
put secret generated from annotations template to existing path / like consul destination directive #159

Open
ch0mik opened this issue Jul 23, 2020 · 8 comments
Labels
enhancement New feature or request

Comments


ch0mik commented Jul 23, 2020

ex.:

    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-status: "update"
      vault.hashicorp.com/agent-run-as-same-user: "true"
      vault.hashicorp.com/secret-volume-path: "/app/"
      vault.hashicorp.com/agent-inject-secret-globalsettings.json: "kv/global"
      vault.hashicorp.com/agent-inject-template-globalsettings.json: |
        {{- with secret "kv/global" -}}
        {
          "Redis": {
            "Host": "redis.local",
            "Port": 8803,
            "Name": "1",
            "DatabaseNo": 2,
            "Password": "{{ .Data.data.redis_password }}",
            "SlidingExpirationInMinutes": 60
          }
        }
        {{- end }}
      vault.hashicorp.com/role: "myapp"

vault.hashicorp.com/secret-volume-path: "/app/" - .NET Core app, not working when it is "/app/".
Permissions on the generated file (in another directory, e.g. /vault/secrets/) are ok.

Is it possible to map this generated file from secrets to a filepath, like consul templates do?

destination = "/app/globalsettings.json"

ex.
vault.hashicorp.com/agent-inject-destination-globalsettings2.json: "/app/globalsettings.json"

Regards
Pawel

ch0mik added the enhancement (New feature or request) label Jul 23, 2020
ch0mik changed the title from "put secret generate from annotation template to existing path / like consul destination directive" to "put secret generated from annotations template to existing path / like consul destination directive" Jul 23, 2020
Author

ch0mik commented Jul 23, 2020

When changing this (another path):

    vault.hashicorp.com/secret-volume-path: "/vault/secrets/"

the copy command

    vault.hashicorp.com/agent-inject-command-globalsettings2.json: "/bin/sh -c 'cp /vault/secrets/globalsettings2.json /tmp/'"

also does not work.
PS. #56

Member

tvoran commented Jul 24, 2020

The inject-command is copying the settings file to /tmp/ on the vault-agent containers, not the app container, so I think that's why it's not working.

If you can't specify an alternate location for the settings file, perhaps you can run the cp command in the app container, or create a symlink from /vault/secrets/globalsettings2.json to /app/globalsettings2.json in the app container.

Author

ch0mik commented Jul 24, 2020

> The inject-command is copying the settings file to /tmp/ on the vault-agent containers, not the app container, so I think that's why it's not working.

For tests I chose the /tmp/ folder. After the container runs, the command does not run. If I run the command myself, it puts the file in /tmp/ or /app/ and works:

    cp /vault/secrets/globalsettings2.json /app

Author

ch0mik commented Jul 24, 2020

Workaround for a .NET Core app: look in another path to get the .json files.

    using Microsoft.Extensions.Configuration;

    // Load settings from the app base path first, then from the injected secrets path;
    // all files are optional so the app still starts when a file is missing
    public static IConfiguration BuildConfiguration(string path)
    {
        return new ConfigurationBuilder()
            .SetBasePath(path)
            .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile("globalsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile("/secrets/appsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile("/secrets/globalsettings.json", optional: true, reloadOnChange: true)
            .AddEnvironmentVariables()
            .Build();
    }


stewartshea commented Jul 31, 2020

I too could use a feature like this, or even the ability to create subdirectories under the /vault/secrets shared path. Grafana needs to access configuration files under a couple of different directories, which would possibly work with something like this layout:

  • /vault/secrets/provisioning/datasources/<keys>
  • /vault/secrets/provisioning/dashboards/<keys>

Currently it won't work by mixing the contents of those secrets in a single folder like /vault/secrets/.


stewartshea commented Jul 31, 2020

As a workaround, I was able to use the command feature like this:

    vault.hashicorp.com/agent-inject-command-datasource.yaml: "/bin/sh -c 'mkdir -p /vault/secrets/provisioning/datasources && ln -s /vault/secrets/datasource.yaml /vault/secrets/provisioning/datasources/datasource.yaml'"

It's not elegant, but it should work for now.
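The mkdir-and-symlink workaround above, generalized into a reusable shell function as an added example (not from this thread or the vault-k8s project). It assumes the shared secrets volume directory, the rendered file name and the desired relative target are passed as arguments, and it refuses targets that would resolve outside the volume, since the inject-command runs in the vault-agent sidecar where only that volume is shared with the app container.

```shell
#!/bin/sh
# Added example: stage a rendered secret under a subdirectory of the shared
# secrets volume via a symlink, refusing any target that leaves the volume.
# Usage: stage_secret_link <volume_dir> <rendered_file> <relative_target>
stage_secret_link() {
    vol=$1
    src="$1/$2"
    rel=$3
    # Reject absolute targets and any '..' component so the link stays inside the volume
    case "$rel" in
        /*|*..*) echo "refusing target outside volume: $rel" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "missing rendered secret: $src" >&2; return 1; }
    dst="$vol/$rel"
    mkdir -p "$(dirname "$dst")" || return 1
    # -f replaces a stale link if the pod restarted and the command re-ran
    ln -sf "$src" "$dst" || return 1
    # Confirm the link points at the rendered file
    [ "$(readlink "$dst")" = "$src" ]
}

# Demo with a constructed rendered secret in a temporary "volume"
demo_vol=$(mktemp -d)
printf 'apiVersion: 1\n' > "$demo_vol/datasource.yaml"
stage_secret_link "$demo_vol" datasource.yaml provisioning/datasources/datasource.yaml \
    && echo "staged: $(readlink "$demo_vol/provisioning/datasources/datasource.yaml")"
```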

Member

tvoran commented Aug 1, 2020

@stewartshea You may be able to make use of the secret-volume-path annotation: https://www.vaultproject.io/docs/platform/k8s/injector/annotations#vault-hashicorp-com-secret-volume-path

Otherwise the upcoming release of vault-k8s will add an agent-inject-file annotation which will allow for arbitrary directory structures in the secrets volume: #158

stewartshea commented

In my case I still needed to create arbitrary directory structures to support the way grafana is configured, but it looks like #158 may solve this for me.
