hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Add support for adding templates from a ConfigMap and mounting them as SubPaths #84

Open tsurankov opened 4 years ago

tsurankov commented 4 years ago

It would be great if vault-injector could mount rendered templates individually to the particular path inside an application container similar to SubPath for ConfigMap volumes. For example, if an application requires two different large templates to be rendered and placed at different paths:

Supposing templates could be placed inside a config map along with vault agent config, vault-agent would render and place them on a shared volume like it does now. But then rendered configuration files could be mounted to the particular location inside the container using custom annotation for each of the template files:

vault.hashicorp.com/agent-inject-template-properties: application.properties
vault.hashicorp.com/agent-inject-template-path-properties: /apps/conf/application.properties
vault.hashicorp.com/agent-inject-template-server: server.xml
vault.hashicorp.com/agent-inject-template-path-server: /usr/local/tomcat/conf/server.xml

Otherwise, additional start-up scripts are required to place rendered configurations at their proper locations, which is not really handy.

jasonodonnell commented 4 years ago

Hi @tsurankov, I may be wrong about what you're requesting, but we already support mounting a ConfigMap with a Vault Agent configuration file and supporting templates. You could choose where to render the templates this way.

See our documentation for an example: https://www.vaultproject.io/docs/platform/k8s/injector/examples/#configmap-example

dawidmalina commented 4 years ago

I agree with @tsurankov that it would be desirable to have a simple way to define (through an annotation) the destination of the generated template. Keep in mind @jasonodonnell that not all applications can be reconfigured to use a path like /vault/secrets/application.properties, and using a configmap as you suggested (even if it is possible) is not a simple way.

gunnypatel commented 4 years ago

@jasonodonnell is there currently a way to support using a template file that isn't embedded into the agent configuration file? Can we use a template that's already in a configmap?

virtrixke commented 4 years ago

I use a template to generate the xml files. I did some tests in a container running Camunda BPM (running on tomcat). I get the following result:


What about the userid? 100 is not known to Camunda; it uses id 1000 (100 = vault uid), so it crashes with 'access denied' on these files. I was expecting the uid and gid to be like camunda:camunda? Or am I missing something?

tsurankov commented 4 years ago

@virtrixke all that I can recommend is adding an init script to the command block of the container's spec that will change permissions and ownership and copy the file from the mounted volume to the path that you need for your app.

cp /vault/secrets/server.xml /usr/local/tomcat/conf/server.xml;
chmod 644 /usr/local/tomcat/conf/server.xml;
chown uid:gid /usr/local/tomcat/conf/server.xml;

Then start tomcat. Also, it is possible to set permissions and execute a command after secrets rendering in vault-agent's config file. So you can try something like this:

template {
    source      = "/vault/configs/server.xml.ctmpl"
    destination = "/vault/secrets/server.xml"
    perms       = "0644"
    command     = "chown uid:gid /vault/secrets/server.xml"
}

Anyway, I have decided to declare vault-agent init and sidecar containers manually instead of using agent-injector. I find this approach more flexible.

@jasonodonnell The initial issue is that agent-injector doesn't allow mounting rendered secrets separately to different locations using SubPath. Also, I am not sure that it is possible to mount them to a custom folder instead of the default one, which is /vault/secrets.

virtrixke commented 4 years ago

Hmm yes. Mounting to SubPath would be a great help and a necessary feature for vault agent injector I suppose.

virtrixke commented 4 years ago

In the end we had to do something like this:

 command: 
 - /bin/sh
 - -c
 - cp -v /vault/secrets/server.xml /camunda/conf/server.xml && cp -v /vault/secrets/bpm-platform.xml /camunda/conf/bpm-platform.xml && exec /camunda/camunda.sh

It's not clean, but it will do until SubPath is allowed properly...

dcshiman commented 4 years ago

I have noticed that the vault-k8s agent mutates the deployment and adds

 - emptyDir:
      medium: Memory
    name: vault-secrets

If the agent allowed overriding the volume, I think we could achieve this by mounting the volume into the pods.

mbwkww commented 4 years ago

Waiting/hoping this feature gets added as well. The functionality we are trying to replicate is the ability to template secrets to arbitrary locations within the file system and the lack of subPaths is preventing that.

Copying the file from the mounted volume to some other location in the filesystem as suggested above has several permissions issues as well -- namely that if you choose to do this via the template.command hcl block, the user is vault, not root of the final container and the final location of the templated secret (/etc/somewhere in the example below) is outside of the mounted, shared volume, as specified via annotation (/vault/secrets in the example).

template {
    source      = "/vault/secrets/secret.tpl"
    destination = "/vault/secrets/mysecret"
    command = "cp /vault/secrets/mysecret /etc/somewhere/mysecret"
}

We are resorting to symlinks in our final container until functionality that allows the mounting of templated secrets to more locations is added. This could take the form of allowing for subPaths as is suggested above.
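The copy-at-startup workaround from the comments above (tsurankov's init script, virtrixke's `command:` list, and mbwkww's note that `template.command` runs as the vault user and cannot write outside the shared volume), worked into one entrypoint wrapper as an added example. This is not code from the vault-k8s project or from any commenter. It assumes the agent (injected or declared manually) has already rendered the files into the shared `/vault/secrets` volume and that the wrapper runs inside the application container as that container's own user, so it can only write where that user can. It copies through a temporary file in the destination directory and renames it into place, so the application never reads a half-written secret, applies the requested mode, and then `exec`s the application. All paths and the `db.password` sample are illustrative.

```shell
#!/bin/sh
# Entrypoint wrapper for an application container whose Vault Agent init/sidecar
# container renders files into the shared volume (default /vault/secrets).
# Added example, not vault-k8s project code. Usage (illustrative paths):
#   vault-install.sh /vault/secrets/server.xml:/usr/local/tomcat/conf/server.xml:0640 \
#                    -- catalina.sh run
set -eu

# install_rendered SRC DST MODE
# Copies one rendered file to DST with the given mode. The copy goes to a temp
# file in DST's directory and is renamed into place, so a reader never sees a
# partially written secret. Fails (non-zero, message on stderr) when SRC is
# unreadable or the destination directory is not writable by the current user,
# which is the permissions failure the thread describes.
install_rendered() {
  src=$1; dst=$2; mode=$3
  dir=$(dirname "$dst")
  if [ ! -r "$src" ]; then
    echo "install_rendered: $src missing or unreadable (not rendered yet?)" >&2
    return 1
  fi
  if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
    echo "install_rendered: $dir not writable by uid $(id -u)" >&2
    return 1
  fi
  tmp=$(mktemp "$dir/.vault-install.XXXXXX")
  cp "$src" "$tmp"
  chmod "$mode" "$tmp"
  mv -f "$tmp" "$dst"   # rename within one directory: atomic replace
}

# wait_for_rendered FILE [SECONDS]
# With an init container the file is ready before the app starts; with only a
# sidecar it may not be, so poll until it is non-empty or the timeout elapses.
wait_for_rendered() {
  f=$1; timeout=${2:-30}
  i=0
  while [ ! -s "$f" ]; do
    i=$((i + 1))
    if [ "$i" -gt "$timeout" ]; then
      echo "wait_for_rendered: timed out after ${timeout}s waiting for $f" >&2
      return 1
    fi
    sleep 1
  done
}

# main SRC:DST:MODE ... -- CMD [ARGS...]
# Installs every mapping, then replaces this shell with the application.
main() {
  while [ $# -gt 0 ] && [ "$1" != "--" ]; do
    spec=$1; shift
    src=${spec%%:*}; rest=${spec#*:}
    dst=${rest%%:*}; mode=${rest#*:}
    wait_for_rendered "$src"
    install_rendered "$src" "$dst" "$mode"
  done
  if [ "${1:-}" = "--" ]; then shift; fi
  if [ $# -gt 0 ]; then exec "$@"; fi
}

# Only act when given arguments, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the copy runs in the application container rather than in the agent's `template.command`, the ownership mismatch from the comments above goes away: the destination file is created by the same user that will read it, and modes such as 0640 keep it from being world-readable inside the container. The copy is a one-shot snapshot, though; a sidecar agent that re-renders `/vault/secrets/...` on lease renewal will not update the copied destination, so anything that relies on rotation has to read the shared volume directly or re-run the copy.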

mrkwtz commented 3 years ago

We would really like this to get implemented. We want to store a file with a secret in the same location of a container where the application files reside (like /opt/app) but when we use the secret-volume-path annotation (with /opt/app) the location gets overwritten with only the secret.

norman-zon commented 3 years ago

I too would find it very useful to be able to mount as SubPath.

karthick-veluswamy-nbs commented 2 years ago

Using a full path for the annotation "vault.hashicorp.com/agent-inject-file-appd" renders with a subpath on volumes:

vault.hashicorp.com/agent-inject-file-foo: "/app/run/secret.txt"