open-vault/website/source/docs/platform/k8s/injector/examples.html.md


doc: add agent inject documentation (#8032) * Add agent inject documentation * Update layout * Fix sidebar title * Fix format * Update formatting * Updates * Convert table to list * Add remaining doc * Add note about namespace selector * Fix page description * Fix description error, clarify container doc * Fix typos * Update website/source/docs/platform/k8s/injector/index.html.md Co-Authored-By: Clint <catsby@users.noreply.github.com> * Update website/source/docs/platform/k8s/injector/index.html.md Co-Authored-By: Clint <catsby@users.noreply.github.com> * Update website/source/docs/platform/k8s/injector/examples.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update website/source/docs/platform/k8s/injector/examples.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update website/source/docs/platform/k8s/injector/index.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update website/source/docs/platform/k8s/injector/index.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update website/source/docs/platform/k8s/injector/installation.html.md Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update doc from feedback * Update website/source/docs/platform/k8s/helm/configuration.html.md Co-Authored-By: Becca Petrin <beccapetrin@gmail.com> * Update website/source/docs/platform/k8s/helm/configuration.html.md Co-Authored-By: Becca Petrin <beccapetrin@gmail.com> * Update website/source/docs/platform/k8s/helm/configuration.html.md Co-Authored-By: Becca Petrin <beccapetrin@gmail.com> * Update website/source/docs/platform/k8s/helm/configuration.html.md Co-Authored-By: Becca Petrin <beccapetrin@gmail.com> * Update website/source/docs/platform/k8s/helm/configuration.html.md Co-Authored-By: Becca Petrin <beccapetrin@gmail.com> * Update website/source/docs/platform/k8s/helm/configuration.html.md Co-Authored-By: Becca Petrin <beccapetrin@gmail.com>
2019-12-18 18:44:14 +00:00
---
layout: "docs"
page_title: "Vault Agent Sidecar Injector Examples"
sidebar_current: "docs-platform-k8s-injector-examples"
sidebar_title: "Examples"
description: |-
  This section documents examples of using the Vault Agent Injector.
---

# Vault Agent Injector Examples

The following are different configuration examples to support a variety of
deployment models.

~> A common mistake is to set the annotation on the Deployment or other resource.
Ensure that the injector annotations are specified on the pod specification when
using higher level constructs such as deployments, jobs or statefulsets.

## Before Using the Vault Agent Injector

Before applying Vault Agent injection annotations to pods, the following requirements
should be satisfied:

* the Kubernetes auth method should be configured and enabled in Vault,
* the pod should have a service account,
* the desired secrets should exist within Vault,
* the service account should be bound to a Vault role with a policy enabling access to the desired secrets.

For more information on configuring the Vault Kubernetes auth method,
[see the official documentation](/docs/auth/kubernetes.html#configuration).

## Debugging

If an error occurs with a mutation request, Kubernetes will attach the error to the
owner of the pod. Check the following for errors:

* If the pod was created by a deployment or statefulset, check for errors in the `replicaset`
  that owns the pod.
* If the pod was created by a job, check the `job` for errors.

## Patching Existing Pods

To patch existing pods, a Kubernetes patch can be applied to add the required annotations
to pods. When applying a patch, the pods will be rescheduled.

First, create the patch:

```bash
cat <<EOF > ./patch.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: "update"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/db-app" -}}
          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
          {{- end }}
        vault.hashicorp.com/role: "db-app"
        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
        vault.hashicorp.com/client-key: "/vault/tls/client.key"
        vault.hashicorp.com/tls-secret: "vault-tls-client"
EOF
```

Next, apply the patch:

```bash
kubectl patch deployment <MY DEPLOYMENT> --patch "$(cat patch.yaml)"
```

The pod should now be rescheduled with additional containers. The pod can be inspected
using the `kubectl describe` command:

```bash
kubectl describe pod <name of pod>
```

## Deployments, StatefulSets, etc.

The annotations for configuring Vault Agent injection must be on the pod
specification. Since higher level resources such as Deployments wrap pod
specification templates, Vault Agent Injector can be used with all of these
higher level constructs, too.

An example Deployment below shows how to enable Vault Agent injection:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-example-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-example
  template:
    metadata:
      labels:
        app: app-example
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-app"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/db-app" -}}
          postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/appdb?sslmode=disable
          {{- end }}
        vault.hashicorp.com/role: "db-app"
        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
        vault.hashicorp.com/client-cert: "/vault/tls/client.crt"
        vault.hashicorp.com/client-key: "/vault/tls/client.key"
        vault.hashicorp.com/tls-secret: "vault-tls-client"
    spec:
      containers:
        - name: app
          image: "app:1.0.0"
      serviceAccountName: app-example
```

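The placement check from the note at the top of this page, as an added example that is not part of the Vault documentation or the injector code: a small Python linter over a workload manifest in the shape `kubectl get deployment <name> -o json` returns (loaded into a dict). It flags injector annotations that landed on the resource metadata instead of the pod template, a template annotation with no matching secret annotation, a pod template that sets neither `vault.hashicorp.com/role` nor `vault.hashicorp.com/agent-configmap`, and a pod template with no service account named; the two sample manifests are constructed from the Deployment above.

```python
PREFIX = "vault.hashicorp.com/"

def injector_annotations(meta):
    """Injector annotations found in one Kubernetes metadata block (may be None)."""
    return {k: v for k, v in (meta or {}).get("annotations", {}).items()
            if k.startswith(PREFIX)}

def lint_workload(obj):
    """Return findings for a Deployment/StatefulSet/Job dict; an empty list means OK."""
    findings = []
    kind = obj.get("kind", "<unknown kind>")
    # The common mistake: annotations on the resource itself, not on its pod template.
    misplaced = injector_annotations(obj.get("metadata"))
    if misplaced:
        findings.append(f"{kind}: injector annotations on resource metadata "
                        f"instead of spec.template.metadata: {sorted(misplaced)}")
    template = obj.get("spec", {}).get("template", {})
    pod = injector_annotations(template.get("metadata"))
    if pod.get(PREFIX + "agent-inject") != "true":
        findings.append(f'{kind}: pod template lacks {PREFIX}agent-inject: "true"')
        return findings
    # As in the two examples on this page: a role annotation, or a ConfigMap with the agent config.
    if PREFIX + "role" not in pod and PREFIX + "agent-configmap" not in pod:
        findings.append(f"{kind}: set {PREFIX}role or {PREFIX}agent-configmap")
    # A template annotation only renders if the matching secret annotation exists.
    tpl = PREFIX + "agent-inject-template-"
    for key in pod:
        name = key[len(tpl):]
        if key.startswith(tpl) and PREFIX + "agent-inject-secret-" + name not in pod:
            findings.append(f"{kind}: {key} has no matching agent-inject-secret-{name}")
    if not template.get("spec", {}).get("serviceAccountName"):
        findings.append(f"{kind}: pod template names no serviceAccountName (Kubernetes auth needs one bound to the role)")
    return findings

# Constructed sample: the Deployment above, shaped as `kubectl get deployment -o json` returns it.
GOOD = {"kind": "Deployment", "metadata": {"name": "app-example-deployment"},
        "spec": {"template": {
            "metadata": {"annotations": {
                PREFIX + "agent-inject": "true",
                PREFIX + "agent-inject-secret-db-creds": "database/creds/db-app",
                PREFIX + "agent-inject-template-db-creds":
                    '{{- with secret "database/creds/db-app" -}}{{ .Data.username }}{{- end }}',
                PREFIX + "role": "db-app"}},
            "spec": {"serviceAccountName": "app-example",
                     "containers": [{"name": "app", "image": "app:1.0.0"}]}}}}

# Constructed sample: the mistake the note warns about, the same annotations moved onto the Deployment.
MISPLACED = {"kind": "Deployment", "metadata": {"name": "app-example-deployment",
             "annotations": GOOD["spec"]["template"]["metadata"]["annotations"]},
             "spec": {"template": {"metadata": {}, "spec": GOOD["spec"]["template"]["spec"]}}}
```

Running `lint_workload` over the output of `kubectl get deployment <name> -o json` before applying a patch shows why a pod was never mutated without waiting for the injector's error on the owning `replicaset`.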
## ConfigMap Example

The following example creates a deployment that mounts a Kubernetes ConfigMap
containing Vault Agent configuration files. For a complete list of the Vault
Agent configuration settings, [see the Agent documentation](/docs/agent/template/index.html#vault-agent-templates).

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-example-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-example
  template:
    metadata:
      labels:
        app: app-example
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-configmap: "my-configmap"
        vault.hashicorp.com/tls-secret: "vault-tls-client"
    spec:
      containers:
        - name: app
          image: "app:1.0.0"
      serviceAccountName: app-example
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
  labels:
    app: app-example
data:
  config.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "db-app"
        }
        "type" = "kubernetes"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = false
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = "{{- with secret \"database/creds/db-app\" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
      "destination" = "/vault/secrets/db-creds"
    }
    "vault" = {
      "address" = "https://vault.demo.svc.cluster.local:8200"
      "ca_cert" = "/vault/tls/ca.crt"
      "client_cert" = "/vault/tls/client.crt"
      "client_key" = "/vault/tls/client.key"
    }
  config-init.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "db-app"
        }
        "type" = "kubernetes"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = true
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = "{{- with secret \"database/creds/db-app\" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
      "destination" = "/vault/secrets/db-creds"
    }
    "vault" = {
      "address" = "https://vault.demo.svc.cluster.local:8200"
      "ca_cert" = "/vault/tls/ca.crt"
      "client_cert" = "/vault/tls/client.crt"
      "client_key" = "/vault/tls/client.key"
    }
```