Error when using templates #51

Open
paulrostorp opened this issue Jan 15, 2020 · 4 comments
Labels
injector Area: mutating webhook service question A general question about usage


@paulrostorp

I'm getting an error when using templates with the injector, and I cannot find any documentation to enlighten me...
When injecting directly through annotations (like so: vault.hashicorp.com/agent-inject-secret-demo: "demo/secret") I get no error, but when using a template (both in annotation or configmap) I get this error:

Error loading configuration from /vault/configs/config-init.hcl: At 22:44: expected '/' for comment

Here is my configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
  labels:
    app: hello
data:
  config.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "demo"
        }
        "type" = "kubernetes"
      }

      "sink" = {
        "config" = {
          "path" = "/vault/.token"
        }

        "type" = "file"
      }
    }

    "exit_after_auth" = false
    "pid_file" = "/vault/.pid"

    "template" = {
      "contents" = "demo/secret"
      "destination" = "/vault/secrets/demo"
    }

    "vault" = {
      "address" = "http://vault:8200"
    }
  config-init.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "demo"
        }
        "type" = "kubernetes"
      }

      "sink" = {
        "config" = {
          "path" = "/vault/.token"
        }

        "type" = "file"
      }
    }

    "exit_after_auth" = true
    "pid_file" = "/vault/.pid"

    "template" = {
      "contents" = "{{ secret "demo/secret" }}"
      "destination" = "/vault/secrets/demo"
    }

    "vault" = {
      "address" = "http://vault:8200"
    }

I also get the same error when doing something like this:

{{- with secret "demo/secret" -}}{{ .Data.key }}{{- end }}

Any suggestions?

@jasonodonnell
Contributor

jasonodonnell commented Jan 15, 2020

You can find some examples here: https://www.vaultproject.io/docs/platform/k8s/injector/examples.html#vault-agent-injector-examples.

The error is happening because of this: "contents" = "demo/secret" in your config.hcl

Both contents (config.hcl and config-init.hcl) should be:

{{- with secret "demo/secret" -}}{{ .Data.key }}{{- end }}

@paulrostorp
Author

paulrostorp commented Jan 16, 2020

@jasonodonnell My bad, that was a mistake when replacing my secret names with demo. That is the configuration I had. The error is still occurring...
Also, the example doesn't work.

@phi2039

phi2039 commented Jan 17, 2020

I encountered the same issue. The inner double-quotes must be escaped if contained in a string literal:

"template" = {
      "contents" = "{{- with secret \"demo/secret\" -}}{{ .Data.key }}{{- end }}"
      "destination" = "/vault/secrets/demo"
}

(...and it wouldn't hurt to check if you also fat-fingered and put the template inside the 'auto_auth' stanza like I did 😀 )
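
As an added illustration (not part of the thread or the project's code), the Python sketch below models how a double-quoted string literal ends at its first unescaped quote, which is why the unescaped template leaves stray text after `contents`, and shows a helper that escapes a raw template for use in such a literal. The function names `hcl_quote` and `stray_after_value` are hypothetical, and this is a simplified model rather than the HCL parser (it ignores `${...}` interpolation).

```python
# Added example: simplified model of a double-quoted HCL string literal.
# Not the HCL parser; ignores ${...} interpolation. Names are hypothetical.
from typing import Optional

# Constructed from the lines quoted in the thread.
BROKEN = '  "contents" = "{{ secret "demo/secret" }}"'
RAW_TEMPLATE = '{{- with secret "demo/secret" -}}{{ .Data.key }}{{- end }}'


def hcl_quote(template: str) -> str:
    """Wrap a raw template in double quotes, escaping what would end it early."""
    escaped = (
        template.replace("\\", "\\\\")   # backslashes first
        .replace('"', '\\"')             # inner double quotes
        .replace("\n", "\\n")            # literal newlines
    )
    return f'"{escaped}"'


def stray_after_value(line: str) -> Optional[int]:
    """Return the 1-based column of the first text left over after the
    value's string literal closes, or None when nothing is left over."""
    start = line.index('"', line.index("="))  # opening quote of the value
    i = start + 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1      # skip escaped pairs such as \"
    if i >= len(line):
        return start + 1                      # literal never terminated
    rest = line[i + 1:]
    leftover = rest.lstrip()
    if not leftover:
        return None
    return i + 2 + len(rest) - len(leftover)


if __name__ == "__main__":
    print("broken: stray text at column", stray_after_value(BROKEN))
    fixed = '  "contents" = ' + hcl_quote(RAW_TEMPLATE)
    print(fixed)
    print("fixed: stray text at column", stray_after_value(fixed))
```

In the unescaped line the literal closes before `demo/secret`, so that text is parsed as configuration rather than as template content.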

@tvoran tvoran added question A general question about usage injector Area: mutating webhook service labels Jan 22, 2020
@semihural

semihural commented Apr 27, 2021

Hi, I had a similar issue: /vault/configs/config-init.hcl: At 23:28: illegal char... How can I fix this?

apiVersion: v1
kind: ConfigMap
metadata:
  name: docuplatform-backend-configmap
data:
  config.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "docuplatform-backend"
        }
        "type" = "kubernetes"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = false
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = "{{`{{- with secret \"secret/data/docuplatform-backend\" -}}
        "auth_client_id_stage" : "{{ .Data.auth_client_id_stage }}",
        "auth_client_id_testing" : "{{ .Data.auth_client_id_testing }}"
      {{- end }}`}}"
      "destination" = "/vault/secrets/docuplatform-backend"
    }
    "vault" = {
      "address" = "https://vault.vault.svc.cluster.local:8200"
    }
  config-init.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "docuplatform-backend"
        }
        "type" = "kubernetes"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = true
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = "{{`{{- with secret \"secret/data/docuplatform-backend\" -}}
        "auth_client_id_stage" : "{{ .Data.auth_client_id_stage }}",
        "auth_client_id_testing" : "{{ .Data.auth_client_id_testing }}"
      {{- end }}`}}"
      "destination" = "/vault/secrets/docuplatform-backend"
    }
    "vault" = {
      "address" = "https://vault.vault.svc.cluster.local:8200"
    }
