hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

List secrets from KV engine and mount them inside Pod #87

Open ArkeologeN opened 4 years ago

ArkeologeN commented 4 years ago

Background:

We are running a sidecar container (agent injector) within our Kubernetes application cluster. The template literals work fine for the following case:

{{- with secret "kv/svcDeploy/config/project/somethting.json" }}
{{ .Data.data | toJSONPretty }}
{{- end }}

And the above solves a partial thought only. Since we have over ~30 secrets at the path: kv/svcDeploy/config/project, I want to be able to list them all and mount inside the Pod, rather than declaring a template again and again.

NOT PREFERRED:

The following is not the preferred way, although it could work:

{{- with secret "kv/svcDeploy/config/project/somethting.json" }}
{{ .Data.data | toJSONPretty }}
{{- end }}

{{- with secret "kv/svcDeploy/config/project/somethting-again.json" }}
{{ .Data.data | toJSONPretty }}
{{- end }}

.....

PREFERRED WAY:

{{ range secrets "kv/svcDeploy/config/project/" }}
  {{ with secret (printf "kv/svcDeploy/config/project/%s" .) }}
    {{ range $k, $v := .Data }} {{ $k }}: {{ $v }} {{ end }}
  {{ end }}
{{ end }}

As per the documentation (with secrets), it should work, but it does nothing. There is no file created, nor is there an error.

And here is the actual definition:

"auto_auth" = {
  "method" = {
    "config" = {
      "role" = "myapp"
    }
    "type" = "kubernetes"
  }

  "sink" = {
    "config" = {
      "path" = "/home/vault/.token"
    }

    "type" = "file"
  }
}

"exit_after_auth" = false
"pid_file" = "/home/vault/.pid"

"template" = {
  "error_on_missing_key" = false
  "contents" = "{{ range secrets \"kv/svcDeploy/config/project/\" }} {{ with secret (printf \"kv/svcDeploy/config/project/%s\" .) }}{{ range $k, $v := .Data }} {{ $k }}: {{ $v }} {{ end }}{{ end }}{{ end }}"
  "destination" = "/vault/secrets/config/project/output.json"
}

"log_level" = "debug"

"vault" = {
  "address" = "https://127.0.0.1"
  "tls_skip_verify" = true
}

alek-sys commented 3 years ago

I found this comment helpful to solve the problem for KV V2 storage at least. TL;DR - to list secrets in a KV path, use kv/svcDeploy/config/project/metadata instead of kv/svcDeploy/config/project/ (note metadata in the end).

cannonpalms commented 2 years ago

There is no bug here. You must do two things for wildcards to function with the KV2 engine:

Here's an example:

vault.hashicorp.com/agent-inject-secret-foo: mount/path/to/secrets/*
vault.hashicorp.com/agent-inject-template-foo: |
  {{ range secrets "mount/metadata/path/to/secrets/*" }}
  {{ with secret (printf "mount/path/to/secrets/%s" .) }}
  ...
  {{ end }}
  {{ end }}
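Putting the two replies together (list through the mount's metadata/ path, read through data/), here is an added example that is not part of the thread or of the vault-k8s project: a small Python resolver that turns the prefix from the issue into the paths a template's `secrets` and `secret` calls end up hitting, and handles the sub-folder entries (trailing `/`) that a KV LIST returns alongside leaf names, which a flat `printf "mount/path/%s"` would turn into an unreadable path. The `FAKE_LISTINGS` table is a constructed stand-in for Vault's LIST responses so the example runs offline.

```python
"""Resolve a KV v2 "list everything under a prefix" template into Vault API paths.

Added example, not hashicorp/vault-k8s code. KV v2 listings go through the mount's
metadata/ path and reads through data/; a LIST response also mixes leaf names with
sub-folder entries ending in "/", which a flat `printf` would turn into an unreadable
path. FAKE_LISTINGS is a constructed stand-in for LIST responses so this runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for `LIST <mount>/metadata/<prefix>` responses (keys only).
FAKE_LISTINGS: Dict[str, List[str]] = {
    "kv/metadata/svcDeploy/config/project": ["app.json", "db.json", "legacy/"],
    "kv/metadata/svcDeploy/config/project/legacy": ["old.json"],
}


def split_mount(path: str) -> Tuple[str, str]:
    """'kv/svcDeploy/config/project/' -> ('kv', 'svcDeploy/config/project')."""
    mount, _, rest = path.strip("/").partition("/")
    return mount, rest


def metadata_path(path: str) -> str:
    """Path the `secrets` (list) function must use on a KV v2 mount."""
    mount, rest = split_mount(path)
    return f"{mount}/metadata/{rest}".rstrip("/")


def data_path(path: str) -> str:
    """Path a KV v2 read of the same logical secret resolves to."""
    mount, rest = split_mount(path)
    return f"{mount}/data/{rest}"


def walk_kv2(prefix: str, lister: Callable[[str], Optional[List[str]]] = FAKE_LISTINGS.get,
             recursive: bool = True) -> List[str]:
    """Return the data/ paths a template should read under `prefix`.

    Sub-folder entries (trailing "/") are descended into when `recursive` is set
    and skipped otherwise; they are never emitted as read paths themselves.
    """
    mount, rest = split_mount(prefix)
    reads: List[str] = []
    for key in lister(metadata_path(prefix)) or []:
        logical = f"{mount}/{rest}/{key}" if rest else f"{mount}/{key}"
        if key.endswith("/"):
            if recursive:
                reads.extend(walk_kv2(logical, lister, recursive))
            continue
        reads.append(data_path(logical))
    return reads
```

To run it against a real Vault, replace `FAKE_LISTINGS.get` with a callable that issues the LIST request and returns the `keys` array.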