
Add file annotation #158

Merged
merged 6 commits into from
Jul 23, 2020

Conversation

@tvoran (Member) commented Jul 23, 2020

(Continues #89, fixes #88)

Adds new annotation vault.hashicorp.com/agent-inject-file. This sets the filename and path in the secrets volume where a vault secret will be written. The container mount path for the secrets volume may be modified with the secret-volume-path annotation.

This allows for filenames that aren't limited in length as k8s annotation keys, and for arbitrary directory structures in the secrets volume.

Samuel Beaulieu and others added 5 commits February 28, 2020 15:59
As per issue #88, before this fix
the secret filename was limited to 21 chars and could not contain a directory
separator /.
This fix introduces two new annotations to use together:
vault.hashicorp.com/agent-inject-location to specify the vault secret location
vault.hashicorp.com/agent-inject-filename to specify the filename to realize
It has the advantage of allowing long filenames, including directory separators,
and if the location is absolute, it will create the file there, effectively giving
the option to save outside of /vault/secrets/

Instead of both a location and filename annotation directive that
deprecates the secret annotation, only add a file directive that
allows specifying an optional file path and name for the rendered
secrets.
@catsby left a comment

Looks good so far, I left some minor suggestions. I don't quite get the significance of the mentioned absolute pathing (e.g. /some/file vs some/file), they appear to me to produce the same results. Can you help me understand the difference/functionality?

Review comments on: agent-inject/agent/annotations.go (outdated, resolved); agent-inject/agent/config.go (resolved); agent-inject/agent/config_test.go (outdated, resolved)
Refactored how a secret is assembled. Simplified the filePathAndName
logic. Tried to make some test descriptions more clear.
@tvoran (Member, Author) commented Jul 23, 2020

> I don't quite get the significance of the mentioned absolute pathing (e.g. /some/file vs some/file), they appear to me to produce the same results.

Yeah, going through this again I think calling out absolute pathing is unnecessary, since both styles just end up inside the secrets volume, i.e. you can't specify an absolute path to write something outside in an arbitrary location within the container. Tried to simplify some of that language in the PR description and code comments in b96d6b4.
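The behaviour the PR description and the reply above describe (a file annotation is always resolved inside the secrets volume, so `/some/file` and `some/file` end up at the same place) is shown here as an added example; it is not code from vault-k8s. It assumes the per-secret annotation forms `agent-inject-secret-<name>` and `agent-inject-file-<name>`, a single `secret-volume-path` override, and `/vault/secrets` as the default volume path; the rejection of `..` segments that would climb out of the volume is an extra check added here, not something the PR states the project does.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

const (
	annotationPrefix        = "vault.hashicorp.com/"
	annotationSecretPrefix  = annotationPrefix + "agent-inject-secret-" // assumed per-secret form
	annotationFilePrefix    = annotationPrefix + "agent-inject-file-"   // assumed per-secret form
	annotationVolumePath    = annotationPrefix + "secret-volume-path"
	defaultSecretVolumePath = "/vault/secrets"
)

// ErrEscapesVolume is returned when a file annotation would resolve above the
// secrets volume (an added check, not described in the PR).
var ErrEscapesVolume = errors.New("agent-inject-file escapes the secrets volume")

// RenderedSecret pairs a Vault secret path with the container path where the
// agent sidecar would write the rendered template.
type RenderedSecret struct {
	Name      string // suffix of the agent-inject-secret-<name> annotation
	VaultPath string // value of that annotation
	FilePath  string // absolute path inside the container
}

// SecretFilePath resolves the container path for one secret. Both "/some/file"
// and "some/file" land at <volume>/some/file: leading separators are dropped
// before joining, so the value cannot pick an arbitrary location in the
// container. Values that still climb above the volume via ".." are rejected.
func SecretFilePath(volumePath, fileAnnotation, secretName string) (string, error) {
	name := fileAnnotation
	if name == "" {
		name = secretName // no file annotation: the file is named after the secret
	}
	cleaned := filepath.Clean(strings.TrimLeft(name, "/"))
	if cleaned == "." {
		return "", fmt.Errorf("secret %q: empty file path", secretName)
	}
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", fmt.Errorf("secret %q: %w", secretName, ErrEscapesVolume)
	}
	return filepath.Join(volumePath, cleaned), nil
}

// ResolveSecrets walks a pod's annotations and computes the destination file
// for every agent-inject-secret-<name> entry, honouring the optional
// agent-inject-file-<name> and secret-volume-path annotations.
func ResolveSecrets(annotations map[string]string) ([]RenderedSecret, error) {
	volume := defaultSecretVolumePath
	if v, ok := annotations[annotationVolumePath]; ok && v != "" {
		volume = v
	}
	var out []RenderedSecret
	for key, vaultPath := range annotations {
		if !strings.HasPrefix(key, annotationSecretPrefix) {
			continue
		}
		name := strings.TrimPrefix(key, annotationSecretPrefix)
		file, err := SecretFilePath(volume, annotations[annotationFilePrefix+name], name)
		if err != nil {
			return nil, err
		}
		out = append(out, RenderedSecret{Name: name, VaultPath: vaultPath, FilePath: file})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// SampleAnnotations is a constructed pod annotation set for this example; the
// values are not taken from the project or the PR.
var SampleAnnotations = map[string]string{
	annotationVolumePath:             "/etc/app/secrets",
	annotationSecretPrefix + "db":    "database/creds/app",
	annotationFilePrefix + "db":      "config/db-credentials.json",
	annotationSecretPrefix + "tls":   "pki/issue/app",
	annotationFilePrefix + "tls":     "/tls/server.crt", // absolute, still lands in the volume
	annotationSecretPrefix + "token": "kv/data/app/token",
}

func main() {
	secrets, err := ResolveSecrets(SampleAnnotations)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range secrets {
		fmt.Printf("%-6s %-20s -> %s\n", s.Name, s.VaultPath, s.FilePath)
	}
	// A value that tries to leave the volume is rejected rather than joined.
	_, err = SecretFilePath(defaultSecretVolumePath, "../../outside", "bad")
	fmt.Println("traversal attempt:", err)
}
```

Running it prints the three resolved paths under `/etc/app/secrets` (the `tls` entry with its leading slash and the `db` entry without one are handled identically), followed by the error for the `..` value.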

@catsby left a comment

LGTM, thanks! 👍

@andrejvanderzee (Contributor) commented

Will this be released soon? We also have a use case for specifying the filename of a secret: we have multiple secrets with the same expected file names, each written to its own, different mounted volume path vault.hashicorp.com/secret-volume-path. It would be super convenient if we could override the filename by vault.hashicorp.com/agent-inject-file.

@jasonodonnell (Contributor) commented

@andrejvanderzee Most likely Monday, August 24th!

@jasonodonnell jasonodonnell mentioned this pull request Aug 24, 2020
NLRemco pushed a commit to NLRemco/vault-k8s that referenced this pull request Feb 22, 2022
Adds new annotation `vault.hashicorp.com/agent-inject-file`. This sets
the filename and path in the secrets volume where a vault secret will
be written. The container mount path for the secrets volume may be
modified with the `secret-volume-path` annotation.

This allows for filenames that aren't limited in length as k8s
annotation keys, and for arbitrary directory structures in the secrets
volume.

Co-authored-by: Samuel Beaulieu <samuel@puppetlabs.com>
Linked issue closed by this pull request: Metadata annotations are limited to 63 char, filename is embedded in annotation
4 participants