Fetching secrets from external vault to Kubernetes cluster |Periodically every 5min

Hi Team,

Re-posting question here.
I am trying to integrate an external Vault with Kubernetes using the sidecar pattern.

Following the reference link below:

Integrate a Kubernetes Cluster with an External Vault | Vault - HashiCorp Learn

Integrate a Kubernetes cluster with an existing Vault service.

I am able to successfully integrate and fetch secrets from the external Vault into the pod.

When a secret is updated in Vault, it is reflected in the pod only after a manual restart of the pod.

Questions:

  1. Is there any annotation to enable in the pod template so that the injector checks the secrets in the external Vault, let's say every 5 minutes, and if it finds changes, updates them in our pod without manual intervention?
  2. If not an annotation, is there any other alternative by which I can achieve automatic fetching of secrets at a certain interval using the sidecar pattern?

This task is a blocker for other teams. Please let me know if this scenario is doable or whether we need to stop here.

Thank you in advance!

When using the Vault Agent injector, it should re-render templates that contain static secrets (e.g. from KV v2) every 5 minutes. Is that not happening? From 1.8, you can configure that period as well: Vault Agent Template Config | Vault by HashiCorp. For dynamic secrets, it will renew/re-render dynamically as the TTL gets near expiry.

Thanks for your response.

I didn't get a chance to look at the template config. I will try to work on this and let you know if anything is required.

Hi tomhjp,

I tried to implement it as per the documentation. Below are the annotations used.
It seems the secret is not being fetched/renewed from Vault after 2 minutes.

    vault.hashicorp.com/agent-init-first: "true"
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-credentials.txt: secret/hello_world/howdy
    vault.hashicorp.com/role: devops
    vault.hashicorp.com/template-static-secret-render-interval: 2m
    vault.hashicorp.com/template-config-exit-on-retry-failure: "true"

Is there anything that needs to be done in the configuration? Please let me know.

As I said, if I delete the pod, I am able to see the updated secrets when the pod is recreated.

Thanks & regards
Hemanth
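An added example, not from any of the posts above: a small Python watcher that polls the file the injector renders for the `agent-inject-secret-credentials.txt` annotation (assumed here to be `/vault/secrets/credentials.txt`, the injector's default secrets directory) and reports whether the sidecar actually rewrote it. Running it in the application container separates "the agent never re-rendered at the configured `template-static-secret-render-interval`" from "the agent re-rendered but the application only read the file once at startup", which is the first thing to check before touching the annotations.

```python
"""Poll a Vault Agent rendered secret file and report re-renders.

Only mtime and a SHA-256 of the contents are compared; the secret
value itself is never printed or logged.
"""
import hashlib
import sys
import time
from pathlib import Path

# Assumed: the injector renders agent-inject-secret-<name> to /vault/secrets/<name>.
DEFAULT_SECRET_PATH = "/vault/secrets/credentials.txt"


def fingerprint(path):
    """Return (mtime_ns, sha256hex) for the file, or None if it is absent."""
    p = Path(path)
    if not p.is_file():
        return None
    return (p.stat().st_mtime_ns, hashlib.sha256(p.read_bytes()).hexdigest())


def classify(previous, current):
    """Describe one poll relative to the last successful read.

    'missing'   - file not rendered yet
    'initial'   - first successful read
    'changed'   - contents differ: the agent rendered a new secret value
    'rewritten' - same contents, new mtime: the agent wrote the file again
    'unchanged' - nothing happened since the last poll
    """
    if current is None:
        return "missing"
    if previous is None:
        return "initial"
    if current[1] != previous[1]:
        return "changed"
    if current[0] != previous[0]:
        return "rewritten"
    return "unchanged"


def watch(path=DEFAULT_SECRET_PATH, interval=30, polls=None):
    """Poll every `interval` seconds; stop after `polls` polls when given."""
    previous, n = None, 0
    while polls is None or n < polls:
        current = fingerprint(path)
        print(time.strftime("%H:%M:%S"), classify(previous, current), flush=True)
        previous = current or previous  # keep last good read across a 'missing'
        n += 1
        time.sleep(interval)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SECRET_PATH)
```

With a 2m render interval, a `changed` line should appear within roughly two minutes of writing a new value to `secret/hello_world/howdy`; if it never does, the problem is on the agent side rather than in the application.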