Vault injector and environment variable export

mouglou · March 4, 2021, 10:03pm

Hello,

We try to inject a dynamic aws credentials in our pod.

Here the configuration:

   annotations:
     vault.hashicorp.com/agent-inject: "true"
     vault.hashicorp.com/agent-inject-command-awscreds: source /vault/secrets/awscreds
     vault.hashicorp.com/agent-inject-secret-awscreds: aws_ctops/creds/kafkaconnect
     vault.hashicorp.com/agent-inject-template-awscreds: |
             {{ with secret "aws_ctops/creds/kafkaconnect" -}}
             export AWS_ACCESS_KEY_ID={{ .Data.access_key }}
             export AWS_SECRET_ACCESS_KEY={{ .Data.secret_key }}
             {{- end }}
     vault.hashicorp.com/ca-cert: /vault/tls/pathofthecertfile
     vault.hashicorp.com/role: kafkaconnect
     vault.hashicorp.com/tls-secret: nameOfSecret

So the pod is up and running, the file is present, and the content valid.
But the command seems to not be executed. Or maybe not in the good place.

kubectl -n appnamsespace exec -it kafkaconnect-xxxxxx -c kafka-connect-connectors-creator -- env | grep -i aws

The output is empty… If I check an environment variable set in the ENV section of the deployment, I get the output.
The other thing that let us think its doesn’t work, it that our S3 connector is not working.

I try few things like “. /vault/secrets/awscreds”, “/bin/sh -c . /vault/secrets/awscreds” and other things… without any success for now.

Have you any idea why and how we can do export the variable from the vault injector command ?

Thanks for your help !

mouglou · March 5, 2021, 10:51pm

Hello !

So we find the solution !

The problem with Kafka-connect is that it create 2 containers.

The first one: kafka-connect-connector-creator.
This one have a command parameters in the deployment. So its was easy to apply the example from Hashicorp (1)

command:
- /bin/sh
- -c
- . /vault/secrets/awscreds; /etc/init-connectors-config/create-connectors-job.sh

But the second container was the problem: kafka-connect-server
This one need the AWS credentials too at the execution.

But this deplyment doesn’t have any command or args parameters that give what command is run at boot.

So the solution was to use “docker inspect” to find the different command executed by kafka-connect, and find out that this was the command:
/etc/confluent/docker/run

Then, we just add the command parameter to override the startup command by just adding the same source command as before.

And boom. Each kafka-connect containter can now start with the exported AWS credentials. So the app is using dynamic AWS credentials !

Hope it can help.

(1) Vault Agent Sidecar Injector Examples | Vault | HashiCorp Developer

Topic		Replies	Views
Vault-helm and kubernetes environment variables Vault k8s	15	8250	April 19, 2023
Trouble injecting env variables via vault agent Vault	2	372	November 30, 2022
Vault Agent Injector dynamic Environment Variables Vault	0	1274	December 15, 2020
Secrets cannot be assigned as environment variables Vault k8s , vault	8	1850	December 15, 2022
Inject secrets as Environment Variables Vault k8s , vault	2	2999	May 20, 2022

Vault injector and environment variable export

Related topics