Vault variables not fetched using AppRole auth method

I installed vault agent in my K8s cluster and the vault server resides in another cluster. I’m using the AppRole auth method. The authentication works without any error. The secrets are also mounted to my application pod, but it won’t source it and take it as a variable. Below are the details.

annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-vault-addr: https://myvaultaddress.com
  vault.hashicorp.com/auth-type: 'approle'
  vault.hashicorp.com/auth-path: 'auth/approle'
  vault.hashicorp.com/auth-config-role-id-file-path: '/vault/custom/role-id'
  vault.hashicorp.com/auth-config-secret-id-file-path: '/vault/custom/secret-id'
  vault.hashicorp.com/agent-extra-secret: 'my-approle'
  vault.hashicorp.com/role: 'myrole'
  vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading: 'false'
  #vault.hashicorp.com/log-level: 'debug'
  #vault.hashicorp.com/agent-pre-populate: 'true'
  vault.hashicorp.com/agent-inject-secret-config.env: 'kv/mysecrets/secrets'
  vault.hashicorp.com/agent-inject-template-config.env: |
    {{ with secret "kv/mysecrets/secrets/" -}}
    export testvar={{ .Data.data.MYSECRET }}
    {{- end }}

If I login to the application pod and cat /vault/secrets/config.env it shows below

export testvar=shows-correct-secret

I’m also doing

args: [ 'sh', '-c', 'source /vault/secrets/config.env' ]

But when I do env, it doesn't show the testvar variable.

I’m just starting with Kubernetes but I think your start line should be:

args: [ 'sh', '-c', 'source /vault/secrets/config.env && entrypoint.sh' ]

as an example where entrypoint.sh is your app. Starting a new shell is not going to source the dotfile containing your secrets.

Please share the command you are configuring in your Kubernetes yaml too, or the ENTRYPOINT of the Docker image being run. It is not possible to fully understand how args will be used without that.

Additionally, even if you successfully set environment variables this way to be present for your main process, I don’t think they will apply to kubectl exec sessions.

This is my entrypoint. I’m only using ‘args’ and not using ‘command’

args: [ 'sh', '-c', 'source /vault/secrets/config.env && java -jar app.jar' ]

I read the post you deleted, before you deleted it. In it, you said your Dockerfile was configured with ENTRYPOINT of java -jar app.jar.

When you combine that ENTRYPOINT with the args you’ve specified, you’re actually running the command:

java -jar app.jar sh -c 'source /vault/secrets/config.env && java -jar app.jar'

i.e. you’re not actually sourcing your environment variables at all, rather you’re passing the sh -c '...' command as program arguments to your Java application (which probably ignores it).

You should be using command instead of args in your K8s YAML, so that the K8s configuration takes full control of the command to be run, in this case.
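
The fix described in the last reply, written out as a container spec fragment. This is an added example, not part of the original thread: the container name and image are placeholders, and the image is assumed to have the ENTRYPOINT of java -jar app.jar mentioned above.

```yaml
# Before: only args is set. Kubernetes keeps the image ENTRYPOINT and
# appends args to it, so the effective command line is
#   java -jar app.jar sh -c 'source /vault/secrets/config.env && java -jar app.jar'
# No shell ever runs, /vault/secrets/config.env is never read, and testvar
# is never exported to the JVM.
containers:
  - name: app                          # placeholder name
    image: registry.example/app:tag    # placeholder image
    args: ['sh', '-c', 'source /vault/secrets/config.env && java -jar app.jar']
---
# After: command replaces the image ENTRYPOINT, so the shell is the process
# the container actually starts, and args is handed to that shell.
containers:
  - name: app                          # placeholder name
    image: registry.example/app:tag    # placeholder image
    command: ['sh', '-c']
    args:
      # "." is the POSIX spelling of "source"; some /bin/sh builds do not
      #   provide "source" at all.
      # "exec" replaces the shell with the JVM, which therefore inherits the
      #   exported testvar, runs as PID 1, and receives the container's
      #   termination signal directly.
      - '. /vault/secrets/config.env && exec java -jar app.jar'
```

A kubectl exec session is started as a separate process with the container's configured environment, not as a child of this shell, so running env there still will not list testvar. To confirm what the application received, read /proc/1/environ inside the container, or source /vault/secrets/config.env in the exec session itself.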