ChrisJBurns
commented
1 year ago Ok, so, it seems to be somewhat working now after spamming as many combinations of the Vault Agent Annotations as possible.
For the record and also other's who are reading this thread, to enable the above to work I had to do 2 things.
The addition of the agent-cache-enable annotation to true. I did try a bunch of others:
vault.hashicorp.com/agent-inject-token: "true"
vault.hashicorp.com/agent-cache-listener-port: "8200"
vault.hashicorp.com/agent-cache-use-auto-auth-token: "force"But the agent-cache-enable was the only annotation that made any effect.
Secondly, I also noticed that there were SSL problems when connecting to Agent because it was doing a secure request via https://localhost:8200. To stop this, I just added scheme in the bootstrap config, and it ended up looking like:
spring:
cloud:
vault:
kv:
enabled: true
scheme: http
authentication: NONERealistically, I should probably set the uri instead to http://localhost:8200 just so it's completely explicit - but am happy that it works for now.
Lastly the annotations used where the following:
kind: Deployment
apiVersion: apps/v1
metadata:
name: bot-test
namespace: development
labels:
app: bot-test
spec:
replicas: 1
selector:
matchLabels:
app: bot-test
template:
metadata:
labels:
app: bot-test
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'gitbot-sa'
vault.hashicorp.com/namespace: "development"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-cache-enable: "true"I think it's best that we at least add some documentation around this? As I remember trying to do this on other projects and got no luck and have to give up, I had a bit more time this time around to get it working. I'd love to help others reduce time spent finding the above out the hard way if possible?
Describe the bug Using version
2.2.7.RELEASEofspring-cloud-starter-vault-configand I have got the followingbootstrap.yamlWhen I deploy it into Kubernetes, with the following annotations on the Deployment
I can see that the
vault-initstarts, then thevault-agentindeed starts and runs. When the Spring App runs, I see the followingIgnoring the issue that the KV Engine is Version 2 and for some reason isn't recognising it (have raised this here https://github.com/spring-projects/spring-vault/issues/738), but it doesn't seem to be connecting to the Vault Agent. Tbh, I'm not entirely sure how the whole
NONEauthentication stuff works, because there isn't any actual code examples of this on any docs - apart from just saying to useNONE. Am I misunderstanding the entire thing, or is the above a genuine issue?Previous to this, we were using
Kubernetesauthentication to retrieve the secrets, but we want to cut down the code by just using the Vault Agent - but are having the above problems.To note: There is nothing wrong with the injection of secrets into the main container, so we know that in terms of injecting secrets using the Vault Secret Injection Template works. We just can't figure out why Spring itself can't pull the secrets through the Vault Agent.