Fetching secrets from external vault to Kubernetes cluster |Periodically every 5min

hemanth.marella · August 15, 2021, 6:35am

Hi Team,

Re-posting question here.
I am trying to integrate external vault to Kubernetes using sidecar pattern.

Following below reference link:-

Integrate a Kubernetes Cluster with an External Vault | Vault - HashiCorp Learn

Integrate a Kubernetes cluster with an existing Vault service.

Able to successfully, integrate and fetch secrets from external vault to pod.

When a secret is updated in vault, it is getting reflected in pod only after manual restart of pod.

Question:-

Is there any annotation to enable in pod template, so that injector should check secrets in external vault, let’s say for every 5min and if found changes, then update it in our pod without manual intervention ?
If not annotation, any other alternative which I can achieve automatically fetching secrets for certain period of time using sidecar pattern?

This task is blocker for other teams. Please do let me know, if this scenario is doable or need to stop here.

Thank you in Advance…!!

tomhjp · August 17, 2021, 2:56pm

When using the Vault Agent injector, it should re-render templates that contain static secrets (e.g. from KV v2) every 5 minutes. Is that not happening? From 1.8, you can configure that period as well: Vault Agent Template Config | Vault by HashiCorp. For dynamic secrets, it will renew/re-render dynamically as the TTL gets near expiry.

hemanth.marella · August 17, 2021, 3:17pm

Thank for your response.

I didn’t get chance to look at template config. Will try to work on this and let you know, if anything required.

hemanth.marella · September 22, 2021, 5:32am

Hi tomhjp,

I tried to implement as per the documentation. Below are the annotations used.
Seems, secret is not fetching/renewing from vault after 2 minutes.

   vault.hashicorp.com/agent-init-first: "true"
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-credentials.txt: secret/hello_world/howdy
    vault.hashicorp.com/role: devops
    vault.hashicorp.com/template-static-secret-render-interval: 2m
    vault.hashicorp.com/template-config-exit-on-retry-failure: "true"

Is there any thing needs to be done in configuration, please let me know.

As I said, if I delete the pod then, able to see updated secrets when the pod is created.

Thanks & regards
Hemanth

Topic		Replies	Views
Annotation to fetch secrets from external vault to Kubernetes cluster \| every 5min Vault k8s	0	378	July 20, 2021
Vault agent injector dynamic secrets Vault	3	1044	April 17, 2020
About the method of pulling secret to the application on kubernetes Vault	1	287	March 23, 2022
Kubernetes Vault and Secrets Vault	7	752	February 24, 2020
Vault.hashicorp.com/template-static-secret-render-interval doesn't work Kubernetes	2	471	April 10, 2023

Fetching secrets from external vault to Kubernetes cluster |Periodically every 5min

Integrate a Kubernetes Cluster with an External Vault | Vault - HashiCorp Learn

Able to successfully, integrate and fetch secrets from external vault to pod.

Is there any thing needs to be done in configuration, please let me know.

Related topics