Injecting vault secrets into Kubernetes Pod Environment variable

1
votes

I'm trying to install Sonarqube in Kubernetes environment which needs PostgresSQL. I'm using an external Postgres instance and I have the crednetials kv secret set in Vault. SonarQube helm chart creates an Environment variable in the container which takes the username and password for Postgres.

How can I inject the secret from my Vault to environment variable of sonarqube pod running on Kubernetes?

Creating a Kubernetes secret and suing the secret in the helm chart works, but we are managing all secrets on Vault and need Vault secrets to be injected into pods.

Thanks

4
postgresqlkubernetessonarqubehashicorp-vaultkubernetes-secrets

4 Answers

2
votes

If you are facing issue in injecting secret using consul sidecar container and finding it very difficult to setup you can use this : https://github.com/DaspawnW/vault-crd

This is vault-custom resource definition which directly sync vault environment variables to kuberntes secret so now you can directly add secret to POD. with secretref.

vault crd create one pod in which you have to pass vault service name or URL using which application can connect to vault and on changes in vault value it will automatically sync value to kubernetes secret.

https://vault.koudingspawn.de/

1
votes

You need to use a parent process that will talk to vault and retrieve the value, and then run your real process. https://github.com/hashicorp/envconsul is the marginally official tool for this from the Vault team, but there are many other options if you go looking.

1
votes

There are 2 ways to inject vault secrets into the k8s pod as ENV vars.

1) Use the vault Agent Injector

A template should be created that exports a Vault secret as an environment variable.

spec:
  template:
    metadata:
      annotations:
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "secret/data/web" -}}
            export api_key="{{ .Data.data.payments_api_key }}"
          {{- end }}

And the application container should source those files during startup.

args:
  ['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']

Reference: https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example

2) Use banzaicloud bank-vault

Reference: https://banzaicloud.com/blog/inject-secrets-into-pods-vault-revisited/.

Comments:

Both methods are bypassing k8s security because secrets are not stored in etcd. In addition, pods are unaware of vault in both methods. So any one of these can be adopted without a deep comparison.

For vault-k8s and vault-helm users, I recommend the first method.