Open mattgialelis opened 3 years ago
Hi @mattgialelis, Vault Agent uses consul-template under the hood so I would suggest filing an issue there. Likely a dependency was updated and is causing issues now.
Just hit that. Trying to restart thanos
vault.hashicorp.com/agent-inject-command-thanos-store: "ps aux | grep -v grep | grep thanos && killall -9 thanos"
but only ps is being called :/
2021-11-11T12:29:15.644Z [INFO] (runner) executing command "ps aux | grep -v grep | grep thanos && killall -9 thanos" from "(dynamic)" => "/vault/secrets/thanos-store"
2021-11-11T12:29:15.644Z [INFO] (child) spawning: ps aux
That forces me to use extra wrapper scripts and mount them into containers within pod :(
Description
As of vault 1.7.0 there is an issue with the agent-inject-command not fully reading in bash commands after any operators, e.g. ';', '&&', '||', '>'.
Multiple different methods to escape the operators were tried; none seemed to make any difference. The command on its own is:
Which is used to restart the deployment on a secret change.
This causes the commands either to not run at all or just error out like the logs provided below. I've tested with vault 1.5.4 and 1.6.3, which both work well, and it breaks on 1.7.0.
Vault 1.7.0 (Broken)
Vault 1.6.3 (working)
To Reproduce
Steps to reproduce the behavior:
kubectl logs POD-NAME vault-agent-init
Application deployment:
kubectl logs POD-NAME vault-agent-init ( this is where all logs provided are from )
Expected behavior
Command to be fully executed as it was in previous versions of vault-agent
Environment
Additional context
We are using an external vault server and the agent injector only from the Vault Helm Chart
Currently the only workaround is to make our own vault docker image with a bash script which we can call as a single line command stored in /usr/local/bin/reload-pods
reload-pods deployment-name
Which does work as it does not require any extra operators in the annotations provided to vault
Have also just tested using the configmap method with the same results
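A pre-deploy check for the behaviour reported in this thread, as an added example that is not part of the issue or of Vault's own code: it flags agent-inject-command annotations that contain unquoted shell operators and reports the part before the first operator, which is what the quoted log line shows being spawned ("ps aux"). The function names and the second annotation key are constructed for illustration, and Python 3.8+ is assumed.

```python
import shlex

PREFIX = "vault.hashicorp.com/agent-inject-command"

# Constructed sample: the first value is the annotation quoted in the thread,
# the second is the single-command wrapper workaround (key name is hypothetical).
SAMPLE_ANNOTATIONS = {
    PREFIX + "-thanos-store":
        "ps aux | grep -v grep | grep thanos && killall -9 thanos",
    PREFIX + "-app-config": "reload-pods deployment-name",
    "vault.hashicorp.com/agent-inject": "true",
}


def split_at_operators(command):
    """Return (first_simple_command_argv, operators_found).

    Operators inside quotes that are part of a longer word (grep 'a|b') are
    treated as text. Limitation: a quoted token made only of operator
    characters (echo ';') is still reported, since shlex drops the quotes.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split words only on whitespace/operators
    punct = set(lexer.punctuation_chars)  # ( ) ; < > | &
    first, operators = [], []
    for tok in lexer:
        if tok and set(tok) <= punct:
            operators.append(tok)
        elif not operators:
            first.append(tok)  # still before the first operator
    return first, operators


def lint_annotations(annotations):
    """Map each risky inject-command annotation to what a shell-less run keeps."""
    findings = {}
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue
        first, operators = split_at_operators(value)
        if operators:
            findings[key] = {"first_command": " ".join(first),
                             "operators": operators}
    return findings


if __name__ == "__main__":
    for key, info in lint_annotations(SAMPLE_ANNOTATIONS).items():
        print(key, "->", info)
```

Annotations it flags are candidates for the wrapper-script workaround described above, where the annotation holds a single command with no operators.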