Hashicorp Vault Agent Injector: base64 decoding secrets using ''agent-inject-command' annotation

Question

I’m injecting a base64 encoded truststore file into my container and then using the ‘agent-inject-command’ annotation in an attempt to decode the secret and write it to a file. Here is a snippet of my k8s manifest:

vault.hashicorp.com/agent-inject-secret-truststore-jks: "secret/directory/truststore_jks"
vault.hashicorp.com/agent-inject-file-truststore-jks: b64.truststore.jks
vault.hashicorp.com/secret-volume-path-truststore-jks: /home
vault.hashicorp.com/agent-inject-command-truststore-jks-truststore-jks: /bin/bash -c "base64 -d /home/b64.truststore.jks > /home/truststore.jks"

The result is that the encoded version is injected to the file, but the command does not run successfully, thus the decoded version does not exist in the container.

I've been able to run the base64 -d command on it's own with this method (as well as some other commands) but the problem only appears when redirecting or chaining commands.

Any insight on the correct way to do this or an alternate approach to reach the same goal would be greatly appreciated.

Answer 1

Found an alternate method using Vault Agent Templates, specifically the base64Decode function from their Consul Templating engine.

The relevant configuration used to inject the decoded secret was as follows:

vault.hashicorp.com/agent-inject-secret-truststore-jks: "secret/path/to/secret/truststore_jks"
vault.hashicorp.com/agent-inject-file-truststore-jks: truststore.jks
vault.hashicorp.com/secret-volume-path-truststore-jks: /home
vault.hashicorp.com/agent-inject-template-truststore-jks: |
  {{- with secret "secret/path/to/secret" -}}
  {{ base64Decode .Data.data.truststore_jks }}
  {{-  end }}