usage of injector in deployments defined in helm chart #68

Open
dbeal-wiser opened this issue Feb 4, 2020 · 10 comments
Labels
docs Improvements or additions to documentation enhancement New feature or request

Comments

@dbeal-wiser

When defining an injection template annotation within a deployment defined in a Helm chart, the following syntax is required because Go templates use the same syntax (using one of the examples from the website):

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-example-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-example
  template:
    metadata:
      labels:
        app: app-example
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
        # for helm we have to escape golang templates to use golang templates for vault
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{ printf `{{- with secret "database/creds/db-app" -}}
          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
          {{- end }}` }}
        vault.hashicorp.com/role: "db-app"
        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
        vault.hashicorp.com/client-key: "/vault/tls/client.key"
        vault.hashicorp.com/tls-secret: "vault-tls-client"
    spec:
      containers:
        - name: app
          image: "app:1.0.0"
      serviceAccountName: app-example

This syntax does not seem immediately obvious to me, and I understand it would be difficult to change. Could a documentation example be added covering the use of Vault inject templates inside a Helm chart?

@jasonodonnell (Contributor) commented Feb 4, 2020

Hi @dbeal-wiser, this should work:

    annotations:
      vault.hashicorp.com/agent-inject-template-account: |
        {{` {{- with secret "path/to/secret" -}}
        {{ .Data.test }}
        {{- end }} `}}

We can add this to the doc!

@jasonodonnell jasonodonnell added docs Improvements or additions to documentation enhancement New feature or request labels Feb 4, 2020
@imranity

@jasonodonnell Follow-up question: what if "path/to/secret" comes from values.yaml? I want to use something like:

    annotations:
      vault.hashicorp.com/agent-inject-template-account: |
        {{` {{- with secret .Values.vault.path -}}
        {{ .Data.test }}
        {{- end }} `}}

@imranity

Got it working 🎆

      vault.hashicorp.com/agent-inject-template-account: |
        {{printf "{{- with secret "}} {{ .Values.vault.path }} {{` -}}
        {{ .Data.test }}
        {{- end }}`}}

@imranity commented Feb 13, 2020

Got the ultimate solution for my use case of creating a secret file like:

VAL1=secret1
VAL2=secret2
VAL3=secret3

To get something like the above in the vault/secrets/creds file, where the VALx are retrieved from helm values.yaml (and are automatically rendered as uppercase by Helm), they are declared as follows in helm values.yaml:

external_secrets:
  secrets:
    val1: some value
    val2: any value

Solution:

      vault.hashicorp.com/agent-inject-template-creds: |
        # get the value of the secret path from helm values.yaml and quote it
        {{printf "{{- with secret "}}{{ .Values.vault.path | quote }}{{` -}}`}}
        # iterate over the values val1, val2 etc. from helm values.yaml, each one a data key from the secret
        {{- range $key, $value := .Values.external_secrets.secrets }}
        {{ upper $key }}{{ printf "={{.Data.data."}}{{$key}}{{` }}`}}
        {{- end }}
        {{ `{{- end }}` }}

@iusergii

I guess an annotation for overriding the left and right delimiters would help with this. Can't find them in the docs.
@jasonodonnell, is there any plan to add them?

@byronmansfield

I would like to note, for anyone else struggling with this and who keeps getting

[ERROR] templates/deployment.yaml: unable to parse YAML: error converting YAML to JSON: yaml: line 40: did not find expected key

In my case, I had to remove the space between the backtick and the {{

annotations:
  ...
  vault.hashicorp.com/agent-inject-template-base: |
    {{`{{ with secret "apps/base" }}
      {{ range $k, $v := .Data }}
        {{ $k }}: {{ $v }}
      {{ end }}
    {{ end }}`}}

And the error went away. Not sure if I am doing something different or wrong, but it frustrated me for so long. Thanks for all the helpful comments and examples in here guys. It saved me from struggling even more :)

@FalconerTC

Would love to see an annotation to customize left and right delimiters to make this easier to use with Helm!

@caitlinelfring

I opened a PR that will allow you to define delimiters via annotations. Hopefully this will help with the pains of using a vault template within a helm chart #226

@mister2d commented Sep 25, 2022

> Hi @dbeal-wiser, this should work:
>
>     annotations:
>       vault.hashicorp.com/agent-inject-template-account: |
>         {{` {{- with secret "path/to/secret" -}}
>         {{ .Data.test }}
>         {{- end }} `}}
>
> We can add this to the doc!

This does not work. The injector agent complains with:

{
  "@level": "error",
  "@message": "runtime error encountered",
  "@timestamp": "2022-09-25T06:18:27.359853Z",
  "error": "template server: (dynamic): parse: template: :1: bad character U+002F '/'"
}

@orenlevi111

      vault.hashicorp.com/agent-inject-template-config: |
        {{`{{- with secret `}}{{ .Values.vault.path | quote }} {{`-}}
          {{ range $Key, $Value := .Data.data }}
          "export {{$Key}}={{$Value}}"
          {{ end }}
        {{- end -}}`}}

Works for me.
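To make the two-pass rendering discussed in this thread concrete, here is an added example; it is not code from the thread or from the vault-k8s project. The Go program simulates Helm's pass with text/template plus a stand-in for sprig's `quote`, then parses Helm's output a second time the way the agent does, with `secret` served from an in-memory map instead of Vault. The secret path, the credential values and the `[[ ]]` delimiter pair are constructed for the example; the delimiter variant only shows the mechanism text/template offers (`Delims`), not the annotation names the injector uses to set them.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// agentSecret stands in for what consul-template's `secret` function returns
// inside a Vault Agent template; only the .Data field is modelled.
type agentSecret struct {
	Data map[string]interface{}
}

// secretStore is a constructed in-memory stand-in for Vault (no network).
var secretStore = map[string]map[string]interface{}{
	"database/creds/db-app": {"username": "v-app-x1", "password": "s3cr3t"},
}

// sampleValues is a constructed stand-in for the chart's values.yaml.
var sampleValues = map[string]interface{}{
	"vault": map[string]interface{}{"path": "database/creds/db-app"},
}

// renderHelm is pass 1: Helm renders the chart template against .Values.
// Text inside {{` ... `}} is a raw-string literal the engine copies out
// verbatim, which is why the backtick trick lets the agent's {{ }} survive.
func renderHelm(chartTmpl string, values map[string]interface{}) (string, error) {
	funcs := template.FuncMap{"quote": func(s string) string { return fmt.Sprintf("%q", s) }}
	t, err := template.New("chart").Funcs(funcs).Parse(chartTmpl)
	if err != nil {
		return "", fmt.Errorf("helm pass: %w", err)
	}
	var out bytes.Buffer
	if err := t.Execute(&out, map[string]interface{}{"Values": values}); err != nil {
		return "", fmt.Errorf("helm pass: %w", err)
	}
	return out.String(), nil
}

// renderAgent is pass 2: the annotation value Helm emitted is parsed again by
// the agent, with `secret` resolved from secretStore. Delimiters are parameters
// so the delimiter-override idea from the thread can be tried with it as well.
func renderAgent(agentTmpl, left, right string) (string, error) {
	funcs := template.FuncMap{
		"secret": func(path string) (*agentSecret, error) {
			d, ok := secretStore[path]
			if !ok {
				return nil, fmt.Errorf("no secret at %q", path)
			}
			return &agentSecret{Data: d}, nil
		},
	}
	t, err := template.New("agent").Delims(left, right).Funcs(funcs).Parse(agentTmpl)
	if err != nil {
		return "", fmt.Errorf("agent pass: %w", err)
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", fmt.Errorf("agent pass: %w", err)
	}
	return out.String(), nil
}

// renderTwoPass chains both passes in the order the cluster applies them.
func renderTwoPass(chartTmpl string, values map[string]interface{}, left, right string) (string, error) {
	agentTmpl, err := renderHelm(chartTmpl, values)
	if err != nil {
		return "", err
	}
	return renderAgent(agentTmpl, left, right)
}

// Chart-side annotation bodies (constructed). The secret path comes from
// .Values and is quoted so the agent receives a string literal.
const quotedChart = "{{`{{- with secret `}}{{ .Values.vault.path | quote }}{{` -}}\n" +
	"postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb\n" +
	"{{- end }}`}}"

// Same body without `quote`: the agent sees `with secret database/creds/db-app`
// and its lexer rejects the '/' inside what it reads as a bare identifier.
const unquotedChart = "{{`{{- with secret `}}{{ .Values.vault.path }}{{` -}}\n" +
	"postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb\n" +
	"{{- end }}`}}"

// With the agent set to [[ ]] delimiters nothing needs escaping: Helm only
// interprets {{ }} and passes [[ ]] through untouched.
const delimChart = "[[- with secret {{ .Values.vault.path | quote }} -]]\n" +
	"postgres://[[ .Data.username ]]:[[ .Data.password ]]@postgres:5432/appdb\n" +
	"[[- end ]]"

func main() {
	out, err := renderTwoPass(quotedChart, sampleValues, "{{", "}}")
	fmt.Printf("quoted:   %q err=%v\n", out, err)
	out, err = renderTwoPass(unquotedChart, sampleValues, "{{", "}}")
	fmt.Printf("unquoted: %q err=%v\n", out, err)
	out, err = renderTwoPass(delimChart, sampleValues, "[[", "]]")
	fmt.Printf("delims:   %q err=%v\n", out, err)
}
```

The unquoted variant reproduces the `bad character U+002F '/'` parse error seen above: without `quote`, the agent lexes `database/creds/db-app` as a bare identifier and stops at the slash, so pipe the path through `quote` whenever it comes from values.yaml. A separate trap lives in the YAML rather than the template: the first non-blank line of a `|` block scalar fixes the block's indentation, so a space emitted after the opening backtick makes that line more indented than the lines that follow, and the YAML parser ends the scalar early.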
