Injecting multiple secret paths into pod

Hi all,

I am looking for a way to inject multiple paths into a pod using templating as described here (https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar)

I have the first path working just fine, but I have multiple paths I need to inject, and some with 700 entries…

```yaml
template:
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-secret-id: "app/path1"
      vault.hashicorp.com/role: "app"
      vault.hashicorp.com/agent-inject-template-id: |
        {{ with secret "app/path1" -}}
        export ID="{{ .Data.id }}"
        {{- end }}
    labels:
      app: web1
```

Is it safe to just repeat the template pattern?

```yaml
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-id: "app/path1"
vault.hashicorp.com/agent-inject-secret-id: "app/path2"
vault.hashicorp.com/role: "app1_role"
vault.hashicorp.com/agent-inject-template-id: |
  {{ with secret "app/path1" -}}
  export ID="{{ .Data.id }}"
  {{- end }}
vault.hashicorp.com/agent-inject-template-id: |
  {{ with secret "app/path2" -}}
  export root="{{ .Data.root }}"
  export key1="{{ .Data.key1 }}"
  export key2="{{ .Data.key2 }}"
  export key3="{{ .Data.key3 }}"
  {{- end }}
labels:
  app: web1
```

Also, is there a limit to the number of secrets we can import, because I have about 700 to map?

Ta,

x


Right, so I got a working template, and it seems to work just fine…

```yaml
annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/secret-volume-path: "/app_injector"
    vault.hashicorp.com/role: "app_role"
    vault.hashicorp.com/agent-inject-secret-keys: "app1_keys"
    vault.hashicorp.com/agent-inject-template-keys: |
      {{ with secret "app1_keys" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}
    vault.hashicorp.com/agent-inject-secret-keys2: "app2_keys"
    vault.hashicorp.com/agent-inject-template-keys2: |
      {{ with secret "app2_keys" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}
    vault.hashicorp.com/agent-inject-secret-keys3: "app3_keys"
    vault.hashicorp.com/agent-inject-template-keys3: |
      {{ with secret "app3_keys" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}
    vault.hashicorp.com/agent-inject-secret-keys4: "app4_keys"
    vault.hashicorp.com/agent-inject-template-keys4: |
      {{ with secret "app4_keys" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}
    vault.hashicorp.com/agent-inject-secret-keys5: "app5_keys"
    vault.hashicorp.com/agent-inject-template-keys5: |
      {{ with secret "app5_keys" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}
    vault.hashicorp.com/agent-inject-secret-keys6: "app6_keys"
    vault.hashicorp.com/agent-inject-template-keys6: |
      {{ with secret "app6_keys" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}
```
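
As an added example (not code from this thread or from the Vault injector project), here is a small Python generator for the unique-suffix pattern used in the working template above: every secret gets its own `agent-inject-secret-<suffix>` and `agent-inject-template-<suffix>` key, a repeated suffix is rejected instead of silently overwriting an earlier annotation, and the result is checked against the limits the Kubernetes API server enforces (63 characters for the name part of an annotation key, 256 KiB for all annotations of an object together). The KV v2 template body is the one from the thread; the function names and the constructed `app<N>_keys` paths are my own.

```python
import re

# Limits enforced by the Kubernetes API server: all annotation keys and values
# together may not exceed 256 KiB, and the name part of a key (after the
# "vault.hashicorp.com/" prefix) may not exceed 63 characters.
MAX_ANNOTATION_BYTES = 256 * 1024
MAX_NAME_LEN = 63
PREFIX = "vault.hashicorp.com/"
# Allowed characters for the name part: alphanumerics, '-', '_' and '.',
# starting and ending with an alphanumeric.
_NAME_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$")


def render_template(path: str) -> str:
    """KV v2 template from the thread: one export line per key in .Data.data."""
    return (
        '{{ with secret "' + path + '" }}\n'
        '{{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"\n'
        "{{ end }}\n"
        "{{ end }}\n"
    )


def annotation_bytes(annotations: dict) -> int:
    """Size as the API server measures it: UTF-8 length of every key and value."""
    return sum(len(k.encode()) + len(v.encode()) for k, v in annotations.items())


def build_inject_annotations(role: str, secrets: list) -> dict:
    """Build the injector annotations for one pod (one Vault role).

    `secrets` is a list of (suffix, vault_path) pairs. Each suffix yields a
    distinct agent-inject-secret-<suffix> / agent-inject-template-<suffix>
    pair, so the same annotation key is never written twice.
    """
    annotations = {PREFIX + "agent-inject": "true", PREFIX + "role": role}
    seen = set()
    for suffix, path in secrets:
        if suffix in seen:
            raise ValueError(f"duplicate secret suffix {suffix!r}: keys would collide")
        seen.add(suffix)
        template_name = "agent-inject-template-" + suffix
        if not _NAME_RE.match(suffix) or len(template_name) > MAX_NAME_LEN:
            raise ValueError(f"suffix {suffix!r} makes an invalid annotation name")
        annotations[PREFIX + "agent-inject-secret-" + suffix] = path
        annotations[PREFIX + template_name] = render_template(path)
    size = annotation_bytes(annotations)
    if size > MAX_ANNOTATION_BYTES:
        raise ValueError(f"{size} bytes of annotations exceeds the {MAX_ANNOTATION_BYTES} byte limit")
    return annotations
```

For the six `app<N>_keys` paths of the template above, `build_inject_annotations("app_role", [(f"keys{i}", f"app{i}_keys") for i in range(1, 7)])` returns 14 annotations; 700 short paths of the same shape stay well under the size limit, which is what the earlier question about 700 secrets comes down to.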

This was quite a long time ago, but have you by any chance tried using multiple roles and not just multiple secrets?

Thank you!

Hello,
Can you please let me know if you found a way to use multiple roles within a pod using annotations?

A good alternative that I’ve found and we’ve utilized is the External Secrets Operator (Introduction - External Secrets Operator). Check it out :slight_smile:


Thank you so much for your answer.
I was wondering if we can consume secrets (which are sourced as environment variables) from one container (for reference, from the deployment config) in another container with the same name, image and namespace (this second container is a cron job which is consuming secrets from another safe). Is this possible? These secrets are fetched from the vault using the annotations and, as mentioned before, both of these secrets belong to different safes and have different roles.

Uhh, I don’t think you are solving the same problem as others are.

The workflow with Vault and External Secrets Operator will always be:

  1. Store secrets in Vault (either manually or automatically, from CI or elsewhere)
  2. Create permission scoping for service account/namespace in Vault based on the Kubernetes Auth method
  3. Retrieve secrets either using the agent injector (which, for one pod, doesn’t allow using multiple roles) or use External Secrets Operator to sync the Vault secrets you need to the namespace you need. Then, you can use Kubernetes primitives like secretRef and the like to inject the secret into your app.

Hope this helps!

It makes sense now, I was indeed trying to do it in a different way.
Thank you so much!

I was glad to help :slight_smile: