I am running vault in Kubernetes, via helm charts. I am using a vault injector to inject vault token into my application pod. But it is injecting vault token in a file at /vault/secret/vault. How can I export this via environment variable ??
Hey. Did you find any success with injecting the env variable?
Using Vault Agent Injector within Kubernetes, you cannot use the Process Supervisor mode for injecting secrets directly into environment variables.
However, you can use Vault Agent Injector to render a file that is then used to create environment variables. A template should be created that exports a Vault secret as an environment variable and the application container should source those files during startup.
vault.hashicorp.com/agent-inject-template-config: |
{{- with secret "kv/path/to/secret" -}}
export api_key="{{ .Data.data.api_key }}"
{{- end }}
Then in your Dockerfile or Kubernetes manifest, update the entrypoint/command to source the rendered file before running your main binary/script/app.
command: ['/bin/sh', '-c']
args: ['source /vault/secrets/config && <entrypoint>']
The above approach may or may not work for your use case. Another possibility is to use the Vault Secrets Operator instead of the Vault Agent Injector. The Operator syncs secrets from Vault to Kubernetes native secrets,
Once the secrets have been synced, you are able to leverage native Kubernetes capabilities for secrets, such as using Secrets as environment variables.
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default
spec:
containers:
- name: example
image: alpine:latest
envFrom:
- secretRef:
name: my-secret
In this example, the secrets go directly to environment variables for your application to consume.