---
layout: docs
page_title: Agent Sidecar Injector Overview
sidebar_title: Agent Injector
description: >-
  The Vault Agent Sidecar Injector is a Kubernetes admission webhook that adds
  Vault Agent containers to pods for consuming Vault secrets.
---
# Agent Sidecar Injector

The Vault Agent Injector alters pod specifications to include Vault Agent
containers that render Vault secrets to a shared memory volume using
[Vault Agent Templates](/docs/agent/template).
By rendering secrets to a shared volume, containers within the pod can consume
Vault secrets without being Vault aware.

The injector is a [Kubernetes Mutation Webhook Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/).
The controller intercepts pod events and applies mutations to the pod if annotations exist within
the request. This functionality is provided by the [vault-k8s](https://github.com/hashicorp/vault-k8s)
project and can be automatically installed and configured using the
[Vault Helm](https://github.com/hashicorp/vault-helm) chart.
## Overview

The Vault Agent Injector works by intercepting pod `CREATE` and `UPDATE`
events in Kubernetes. The controller parses the event and looks for the metadata
annotation `vault.hashicorp.com/agent-inject: true`. If found, the controller will
alter the pod specification based on other annotations present.
### Mutations

At a minimum, every container in the pod will be configured to mount a shared
memory volume. This volume is mounted to `/vault/secrets` and will be used by the Vault
Agent containers for sharing secrets with the other containers in the pod.

Next, two types of Vault Agent containers can be injected: init and sidecar. The
init container will prepopulate the shared memory volume with the requested
secrets prior to the other containers starting. The sidecar container will
continue to authenticate and render secrets to the same location as the pod runs.
Using annotations, the initialization and sidecar containers may be disabled.

Last, two additional types of volumes can be optionally mounted to the Vault Agent
containers. The first is a secret volume containing TLS requirements such as client
and CA (certificate authority) certificates and keys. This volume is useful when
communicating and verifying the Vault server's authenticity using TLS. The second
is a configuration map containing Vault Agent configuration files. This volume is
useful to customize Vault Agent beyond what the provided annotations offer.
### Authenticating with Vault

The primary method of authentication with Vault when using the Vault Agent Injector
is the service account attached to the pod. At this time, no other authentication
method is supported by the controller.

The service account must be bound to a Vault role and a policy granting access to
the secrets desired.

A service account must be present to use the Vault Agent Injector. It is _not_
recommended to bind Vault roles to the default service account provided to pods
if no service account is defined.
### Requesting Secrets

There are two methods of configuring the Vault Agent containers to render secrets:

- the `vault.hashicorp.com/agent-inject-secret` annotation, or
- a configuration map containing Vault Agent configuration files.

Only one of these methods may be used at any time.
#### Secrets via Annotations

To configure secret injection using annotations, the user must supply:

- one or more _secret_ annotations, and
- the Vault role used to access those secrets.

The annotation must have the format:

```yaml
vault.hashicorp.com/agent-inject-secret-<unique-name>: /path/to/secret
```

The unique name will be the filename of the rendered secret and must be unique if
multiple secrets are defined by the user. For example, consider the following
secret annotations:

```yaml
vault.hashicorp.com/agent-inject-secret-foo: database/roles/app
vault.hashicorp.com/agent-inject-secret-bar: consul/creds/app
vault.hashicorp.com/role: 'app'
```

The first annotation will be rendered to `/vault/secrets/foo` and the second
annotation will be rendered to `/vault/secrets/bar`.

It's possible to set the file format of the rendered secret using the annotation. For example, the
following secret will be rendered to `/vault/secrets/foo.txt`:

```yaml
vault.hashicorp.com/agent-inject-secret-foo.txt: database/roles/app
vault.hashicorp.com/role: 'app'
```

The secret unique name must consist of alphanumeric characters, `.`, `_` or `-`.
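The annotation rules above (name characters, required role, one configuration method at a time, and the advice against the default service account) can be checked before a manifest reaches the cluster. The following lint is an added example, not code from vault-k8s; `lint_pod` and the sample data are hypothetical, and it assumes only the literal value `"true"` shown on this page opts a pod in.

```python
import re

PREFIX = "vault.hashicorp.com/"
SECRET = PREFIX + "agent-inject-secret-"
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # character rule stated on this page


def lint_pod(annotations, service_account):
    """Return (rendered_paths, findings) for one pod's annotations.

    Hypothetical helper: `annotations` is the pod's metadata.annotations
    mapping, `service_account` its spec.serviceAccountName (None if unset).
    """
    paths, findings = {}, []
    if annotations.get(PREFIX + "agent-inject") != "true":
        return paths, findings  # assumption: not opted in, nothing to check
    secrets = {k[len(SECRET):]: v for k, v in annotations.items()
               if k.startswith(SECRET)}
    if secrets and annotations.get(PREFIX + "agent-configmap"):
        findings.append("secret annotations and agent-configmap are both set")
    if secrets and not annotations.get(PREFIX + "role"):
        findings.append("secret annotations present but role is missing")
    if not service_account or service_account == "default":
        findings.append("pod runs as the default service account")
    for name, vault_path in sorted(secrets.items()):
        if NAME_RE.fullmatch(name):
            # The unique name becomes the file name in the shared volume.
            paths["/vault/secrets/" + name] = vault_path
        else:
            findings.append(f"invalid secret name {name!r}")
    return paths, findings


# Constructed sample: this page's annotations plus one name with a '/'.
SAMPLE = {
    PREFIX + "agent-inject": "true",
    SECRET + "foo.txt": "database/roles/app",
    SECRET + "bar": "consul/creds/app",
    SECRET + "db/creds": "consul/creds/app",
    PREFIX + "role": "app",
}

if __name__ == "__main__":
    rendered, problems = lint_pod(SAMPLE, "default")
    print(rendered)
    print(problems)
```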
##### Secret Templates

~> Vault Agent uses the Consul Template project to render secrets. For more information
on writing templates, see the [Consul Template documentation](https://github.com/hashicorp/consul-template).

How the secret is rendered to the file is also configurable. To configure the template
used, the user must supply a _template_ annotation using the same unique name as
the secret. The annotation must have the following format:

```yaml
vault.hashicorp.com/agent-inject-template-<unique-name>: |
  <
    TEMPLATE
    HERE
  >
```

For example, consider the following:

```yaml
vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app'
vault.hashicorp.com/agent-inject-template-foo: |
  {{- with secret "database/creds/db-app" -}}
  postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable
  {{- end }}
vault.hashicorp.com/role: 'app'
```

The rendered secret would look like this within the container:

```bash
$ cat /vault/secrets/foo
postgres://v-kubernet-pg-app-q0Z7WPfVN:A1a-BUEuQR52oAqPrP1J@postgres:5432/mydb?sslmode=disable
```

~> The default left and right template delimiters are `{{` and `}}`.

If no template is provided, the following generic template is used:

```
{{ with secret "/path/to/secret" }}
    {{ range $k, $v := .Data }}
        {{ $k }}: {{ $v }}
    {{ end }}
{{ end }}
```

For example, the following annotation will use the default template to render
PostgreSQL secrets found at the configured path:

```yaml
vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/pg-app'
vault.hashicorp.com/role: 'app'
```

The rendered secret would look like this within the container:

```bash
$ cat /vault/secrets/foo
password: A1a-BUEuQR52oAqPrP1J
username: v-kubernet-pg-app-q0Z7WPfVNqqTJuoDqCTY-1576529094
```

~> Some secrets such as KV are stored in maps. Their data can be accessed using `.Data.data.<NAME>`.
#### Vault Agent Configuration Map

For advanced use cases, it may be required to define Vault Agent configuration
files to mount instead of using secret and template annotations. The Vault Agent
Injector supports mounting ConfigMaps by specifying the name using the `vault.hashicorp.com/agent-configmap`
annotation. The configuration files will be mounted to `/vault/configs`.

The configuration map must contain either one or both of the following files:

- **config-init.hcl** used by the init container. This must have `exit_after_auth` set to `true`.
- **config.hcl** used by the sidecar container. This must have `exit_after_auth` set to `false`.

An example of mounting a Vault Agent configmap [can be found here](/docs/platform/k8s/injector/examples#configmap-example).
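The two file requirements above are easy to get wrong when one file is copied from the other. The following check is an added example, not part of vault-k8s; `check_agent_configmap` is a hypothetical helper that scans the ConfigMap's `data` entries with a regular expression rather than a full HCL parser, and it reads "must have ... set" strictly, so an absent setting is reported as well.

```python
import re

# Required exit_after_auth value per file, as stated on this page.
REQUIRED = {"config-init.hcl": "true", "config.hcl": "false"}

# Matches an uncommented top-of-line assignment; lines starting with
# '#' or '//' do not match. Block comments are not handled (assumption).
SETTING = re.compile(r"^[ \t]*exit_after_auth[ \t]*=[ \t]*(true|false)\b", re.M)


def check_agent_configmap(data):
    """data: ConfigMap `data` mapping (file name -> HCL text). Returns findings."""
    findings = []
    present = [name for name in REQUIRED if name in data]
    if not present:
        findings.append("ConfigMap has neither config-init.hcl nor config.hcl")
    for name in present:
        want = REQUIRED[name]
        values = SETTING.findall(data[name])
        if not values:
            findings.append(f"{name}: exit_after_auth is not set (must be {want})")
        elif values[-1] != want:
            # The last assignment in the file is the one compared here.
            findings.append(f"{name}: exit_after_auth = {values[-1]} (must be {want})")
    return findings


# Constructed sample: the init file was copied from the sidecar file
# without flipping the setting; the sidecar file has a commented-out line.
CONSTRUCTED_CONFIGMAP = {
    "config-init.hcl": 'exit_after_auth = false\nauto_auth {\n  method "kubernetes" {}\n}\n',
    "config.hcl": "# exit_after_auth = true\nexit_after_auth = false\n",
}

if __name__ == "__main__":
    for finding in check_agent_configmap(CONSTRUCTED_CONFIGMAP):
        print(finding)
```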
## Learn

Refer to the [Injecting Secrets into Kubernetes Pods via Vault Helm
Sidecar](https://learn.hashicorp.com/vault/getting-started-k8s/sidecar) guide
for a step-by-step tutorial.