What?
This article shows how to configure the Vault Agent Injector (as a sidecar or as an init container) to fetch a static secret, in particular one stored in a KV version 2 (kv-v2) secrets engine, from a child namespace after authenticating with an auth method enabled in the parent (or root) namespace.
How?
This is achieved with the agent annotation vault.hashicorp.com/agent-inject-secret-<secret_name>: <value>, which configures Vault Agent to retrieve the secret the container needs from Vault. <secret_name> is any unique string appended after vault.hashicorp.com/agent-inject-secret-, and it also names the file that is rendered under /vault/secrets/ in the pod. <value> is the path in Vault where the secret is located.
For example, when the auth method and the secret are in the same namespace, the value is just the mount path followed by the secret path (the KV v2 "data/" segment is detected automatically):
vault.hashicorp.com/agent-inject-secret-my-secret: core/certificates/my-secret
When the static secret lives in a different (child) namespace, the value changes slightly: the path is prefixed with the namespace name and the KV v2 "data" segment is written explicitly, for example:
vault.hashicorp.com/agent-inject-secret-my-secret: <namespace_name>/core/data/certificates/my-secret
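As an added example (not part of the original article), the following Deployment manifest shows the annotations in context, with the same-namespace form commented out next to the cross-namespace form, plus an optional custom template for the same secret. The child namespace name team-a, the Kubernetes auth role and service account my-app, the image name and the secret key certificate are assumptions for illustration.

```yaml
# Added example, not from the original article: a Deployment that uses the
# Vault Agent Injector to fetch a KV v2 secret stored in a child namespace
# while authenticating through an auth method in the parent (root) namespace.
# Assumed names: child namespace "team-a", KV v2 mounted at "core" inside it,
# Kubernetes auth role / service account "my-app", secret key "certificate".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role; the auth method itself lives in the parent namespace.
        vault.hashicorp.com/role: "my-app"
        # Only needed when the parent namespace is not the root namespace:
        # vault.hashicorp.com/namespace: "parent-ns"
        # Set to "true" to run only the init container and skip the sidecar:
        # vault.hashicorp.com/agent-pre-populate-only: "true"

        # Same-namespace form: mount path plus secret path, "data/" is detected.
        # vault.hashicorp.com/agent-inject-secret-my-secret: "core/certificates/my-secret"

        # Cross-namespace form: child namespace prefix plus an explicit "data/"
        # segment, because KV v2 detection does not happen behind a namespace prefix.
        # The rendered file lands at /vault/secrets/my-secret inside the pod.
        vault.hashicorp.com/agent-inject-secret-my-secret: "team-a/core/data/certificates/my-secret"

        # Optional custom template for the same secret (the agent-inject-secret
        # annotation above must still be present). With "data/" in the path the
        # raw API response is returned, so KV v2 values sit under .Data.data.
        vault.hashicorp.com/agent-inject-template-my-secret: |
          {{- with secret "team-a/core/data/certificates/my-secret" -}}
          {{ .Data.data.certificate }}
          {{- end -}}
    spec:
      serviceAccountName: my-app
      containers:
        - name: my-app
          image: my-app:1.0
```

Without the template annotation, the injector renders its default template, which writes every key under the secret's data as key: value lines; the explicit template is the usual way to render a single key (here a certificate) into the file the application reads.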
Why?
The injector annotation accepts a namespace-prefixed value, and Vault resolves such a string into namespace, mount and secret path correctly. The rendering template, which is executed by the consul-template library that the Vault Agent binary uses under the hood, does not: the automatic KV version detection that would normally insert the "data/" segment for a KV v2 mount does not happen when the path starts with a namespace. Hence "data" has to be placed in the path explicitly, so that consul-template treats the mount as KV v2 and forms the correct API path when querying the Vault server, i.e. GET /v1/<namespace_name>/core/data/certificates/my-secret. In the examples above, "core" is the path where the KV v2 secrets engine is mounted.
Important!
This article assumes that the policy attached to the token obtained after authentication grants sufficient permissions on the API paths needed to read the static secret inside the child namespace. Because the token is issued by an auth method in the parent namespace, that policy is evaluated from the parent namespace and must reference the secret with the same namespace prefix, i.e. at least the read capability on <namespace_name>/core/data/certificates/my-secret. A quick way to confirm this before deploying is to log in with the same role and run vault token capabilities against that prefixed path.