
Hashicorp vault secrets not fetched in kubernetes

I have created some secrets in Vault, and I'm passing the variables as below. But the secrets are not fetched.

annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-vault-addr: 'https://vaultadd.com'
  vault.hashicorp.com/auth-type: 'approle'
  vault.hashicorp.com/auth-path: 'auth/approle'
  vault.hashicorp.com/auth-config-role-id-file-path: '/vault/custom/role-id'
  vault.hashicorp.com/auth-config-secret-id-file-path: '/vault/custom/secret-id'
  vault.hashicorp.com/agent-extra-secret: 'mysecret'
  vault.hashicorp.com/role: 'myrole'
  vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading: 'false'
  vault.hashicorp.com/log-level: 'debug'
  vault.hashicorp.com/agent-inject-secret-MY-SECRET: 'secret/mysecret/secrets'
  vault.hashicorp.com/agent-inject-template-MY-SECRET: |
    {{ with secret "secret/mysecret/secrets" -}}
      export username={{ .Data.username }}
      export password={{ .Data.password }}
    {{- end }}

And in args I have the following:

args:
  ["sh", "-c", "source /vault/secrets/config && MY_ENTRYPOINT"]

Kindly use the environment variable annotation instead of the file template annotation.

Please change the annotation as below:

vault.hashicorp.com/agent-inject-secret-config: 'secret/mysecret/secrets'
vault.hashicorp.com/agent-inject-template-config: |
  {{ with secret "secret/mysecret/secrets" -}}
    export username={{ .Data.username }}
    export password={{ .Data.password }}
  {{- end }}

The Kubernetes API typically runs on the master nodes, and the Vault Agent injector on a worker node in a Kubernetes cluster.

The example demonstrates how templates can be used to create environment variables. A template should be created that exports a Vault secret as an environment variable, and the application container should source those files during startup.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
  labels:
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'web'
        vault.hashicorp.com/agent-inject-secret-config: 'secret/data/web'
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "secret/data/web" -}}
            export api_key="{{ .Data.data.payments_api_key }}"
          {{- end }}
    spec:
      serviceAccountName: web
      containers:
        - name: web
          image: alpine:latest
          args:
            ['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']
          ports:
            - containerPort: 9090

Before applying Vault Agent injection annotations to pods, the following requirements should be satisfied.

1. The Kubernetes API can connect to the Vault Agent injector service on port 443, and the injector can connect to the Kubernetes API.

2. Vault can connect to the Kubernetes API.

3. Pods in the Kubernetes cluster can connect to Vault.

If you are using the latest KV2, the path to the secret is <KV2-root-path>/data/<path-within-the-kv2>.

So if your KV2 is called secret then: ... with secret "secret/data/mysecret/secrets" ...
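To see why the path and the field access both matter on a KV v2 mount, here is an added example (not part of the answer above) that renders the agent template with Go's text/template, which is what the Vault Agent uses underneath. The Vault response is constructed inline, the `secret` function is a stand-in that only answers reads under secret/data/, and the "<no value>" output for a missing map key is standard text/template behaviour.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Secret mirrors what the template's `secret` call hands back:
// the "data" object of the Vault HTTP response.
type Secret struct {
	Data map[string]interface{}
}

// kv2Response is a constructed stand-in for a KV v2 read of
// secret/data/mysecret/secrets. Note the extra "data" level and the
// "metadata" sibling: the fields live under .Data.data, not .Data.
var kv2Response = &Secret{Data: map[string]interface{}{
	"data":     map[string]interface{}{"username": "svc-user", "password": "placeholder"},
	"metadata": map[string]interface{}{"version": 1},
}}

// Render executes an agent-style template against the constructed response.
func Render(tmpl string) (string, error) {
	funcs := template.FuncMap{
		"secret": func(path string) (*Secret, error) {
			// Assumption for this stand-in: a KV v2 mount named "secret"
			// only serves reads under secret/data/...
			if !strings.HasPrefix(path, "secret/data/") {
				return nil, fmt.Errorf("no secret at %q: KV v2 paths need a /data/ segment", path)
			}
			return kv2Response, nil
		},
	}
	t, err := template.New("config").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	for _, tmpl := range []string{
		`{{ with secret "secret/mysecret/secrets" -}}export username={{ .Data.username }}{{- end }}`,
		`{{ with secret "secret/data/mysecret/secrets" -}}export username={{ .Data.username }}{{- end }}`,
		`{{ with secret "secret/data/mysecret/secrets" -}}export username={{ .Data.data.username }}{{- end }}`,
	} {
		out, err := Render(tmpl)
		fmt.Printf("%q -> err=%v\n", out, err)
	}
}
```

The first template fails outright (no /data/ in the path), the second renders but exports "<no value>" because the v1-style field access misses the nested "data" map, and only the third produces a usable export line.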

Is the Vault Agent sidecar injected, though? Does it have any logs?
