Hi all,
I’m able to get secrets injected into a container using the sidecar annotations with approle auto auth method as follows:
podAnnotations:
  vault.hashicorp.com/agent-init-first: "true"
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-extra-secret: "my-approle-creds"
  vault.hashicorp.com/auth-type: "approle"
  vault.hashicorp.com/auth-config-role-id-file-path: "/vault/custom/role-id"
  vault.hashicorp.com/auth-config-secret-id-file-path: "/vault/custom/secret-id"
  vault.hashicorp.com/namespace: "mynamespace"
  vault.hashicorp.com/auth-path: "auth/foobar/approle"
  vault.hashicorp.com/agent-inject-secret-database-config.txt: "secret/mydbsecret"
  vault.hashicorp.com/agent-inject-template-database-config.txt: |
    {{- with secret "secret/mydbsecret" -}}
    username={{ .Data.username }}
    password={{ .Data.password }}
    {{- end -}}
When I exec into the vault-agent container, I see the following at /home/vault/config.json:
{
  "auto_auth": {
    "method": {
      "type": "approle",
      "mount_path": "auth/foobar/approle",
      "namespace": "mynamespace",
      "config": {
        "role_id_file_path": "/vault/custom/role-id",
        "secret_id_file_path": "/vault/custom/secret-id",
        "token_path": "/var/run/secrets/kubernetes.io/serviceaccount/token"
      }
    },
    "sink": [
      {
        "type": "file",
        "config": {
          "path": "/home/vault/.vault-token"
        }
      }
    ]
  },
  "exit_after_auth": false,
  "pid_file": "/home/vault/.pid",
  "vault": {
    "address": "https://<my vault url>"
  },
  "template": [
    {
      "destination": "/vault/secrets/database-config.txt",
      "contents": "{{- with secret \"secret/mydbsecret\" -}}\nusername={{ .Data.username }}\npassword={{ .Data.password }}\n{{- end -}}",
      "left_delimiter": "{{",
      "right_delimiter": "}}"
    }
  ],
  "template_config": {
    "exit_on_retry_failure": true
  }
}
But now I’m trying to get this to work using a configmap instead. The configmap looks as follows:
"vault" {
  "address" = "https://<my vault url>"
}
"auto_auth" {
  "method" {
    "type" = "approle"
    "mount_path" = "auth/foobar/approle"
    "namespace" = "mynamespace"
    "config" = {
      "role_id_file_path" = "/vault/custom/role-id"
      "secret_id_file_path" = "/vault/custom/secret-id"
      "remove_secret_id_file_after_reading" = false
    }
  }
  "sink" = {
    "config" = {
      "path" = "/home/vault/.vault-token"
    }
    "type" = "file"
  }
}
"template" = {
  "destination" = "/vault/secrets/database-config.txt"
  "contents" = <<EOT
{{ "{{" }}- with secret "secret/mydbsecret" -{{ "}}" }}
username={{ "{{" }} .Data.username {{ "}}" }}
password={{ "{{" }} .Data.password {{ "}}" }}
{{ "{{" }}- end -{{ "}}" }}
EOT
}
"exit_after_auth" = false
"pid_file" = "/home/vault/.pid"
I’ve kept these annotations since I don’t see from the documentation if there’s a way to specify the “agent-extra-secret” in the configmap.
podAnnotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-init-first: "true"
  vault.hashicorp.com/agent-extra-secret: "my-approle-creds"
  vault.hashicorp.com/agent-configmap: "vault-agent-example-chart"
  vault.hashicorp.com/log-level: "trace"
I’ve set it for both config.hcl and config-init.hcl. In config-init.hcl, I’ve set exit_after_auth to true.
But I keep getting the following error in the init container:
Error creating approle auth method: empty config data
What am I missing?
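As an added example (not part of the original post or of Vault itself), the Python script below renders the injector-generated config.json quoted in the post as HCL and emits both a config.hcl and a config-init.hcl with exit_after_auth set to true, so each can be diffed line by line against the hand-written configmap; the JSON is a constructed copy of the one in the post, with "<my vault url>" kept as the post's placeholder.

```python
import copy
import json

# Constructed copy of the injector-generated /home/vault/config.json quoted in the post;
# "<my vault url>" is the post's own placeholder.
INJECTED_JSON = r'''{"auto_auth":{"method":{"type":"approle","mount_path":"auth/foobar/approle","namespace":"mynamespace","config":{"role_id_file_path":"/vault/custom/role-id","secret_id_file_path":"/vault/custom/secret-id","token_path":"/var/run/secrets/kubernetes.io/serviceaccount/token"}},"sink":[{"type":"file","config":{"path":"/home/vault/.vault-token"}}]},"exit_after_auth":false,"pid_file":"/home/vault/.pid","vault":{"address":"https://<my vault url>"},"template":[{"destination":"/vault/secrets/database-config.txt","contents":"{{- with secret \"secret/mydbsecret\" -}}\nusername={{ .Data.username }}\npassword={{ .Data.password }}\n{{- end -}}","left_delimiter":"{{","right_delimiter":"}}"}],"template_config":{"exit_on_retry_failure":true}}'''


def _scalar(value):
    """Render a JSON scalar as an HCL literal (strings keep JSON quoting/escapes)."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return json.dumps(value)


def _body(obj, depth):
    """Render one object's entries, recursing into nested objects as HCL blocks."""
    pad = "  " * depth
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict) and key == "config":
            # The agent docs and the post's configmap write config as an attribute map.
            lines += [f"{pad}{key} = {{", *_body(value, depth + 1), f"{pad}}}"]
        elif isinstance(value, dict):
            lines += [f"{pad}{key} {{", *_body(value, depth + 1), f"{pad}}}"]
        elif isinstance(value, list):
            for item in value:           # a JSON array becomes repeated blocks
                lines += [f"{pad}{key} {{", *_body(item, depth + 1), f"{pad}}}"]
        elif isinstance(value, str) and "\n" in value:
            # Multi-line strings (the template) go into a heredoc, terminator at column 0
            lines += [f"{pad}{key} = <<EOT", *value.split("\n"), "EOT"]
        else:
            lines.append(f"{pad}{key} = {_scalar(value)}")
    return lines


def json_to_hcl(config):
    return "\n".join(_body(config, 0)) + "\n"


def render_agent_configs(raw_json):
    """Return (config.hcl, config-init.hcl); the init copy sets exit_after_auth = true."""
    cfg = json.loads(raw_json)
    init_cfg = copy.deepcopy(cfg)
    init_cfg["exit_after_auth"] = True
    return json_to_hcl(cfg), json_to_hcl(init_cfg)


if __name__ == "__main__":
    main_hcl, init_hcl = render_agent_configs(INJECTED_JSON)
    print("# config.hcl\n" + main_hcl)
    print("# config-init.hcl\n" + init_hcl)
```

Because the configmap in the post is a Helm template, compare the rendered chart output (after Helm has turned the `{{ "{{" }}` escapes back into `{{`) rather than the chart source.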