Vault Installation using Helm | jq not installed in the pod | sudo permissions not available

Dear Hashicorp Vault Team,

Hope you are doing well. I am trying to install Vault using Helm and it installs fine. However, it seems that when the pod is deployed, the jq tool is not present.

kubectl get pods
NAME                                               READY   STATUS    RESTARTS   AGE
vault-1641843739-0                                 1/1     Running   0          62m
vault-1641843739-agent-injector-54f9db6dc7-scpmz   1/1     Running   0          62m

and when we log in to the pod using

kubectl exec --stdin=true --tty=true vault-1641843739-0 -- /bin/sh
/ $ jq
/bin/sh: jq: not found
/ $ apk update jq
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied

The jq tool is not installed by default and it is required to run commands as presented in many of your Hashicorp tutorials. Definitely there is a workaround for this by passing service-name and accessing the Vault API remotely (requires extra steps). It might be a good idea to include jq by default?

uname -a

Linux vault-1641843739-0 4.19.0-18-cloud-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 Linux

There are many other nice tools, which are NOT installed in the image (curl, for example). And this is the whole point - to have only one app and have the container as slim as possible. You could try to run another (debug) pod and query from it. I use this image, it has tons of useful tools: Network-MultiTool

Hi @vk12122, this response is long after your query, but I thought I’d add what I found in the event it’s useful to you and/or others.

We operate Vault in Kubernetes (EKS) and install via Helm. Thus we are pulling the image through a Helm chart and have no control over its Dockerfile (image). As you noted, jq is not included in the image and when running commands from inside the container, we see we are the user vault and have no ability to sudo and cannot use apk add jq.

As @muzzy noted, the idea is to keep the image slim (hence Alpine), which certainly makes sense. But for anyone who may simply be doing some testing in a preprod environment and wishes to follow some of the excellent Vault tutorials provided by Hashicorp, e.g.:

where the recommended prerequisites include using the jq tool to parse JSON output. It is nice to have, even just for the current iteration of the container you are exec’d into. So one option is to install it from inside the container using wget, which is included in the image. One extra note here is that when you first exec into the running Vault container, looking at the directory structure (ls -l) shows that all directories except one are owned by root. So the wget of jq will fail to write the file being downloaded to your current directory.

The exception is the directory: vault, owned by the user: vault. So this should work.

cd vault
wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.7.1/jq-linux64
chmod +x jq

Then just ./jq -h to check that all is well.

You’ll have to leave it there, where it’s been written (i.e. you can’t add it to your path as you normally would). Now you can cd .. back to where you were, and when running a tutorial command that references jq, for example:

vault read pki/issuer/$(vault list -format=json pki/issuers/ | vault/jq -r '.[]')

you can just reference jq from its accessible location.

Hope this helps.
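
An added example, not part of the posts above: a small POSIX sh function that installs a downloaded binary, such as the jq file fetched into the vault directory, only when its SHA-256 matches a digest obtained separately from the release's published checksums. The function name `install_verified` and the `jq.tmp` file name are hypothetical, the digest in the usage comment is a placeholder, and it assumes `sha256sum` is available in the container (BusyBox provides it on Alpine).

```shell
#!/bin/sh
# Added example: verify a downloaded file before making it executable.
#
# Usage inside the pod (digest is a placeholder, take it from the release's
# published checksums):
#   cd /vault
#   wget -O jq.tmp https://github.com/stedolan/jq/releases/download/jq-1.7.1/jq-linux64
#   install_verified jq.tmp "<EXPECTED_SHA256>" ./jq

# install_verified SRC EXPECTED_SHA256 DEST
#   returns 0 on success, 1 on checksum mismatch, 2 on bad arguments
install_verified() {
    src=$1
    expected=$2
    dest=$3

    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }

    # The expected value must be exactly 64 hex characters.
    case $expected in
        ''|*[!0-9a-fA-F]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 chars" >&2; return 2; }

    # Normalise case so an upper-case published digest still compares equal.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$src" | cut -d' ' -f1)

    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src (got $actual)" >&2
        rm -f "$src"            # do not leave an unverified binary behind
        return 1
    fi

    # Only a verified file is moved into place and marked executable,
    # and only for the owning user.
    mv "$src" "$dest" && chmod 0500 "$dest"
}
```

Downloading to a temporary name and renaming only after the check means a tutorial command such as `vault/jq -r '.[]'` can never pick up a file that failed verification.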