How to inject secrets into Kubernetes pods via Vault Agent containers using env variables
Hello everyone, I need your help. I'm trying to perform secret injection via Vault into a Kubernetes cluster, but I'm struggling to set what I retrieve from Vault as a global variable. Here's my deployment:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-pyth
  labels:
    app: app-pyth
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app-pyth
  template:
    metadata:
      labels:
        app: app-pyth
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'internal-app'
        vault.hashicorp.com/agent-inject-secrets: 'internal/data/database/config'
        vault.hashicorp.com/agent-inject-template-secrets: |
          {{- with secret "internal/data/database/config" -}}
          export USERNAME={{ .Data.data.username }}
          export PASSWORD={{ .Data.data.password }}
          export ROOT_PASSWORD={{ .Data.data.rootpassword }}
          export DATABASE={{ .Data.data.database }}
          export HOST={{ .Data.data.host }}
          {{- end -}}
    spec:
      serviceAccountName: internal-app
      containers:
        - name: myapp
          image: adouadi/python:latest
          ports:
            - containerPort: 80
          command: ['/bin/bash', '-c', ]
          args: ['source /vault/secrets/secrets']
```
I don't have an entrypoint script like this: `['source /vault/secrets/config && <entrypoint script>']`, because my script is executed within my Docker image. When I go into the pod at the path `/vault/secrets/secrets`, I can see the variables properly retrieved from Vault. Please help me.
Resolved!!! You need to set the entrypoint for your script, because the `command` option in the Kubernetes config overrides the entrypoint, regardless of what the Docker image defines, so you should do it like this:

```yaml
command:
  ['/bin/bash', '-c']
args:
  ['source /vault/secrets/secrets && uvicorn main:app --host=0.0.0.0 --port=80']
```
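The fix above chains `source` and the app in one `bash -c` string, which leaves bash as PID 1 in front of uvicorn. As an added example that is not part of the original thread, the wrapper below does the same job as an image entrypoint: it loads the file the Vault Agent sidecar renders at `/vault/secrets/secrets`, refuses to start if that file is missing or empty, and then `exec`s the real command so the application itself receives the pod's SIGTERM. The file path, the `demo` function and the sample values in it are assumptions constructed for this example, not anything from the original poster's setup.

```shell
#!/bin/sh
# Added example, not from the original post: an entrypoint wrapper around the
# Vault Agent-rendered secrets file. Usage inside the Deployment would be
#   command: ["/bin/sh", "/entrypoint.sh"]
#   args: ["uvicorn", "main:app", "--host=0.0.0.0", "--port=80"]
# (assumed paths; adjust to your image).

# Path rendered by the injector for the template named "secrets" (assumption:
# same annotation names as in the question above).
SECRETS_FILE="${SECRETS_FILE:-/vault/secrets/secrets}"

# load_secrets FILE: source the rendered file so its "export VAR=..." lines land
# in the current environment. Returns 1 instead of starting without credentials
# when the sidecar has not written the file yet or wrote an empty one.
load_secrets() {
  file="$1"
  if [ ! -s "$file" ]; then
    echo "secrets file $file is missing or empty" >&2
    return 1
  fi
  # POSIX "." is the same operation as bash's "source".
  # shellcheck disable=SC1090
  . "$file"
}

# run_app CMD...: load secrets, then replace this shell with the application so
# it becomes PID 1 and gets SIGTERM directly on pod termination.
run_app() {
  load_secrets "$SECRETS_FILE" || exit 1
  exec "$@"
}

# demo: exercise load_secrets against a constructed file that stands in for the
# injector's output. The values are made up for the example, not real secrets.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
export USERNAME=demo-user
export PASSWORD=demo-pass
export DATABASE=appdb
export HOST=db.internal
EOF
  load_secrets "$tmp" && echo "loaded: USERNAME=$USERNAME HOST=$HOST"
  rm -f "$tmp"
}

case "${1:-}" in
  "") demo ;;          # no arguments: run the self-contained demonstration
  *)  run_app "$@" ;;  # otherwise behave as the container entrypoint
esac
```

Because the variables only exist in the process that sourced the file, `exec` must happen in that same shell; forking the app from a subshell would lose them. The check on an empty file matters in practice: with `agent-inject` the init container normally finishes rendering before the app starts, but a wrong role or policy leaves an empty render, and starting without credentials fails later and less clearly.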