    - --email-domain=mydomain.com
    - --http-address=0.0.0.0:4180
    - --azure-tenant=123456789
```
Ultimately got this working by using `command` and `args` inside the oauth2 container spec, using `source` + the entrypoint command from the Dockerfile:

```yaml
command: ["/bin/sh", "-c"]
# "." is the POSIX spelling of "source" if the image's /bin/sh is not bash or busybox
args: ["source /vault/path/from/annotations && /bin/oauth2-proxy <ADDITIONAL START-UP PARAMETERS FOR AUTH>"]
```
Ideally, you should be using the Vault injector to add or inject the variables into the pod:
https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar

Simple helm command:

```shell
helm install vault hashicorp/vault --namespace vault --set "injector.externalVaultAddr=<vault address>"
```
Get token and cluster details:

```shell
VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
TOKEN_REVIEW_JWT=$(kubectl get secret "$VAULT_HELM_SECRET_NAME" -n vault --output='go-template={{ .data.token }}' | base64 --decode)
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
```
Adding the details into Vault for the authentication method:

```shell
vault write auth/<auth-method-name>/config \
  token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
  kubernetes_host="$KUBE_HOST" \
  kubernetes_ca_cert="$KUBE_CA_CERT"
```
You should be using the annotation to fetch the variables from Vault:

```yaml
annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/auth-path: auth/<auth-method-name>
  vault.hashicorp.com/agent-inject-secret-secrets: "kv/<path-of-secret>"
  vault.hashicorp.com/role: 'app'
  # Rendered to /vault/secrets/secrets. Values are written unquoted, so quote
  # them in the template if they may contain spaces or shell metacharacters.
  vault.hashicorp.com/agent-inject-template-secrets: |
    {{- with secret "kv/<path-of-secret>" -}}
    #!/bin/sh
    set -e
    {{- range $key, $value := .Data.data }}
    export {{ $key }}={{ $value }}
    {{- end }}
    exec "$@"
    {{- end }}
```
You can create a shell script in your app which checks whether the secret exists or not; if it exists, the shell script will inject the data into the environment.

run.sh

```bash
#!/bin/bash
# source the Vault-rendered file only if the sidecar has written it
if [ -f '/vault/secrets/secrets' ]; then
  source '/vault/secrets/secrets'
fi
# exec so the app replaces the shell and receives signals directly
exec node dist/server.js
```
Your Docker image will be running your shell script file, so you don't need to pass args now; yes, in this method you have to change the existing Dockerfile.

Reference: https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar#pod-with-annotations
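Both answers rely on the same pattern: load the Vault-rendered file, then start the real process with its runtime args. The wrapper below carries that pattern through as an added example; it is not code from the question, either answer, or the oauth2-proxy or Vault projects. It assumes the agent template renders plain `KEY=VALUE` lines (no `export`, no quoting) to a file such as `/vault/secrets/oauth2`, and that oauth2-proxy reads its secrets from `OAUTH2_PROXY_*` environment variables; the file path, the `OAUTH2_REQUIRED` default list and the `/entrypoint.sh` name are assumptions. It differs from `source` in two ways that matter for secrets: the rendered file is never evaluated as shell, so a value containing spaces, quotes or `$` is exported exactly as Vault wrote it, and the container refuses to start when a required secret is missing instead of letting oauth2-proxy fail later with a less specific error.

```shell
#!/bin/sh
# Added example (not from the question or either answer): an entrypoint wrapper
# that loads a Vault-agent-rendered secrets file into the environment and then
# execs the real process with the runtime args given in the pod spec.
# Assumptions (hypothetical): the agent template renders plain KEY=VALUE lines,
# and oauth2-proxy reads its secrets from OAUTH2_PROXY_* variables.

# Secrets oauth2-proxy must never start without; override via OAUTH2_REQUIRED.
OAUTH2_REQUIRED="${OAUTH2_REQUIRED:-OAUTH2_PROXY_CLIENT_SECRET OAUTH2_PROXY_COOKIE_SECRET}"

# Only plain identifiers are accepted as variable names, so a rendered line
# cannot smuggle shell syntax into the export.
valid_name() {
  case "$1" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Read KEY=VALUE lines and export them literally. Unlike `source`, the file is
# never run as shell, so spaces, quotes and `$` in a value are preserved.
# Blank lines and # comments are skipped. Secret values are never echoed to
# stderr, even on error. (`local` is supported by dash, busybox sh and bash.)
load_vault_env() {
  local file line key value
  file="$1"
  [ -r "$file" ] || { echo "secret file $file is not readable" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in
      *=*) ;;
      *) echo "malformed line (no '=') in $file" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    valid_name "$key" || { echo "invalid variable name in $file: $key" >&2; return 1; }
    export "$key=$value"
  done < "$file"
}

# Fail fast if any required variable is unset or empty, naming what is missing
# so the pod log explains the crash.
require_env() {
  local name value missing
  missing=""
  for name in "$@"; do
    valid_name "$name" || return 1
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  [ -z "$missing" ] || { echo "missing required secrets:$missing" >&2; return 1; }
}

# Load, verify, then replace this shell with the real process so that signals
# from the kubelet and the exit code reach Kubernetes directly.
run_with_secrets() {
  local file
  file="$1"; shift
  [ $# -gt 0 ] || { echo "usage: run_with_secrets FILE COMMAND [ARGS...]" >&2; return 2; }
  load_vault_env "$file" || return 1
  # word-splitting of OAUTH2_REQUIRED is intended: it is a space-separated list
  require_env $OAUTH2_REQUIRED || return 1
  exec "$@"
}

# Pod-spec usage (assumed paths):
#   command: ["/bin/sh", "/entrypoint.sh"]
#   args: ["/vault/secrets/oauth2", "/bin/oauth2-proxy", "--provider=azure",
#          "--http-address=0.0.0.0:4180", "--email-domain=mydomain.com"]
# When invoked with arguments the script acts as the entrypoint; with none
# (for example when sourced for testing) it only defines the functions.
[ $# -eq 0 ] || run_with_secrets "$@"
```

Because the wrapper ends with `exec`, oauth2-proxy replaces the shell rather than running as its child, so a SIGTERM from the kubelet reaches it directly; with `sh -c "source ... && /bin/oauth2-proxy ..."` the shell stays in front of the process and must forward signals itself.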