I have created a secret in my Kubernetes cluster to be able to be picked up from my Helm deployment but when I check my vault pod I see the following instead of the actual value of my secret.
- name: "EXTRASECRETENVIRONMENTVARS"
  value: "[map[envName:VAULT_TOKEN secretKey:VAULT_TOKEN secretName:vault-secret]]"
My values.yaml has the following config:
extraSecretEnvironmentVars:
  - envName: VAULT_TOKEN
    secretName: vault-secret
    secretKey: VAULT_TOKEN
This was working fine in another environment but for some reason, it is not picking up the secret value and instead mapping it. For context, I used this secret as an ENV in my vault stateful set in order to be able to run the raft snapshot command in an automated fashion.
glisav
November 30, 2023, 7:10pm
2
Can you share more information regarding this?
I have used this configuration and it works perfectly fine.
extraSecretEnvironmentVars:
  - envName: ENV_VAR_NAME
    secretName: SECRET_NAME
    secretKey: SECRET_KEY
You will also need to have the seal stanza, even if only with empty values:
seal "<awskms>/<azurekeyvault>" {
  client_id     = ""
  client_secret = ""
  tenant_id     = ""
  vault_name    = ""
  key_name      = ""
}
Maybe you can do this and check again.
This same configuration works perfectly in another environment as well. I deployed Vault with the official hashicorp vault and vault-k8s images using Helm. Before I ran helm install, I created a secret in my cluster in the same namespace as vault is running in.
My secret:
~ kubectl get secret vault-secret -n vault -o yaml
apiVersion: v1
data:
  VAULT_TOKEN: ***
kind: Secret
metadata:
  creationTimestamp: "2023-11-26T19:27:08Z"
  name: vault-secret
  namespace: vault
  resourceVersion: "44572042"
  uid: ***
type: Opaque
The token itself is wrapped but that is the case in my other env as well.
My helm config:
extraSecretEnvironmentVars:
  - envName: VAULT_TOKEN
    secretName: vault-secret
    secretKey: VAULT_TOKEN
My env output from the pod itself:
/ $ env | grep TOKEN
EXTRASECRETENVIRONMENTVARS=[map[envName:VAULT_TOKEN secretKey:VAULT_TOKEN secretName:vault-secret]]
Note that the ENV name itself is showing up as EXTRASECRETENVIRONMENTVARS and not VAULT_TOKEN.
I use auto unseal with azure keyvault, which is working just fine, but here is the config:
seal "azurekeyvault" {
  tenant_id     = ""
  client_id     = ""
  client_secret = ""
  vault_name    = ""
  key_name      = ""
}
Note that I am using the free tier of vault.
To automate snapshots I run the following script within my pod. Throwing this in here just in case:
# Authenticate into Vault using the token that the Kubernetes secret injects
export VAULT_ADDR=$VAULT_API_ADDR
export VAULT_TOKEN=$VAULT_TOKEN
# Navigate to the snapshot directory (snapshot_dir, snapshot_prefix and
# latest_snapshot are set earlier in the script)
cd "$snapshot_dir" || exit 1
# Delete old snapshots; the glob must stay outside the quotes so it expands
rm -f "${snapshot_prefix}"*
# Take a snapshot of the Raft leader, retrying until it succeeds
while ! vault operator raft snapshot save "$latest_snapshot"; do
  echo "Taking snapshot failed. Retrying..."
  sleep 1
done
echo "Snapshot taken successfully."
Correction, I create the secret after deploying Vault since the token gets created afterward.
@glisav Anything else you can suggest checking?
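The following is an added example and not code from this thread, HashiCorp or the vault-helm project. It assumes the hashicorp/vault-helm layout in which both lists live under `server:`, that `server.extraSecretEnvironmentVars` entries are rendered as `valueFrom.secretKeyRef`, and that keys under `server.extraEnvironmentVars` are rendered as plain name/value pairs with the key upper-cased and the value stringified the way Go prints a map. Under those assumptions a list that lands under `extraEnvironmentVars` by mistake would render to exactly the `EXTRASECRETENVIRONMENTVARS=[map[...]]` line quoted above; the thread does not confirm that this is what happened here, so the script is a pre-deployment lint for the values file plus a scanner for `env` output, not a diagnosis. The sample values and `env` lines are constructed; the functions `go_stringify`, `render_env`, `lint_values` and `check_pod_env` are this example's own names. A real values.yaml would be loaded with `yaml.safe_load` first; the dicts here are its already-parsed form so that the script runs with the standard library only.

```python
"""Lint the wiring of extraSecretEnvironmentVars in a Vault Helm values file
and spot the symptom of a misrendered template in a pod's env output."""

REQUIRED_KEYS = ("envName", "secretName", "secretKey")

# Constructed: the intended layout (assumed chart layout: under server:).
GOOD_VALUES = {
    "server": {
        "extraSecretEnvironmentVars": [
            {"envName": "VAULT_TOKEN", "secretName": "vault-secret", "secretKey": "VAULT_TOKEN"}
        ]
    }
}

# Constructed: the same list accidentally nested under extraEnvironmentVars.
MISNESTED_VALUES = {
    "server": {
        "extraEnvironmentVars": {
            "extraSecretEnvironmentVars": [
                {"envName": "VAULT_TOKEN", "secretName": "vault-secret", "secretKey": "VAULT_TOKEN"}
            ]
        }
    }
}

# Constructed: what `env` in the pod might print in the misnested case.
SAMPLE_POD_ENV = """HOME=/
VAULT_API_ADDR=http://vault.vault.svc:8200
EXTRASECRETENVIRONMENTVARS=[map[envName:VAULT_TOKEN secretKey:VAULT_TOKEN secretName:vault-secret]]
PATH=/usr/local/bin:/usr/bin:/bin
"""


def go_stringify(value):
    """Mimic how Go's fmt prints a nested map/slice (sorted keys, space
    separated), which is what a Helm template emits for a structured value."""
    if isinstance(value, dict):
        return "map[" + " ".join(f"{k}:{go_stringify(value[k])}" for k in sorted(value)) + "]"
    if isinstance(value, list):
        return "[" + " ".join(go_stringify(v) for v in value) + "]"
    return str(value)


def render_env(server):
    """Render container env entries the way the chart helper is assumed to:
    plain vars become name/value with the key upper-cased, secret vars
    become valueFrom.secretKeyRef."""
    env = []
    for key, value in (server.get("extraEnvironmentVars") or {}).items():
        env.append({"name": key.replace(".", "_").upper(), "value": go_stringify(value)})
    for item in server.get("extraSecretEnvironmentVars") or []:
        env.append({
            "name": item["envName"],
            "valueFrom": {"secretKeyRef": {"name": item["secretName"], "key": item["secretKey"]}},
        })
    return env


def lint_values(values):
    """Return findings for the common ways this wiring goes wrong."""
    findings = []
    if "extraSecretEnvironmentVars" in values:
        findings.append("extraSecretEnvironmentVars is at the top level; "
                        "only server.extraSecretEnvironmentVars is read")
    server = values.get("server") or {}
    if "extraSecretEnvironmentVars" in (server.get("extraEnvironmentVars") or {}):
        findings.append("extraSecretEnvironmentVars is nested under extraEnvironmentVars; "
                        "it would render as a literal string named EXTRASECRETENVIRONMENTVARS")
    for i, item in enumerate(server.get("extraSecretEnvironmentVars") or []):
        if not isinstance(item, dict):
            findings.append(f"entry {i} is not a mapping")
            continue
        missing = [k for k in REQUIRED_KEYS if k not in item]
        if missing:
            findings.append(f"entry {i} is missing {', '.join(missing)}")
    return findings


def check_pod_env(env_output):
    """Return the names of variables in `env` output whose value is a
    Go-stringified structure, the tell-tale of a misrendered template."""
    suspicious = []
    for line in env_output.splitlines():
        name, sep, value = line.partition("=")
        if sep and (value.startswith("[map[") or value.startswith("map[")):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for label, values in (("good", GOOD_VALUES), ("misnested", MISNESTED_VALUES)):
        print(label, lint_values(values) or "ok", render_env(values["server"]))
    print("suspicious env vars:", check_pod_env(SAMPLE_POD_ENV))
```

Running the lint before `helm install` catches the layout problem without touching the cluster, and `check_pod_env` can be fed the output of `kubectl exec ... -- env` to confirm that no secret-backed variable has been flattened into a literal string.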