Injecting Dynamic PostgreSQL Credentials into Kubernetes Applications via Vault Agent Injector and HCP Vault Dedicated – HashiCorp Help Center

Objective

This article provides step-by-step guidance on how to inject dynamic PostgreSQL database credentials into Kubernetes applications using the Vault Agent Injector with HCP Vault Dedicated.

Prerequisites

An HCP Vault Dedicated cluster up and running
A PostgreSQL database accessible from Vault
A Kubernetes cluster where your applications are deployed
kubectl, Helm, and Vault CLI installed and configured

Refer : Prerequisites

Overview of Steps

Configure the Database Secrets Engine in HCP Vault
Enable and Configure the Kubernetes Auth Method
Install Vault Agent Injector in the Kubernetes Cluster
Inject Secrets into Your Kubernetes Applications

Step 1: Configure the Database Secrets Engine for PostgreSQL

Enable the database secrets engine (if not already enabled):
```
vault secrets enable database
```

Configure the PostgreSQL connection:

vault write database/config/postgres \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_URL/postgres?sslmode=disable" \
allowed_roles=readonly \
username="root" \
password="xxxxxxx"

Define the SQL used to create credentials.

tee readonly.sql <<EOF
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' INHERIT;
GRANT ro TO "{{name}}";
EOF

4. Create a role to generate dynamic credentials:

vault write database/roles/readonly \
db_name=postgres \
creation_statements=@readonly.sql \
default_ttl=1h \
max_ttl=24h

Step 2: Enable and Configure Kubernetes Auth Method

Refer this to enable and configure kubernetes auth method.

Step 3: Install the Vault Agent Injector in Kubernetes

Add the HashiCorp Helm repository:

helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update

Install the Vault Helm chart with Injector enabled:

helm install vault hashicorp/vault \
--set "global.externalVaultAddr=$VAULT_ADDR" \

Step 4: Inject Secrets into Kubernetes Applications

Annotate your pod/deployment with Vault injection annotations. Sample given below:-

metadata:
      annotations:
               vault.hashicorp.com/agent-inject: 'true'
               vault.hashicorp.com/agent-inject-status: "updated"
               vault.hashicorp.com/agent-image: "hashicorp/vault:latest"
               vault.hashicorp.com/agent-cache-enable: "true"
               vault.hashicorp.com/log-level: "trace"
               vault.hashicorp.com/role: '<kubernetes-auth-role-name>'
               vault.hashicorp.com/agent-inject-secret-credentials.txt: 'database/creds/readonly'
               vault.hashicorp.com/agent-inject-template-vault.yaml: |
                        {{- with secret "database/creds/readonly" }}
                        {{ printf "db_username:" }} {{ .Data.username }}
                        {{ printf "db_password:" }} {{ .Data.password }}
                        {{- end }}
              vault.hashicorp.com/namespace: 'admin'

The Vault Agent Injector will automatically:
- Authenticate with Vault using the Kubernetes auth method
- Retrieve the dynamic PostgreSQL credentials
- Inject them into the pod and these dynamic credentials gets stored in file "credentials.txt" at location /vault/secrets directory in vault-agent sidecar container.

Verification

Logs of the application pod should confirm secrets were injected successfully.
You can also exec into the pod and check the contents of the injected file:
```
cat /vault/secrets/credentials.txt
```

References

https://developer.hashicorp.com/vault/tutorials/db-credentials/database-secrets

https://developer.hashicorp.com/vault/tutorials/integrate-kubernetes-hcp-vault-dedicated/kubernetes-hcp-vault#kubernetes-auth-method-authentication