I have a Kubernetes cluster with 8 microservices, and all services are deployed using Helm charts. While I specify some parameters in values.yaml, such as database passwords, I don’t want to store sensitive information like passwords in values.yaml. I have injected a test secret into my services’ pods using HashiCorp Vault, and I can access this secret at /vault/secrets/test path. My question is whether I should access these secrets from within my C# code or if I need to specify something in my testapplication.yaml?
Here is how I access my DB_Password:
spec:
  containers:
    - env:
        - name: DB_Password
          value: {{ .Values.mssqlLoginPassword }}
I inject the secret this way in testapplication.yaml for testing:
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/tls-skip-verify: "true"
        vault.hashicorp.com/agent-inject-secret-test: "secret/prod-secret/test"
        vault.hashicorp.com/agent-inject-template-test: |
          {{`{{- with secret "secret/prod-secret/test" -}}
          {
            "username" : "{{ .Data.username }}"
          }
          {{- end }}`}}
        vault.hashicorp.com/role: "prod-secret-role"
…
I tried these solutions, but they didn't work for me:
- Changing the annotation:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/tls-skip-verify: "true"
        vault.hashicorp.com/agent-inject-secret-test: "secret/prod-secret/test"
        vault.hashicorp.com/agent-inject-template-test: |
          {{`{{- with secret "secret/prod-secret/test" -}}
          {
            export username="{{ .Data.username }}"
          }
          {{- end }}`}}
        vault.hashicorp.com/role: "prod-secret-role"
- Adding this so the application container can source those files during startup:
    containers:
      args:
        ['source /vault/secrets/test && <entrypoint script>']
I am not very familiar with Kubernetes, so I would be very happy if you could explain the solution in detail.
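One way to consume the injected file directly from application code, as an added example that is not part of the original post: it reads the JSON that the first `agent-inject-template-test` annotation renders to `/vault/secrets/test` and optionally exposes it through `IConfiguration`, so no password has to appear in values.yaml or in an `env:` block. The `DbSecret` class, a `password` key in the rendered template (the question's template only emits `username`), and the Microsoft.Extensions.Configuration.Json package are assumptions.

```csharp
using System;
using System.IO;
using System.Text.Json;
using Microsoft.Extensions.Configuration; // NuGet: Microsoft.Extensions.Configuration.Json

namespace VaultFileSecretsExample
{
    // Shape of the JSON the agent template renders. "password" is an assumed key:
    // the template in the question only emits "username" and would need a second line.
    public sealed class DbSecret
    {
        public string Username { get; set; } = "";
        public string Password { get; set; } = "";
    }

    public static class VaultSecrets
    {
        // Path from the question: agent-inject-secret-test renders to /vault/secrets/test
        public const string SecretFilePath = "/vault/secrets/test";

        // Option 1: read and parse the file directly (console or worker service).
        public static DbSecret ReadFromFile(string path = SecretFilePath)
        {
            if (!File.Exists(path))
                throw new FileNotFoundException(
                    "Vault-injected secret file is missing; check the agent-inject annotations", path);
            var opts = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
            var secret = JsonSerializer.Deserialize<DbSecret>(File.ReadAllText(path), opts)
                         ?? throw new InvalidDataException("Secret file is empty or not JSON");
            if (string.IsNullOrEmpty(secret.Username) || string.IsNullOrEmpty(secret.Password))
                throw new InvalidDataException("Secret file lacks the username/password keys");
            return secret;
        }

        // Option 2: load the same file into IConfiguration so ASP.NET code reads
        // config["username"] with no Helm value or env var carrying the password.
        public static IConfiguration BuildConfiguration(string path = SecretFilePath) =>
            new ConfigurationBuilder()
                .AddJsonFile(path, optional: false, reloadOnChange: true) // follows Vault re-renders
                .Build();
    }

    public static class Program
    {
        public static void Main()
        {
            var secret = VaultSecrets.ReadFromFile();
            // Log only the non-sensitive half; the password never goes to stdout or logs.
            Console.WriteLine($"Loaded DB credentials for user '{secret.Username}'");
        }
    }
}
```

With this approach the `env:` entry for `DB_Password` and the `source /vault/secrets/test` wrapper are unnecessary; the rendered file must stay valid JSON (the first template form), not shell `export` lines.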