We’re running Vault on Kubernetes and are using the MySQL database engine to generate dynamic credentials for our applications. These credentials are injected into our pods via the Vault side car.
However this presents two issues.
- A lot of copy pasting for the injection template with minor edits.
Our applications expect the same format of config resulting in the following code snippet in each of the deployment definitions. the only difference between each deployment is the app name e.g. instead of app1 it says app2
vault.hashicorp.com/agent-inject-template-db-creds: |-
{
{{- with secret "database/creds/app1" -}}
"DatabaseConfig": {
"Username": "{{ .Data.username }}@our-database-host",
"Password": "{{ .Data.password }}"
}
{{- end }}
}
- Automatically add the host to the username.
In the snippet above you can see we manually have to add the @our-database-host part to the username. We have tried changing the username template but that doesn’t work.
Is there a way to define a standard injection template for secrets and is there a way to add the host to the username automatically?