Vault & k8s cronjobs

Hello, I am currently using Vault inside my Kubernetes clusters (installed with the Helm chart).
I am trying to use the Vault Injector on cronjobs and it looks like it is causing issues:
When my container is terminated, the vault agent injector is still running. So, for Kubernetes, the pod is still active and the following cronjob runs are stopped.

Here is the cronjob configuration:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: reset-staging-cronjob
spec:
  schedule: "0 3 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # backoffLimit is a Job field, so it belongs under jobTemplate.spec,
      # not directly under the CronJob spec.
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/auth-path: "auth/kubernetes/staging"
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "vault-role"
            vault.hashicorp.com/agent-inject-secret-.env: "applications/staging"
            vault.hashicorp.com/agent-inject-template-.env: |
              {{ with secret "/applications/staging" }}
                  {{ range $k, $v := .Data.data }}
                      {{ $k }}={{ $v }}
                  {{ end }}
              {{ end }}
        spec:
          containers:
          - name: reset-staging-cronjob
            image: _IMAGE_NAME_
            command: ["sh", "web/cli/resetStagingDatabase.sh"]
          restartPolicy: OnFailure
          imagePullSecrets:
          - name: docker-hub-config
          serviceAccountName: vault
          automountServiceAccountToken: true

kubectl output (shortened):

Containers:
  clear-namespaces-cronjob:
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Tue, 12 May 2020 14:36:18 +0200
      Finished:     Tue, 12 May 2020 14:36:31 +0200
    Ready:          False
    Restart Count:  0
  vault-agent:
    Image:         vault:1.4.0
    State:          Running
      Started:      Tue, 12 May 2020 14:36:18 +0200
    Ready:          True

If someone has any idea how I can configure Vault to stop when the attached container is terminated, that would be helpful :slight_smile:

I managed to make it work by disabling the sidecar container (that I don’t need at all) with this annotation:

vault.hashicorp.com/agent-pre-populate-only: "true"


Trying to do the same thing here, and using Vault to load env variables into my container. However, with this setting, the env variables don’t seem to stick. Any ideas?
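The thread's fix and its follow-up question, combined into one manifest as an added example (not posted by either participant): the `agent-pre-populate-only` annotation runs the Vault agent as an init container only, so no sidecar outlives the job container and the pod can reach Completed. The injector writes the rendered template to a file under `/vault/secrets/` (here `/vault/secrets/.env`) rather than setting environment variables, so the job's entrypoint has to export that file itself; the image name, script path, role and secret path are the thread's own values.

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: reset-staging-cronjob
spec:
  schedule: "0 3 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            # Init container only: no long-running sidecar, so the pod
            # finishes as soon as the job container exits.
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/auth-path: "auth/kubernetes/staging"
            vault.hashicorp.com/role: "vault-role"
            # Rendered once, to /vault/secrets/.env in the job container.
            vault.hashicorp.com/agent-inject-secret-.env: "applications/staging"
            vault.hashicorp.com/agent-inject-template-.env: |
              {{ with secret "/applications/staging" }}
              {{ range $k, $v := .Data.data }}
              {{ $k }}={{ $v }}
              {{ end }}
              {{ end }}
        spec:
          serviceAccountName: vault
          restartPolicy: OnFailure
          imagePullSecrets:
          - name: docker-hub-config
          containers:
          - name: reset-staging-cronjob
            image: _IMAGE_NAME_
            # The injector only writes a file; export its KEY=VALUE lines
            # into the environment before starting the real job script.
            command: ["sh", "-c"]
            args:
            - |
              set -e
              set -a
              . /vault/secrets/.env
              set +a
              exec sh web/cli/resetStagingDatabase.sh
```

Because the secrets are fetched once by the init container, this pattern suits short batch jobs; a job that runs longer than the lease of a dynamic secret would still need the sidecar for renewal.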