How to access a secret injected into a Kubernetes pod?

I have a Kubernetes cluster with 8 microservices, and all services are deployed using Helm charts. While I specify some parameters in values.yaml, such as database passwords, I don’t want to store sensitive information like passwords in values.yaml. I have injected a test secret into my services’ pods using HashiCorp Vault, and I can access this secret at /vault/secrets/test path. My question is whether I should access these secrets from within my C# code or if I need to specify something in my testapplication.yaml?

Here is how I access my DB_Password:

spec:
  containers:
    - env:
        - name: DB_Password
          value: {{ .Values.mssqlLoginPassword }}

I inject the secret this way in testapplication.yaml for testing:

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/tls-skip-verify: "true"
        vault.hashicorp.com/agent-inject-secret-test: "secret/prod-secret/test"
        vault.hashicorp.com/agent-inject-template-test: |
          {{`{{- with secret "secret/prod-secret/test" -}}
          {
            "username" : "{{ .Data.username }}"
          }
          {{- end }}`}}
        vault.hashicorp.com/role: "prod-secret-role"

I tried these solutions, but they didn't work for me:

1. Changing the annotation

        annotations:
          vault.hashicorp.com/agent-inject: "true"
          vault.hashicorp.com/tls-skip-verify: "true"
          vault.hashicorp.com/agent-inject-secret-test: "secret/prod-secret/test"
          vault.hashicorp.com/agent-inject-template-test: |
            {{`{{- with secret "secret/prod-secret/test" -}}
            {
              export username="{{ .Data.username }}"
            }
            {{- end }}`}}
          vault.hashicorp.com/role: "prod-secret-role"

2. Adding this so the application container can source those files during startup

        containers:
            args:
              ['source /vault/secrets/test && <entrypoint script>']

I am not very familiar with Kubernetes, so I would be very happy if you could explain the solution in detail.

You can access these secrets inside your pod via the testapplication.yaml file.

template:
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: 'true'
      vault.hashicorp.com/role: 'prod-secret-role'
      vault.hashicorp.com/agent-update: 'true'
      vault.hashicorp.com/tls-skip-verify: 'true'
      vault.hashicorp.com/log-level: 'debug'
      vault.hashicorp.com/agent-inject-secret-test: 'secret/prod-secret/test'
      # Environment variable export template: renders every key of the secret as
      # an `export KEY="VALUE"` line. Wrapped in Helm's backtick escape so Helm
      # passes the Vault template through unrendered.
      vault.hashicorp.com/agent-inject-template-test: |
        {{`{{- with secret "secret/prod-secret/test" -}}
        {{- range $key, $value := .Data }}
        export {{ $key }}="{{ $value }}"
        {{- end }}
        {{- end }}`}}
spec:
  serviceAccountName: $service_account
  containers:
    - command: ["/bin/sh", "-c"]
      args: [". /vault/secrets/test && <entrypoint script>"]

@mohsinchandia

Have you figured out any way to automate a rollout restart of the deployment/pod(s) after secrets have been updated in Vault?
I am trying to make it work with stakater Reloader but it only supports configMap & Secrets. Unfortunately, the vault-agent-injector uses temporary mount points to inject the secrets into the pod(s).

Best,

Unfortunately not. We are rolling out the deployment once secrets have been updated in the Vault server. I would like to know the solution to this, if one exists. Thanks

BR,

@mohsinchandia
I have figured out how to inject and update the secrets into pod in real time.
Have a look at my post.

BR
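An added example, not from any participant in this thread, addressing both the original question (reading the secret from C# instead of via environment variables) and the replies about picking up updated secrets without a rollout restart. It reads the JSON file rendered by the question's template at /vault/secrets/test at the point of use and re-parses it when the file's modification time changes; it assumes the Vault agent sidecar re-renders the template when the secret changes, and the `password` field and the `Db` class are assumptions (the question's template only renders `username`).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;

// Reads the secret the Vault agent sidecar renders from the question's JSON
// template. Variables set by `. /vault/secrets/test` are frozen at process
// start; reading the file at the point of use picks up a rotated secret.
public sealed class VaultFileSecret
{
    private readonly string _path;
    private DateTime _lastWriteUtc = DateTime.MinValue;
    private JsonDocument? _cached;

    // Path follows the agent-inject-secret-<name> annotation: /vault/secrets/<name>
    public VaultFileSecret(string path = "/vault/secrets/test") => _path = path;

    // Returns one field (e.g. "username"). Fails loudly if the file is not
    // rendered yet or the key is missing, rather than using an empty credential.
    public string Get(string key)
    {
        var info = new FileInfo(_path);
        if (!info.Exists)
            throw new FileNotFoundException("Vault secret not rendered yet", _path);

        // A changed mtime means the sidecar wrote a new version of the template.
        if (_cached is null || info.LastWriteTimeUtc != _lastWriteUtc)
        {
            _cached?.Dispose();
            _cached = JsonDocument.Parse(File.ReadAllText(_path));
            _lastWriteUtc = info.LastWriteTimeUtc;
        }

        if (!_cached.RootElement.TryGetProperty(key, out var value))
            throw new KeyNotFoundException($"'{key}' not present in {_path}");
        return value.GetString() ?? string.Empty;
    }
}

// Hypothetical call site: build the connection string when a connection is
// opened, not once at startup, so the assumed "password" field is current.
public static class Db
{
    private static readonly VaultFileSecret Secret = new();

    public static string ConnectionString() =>
        $"Server=db;User Id={Secret.Get("username")};Password={Secret.Get("password")};";
}
```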


@rdgacarvalho
Please share the link of the post. Thanks
