Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
524 views
in Technique[技术] by (71.8m points)

Hashicorp Vault Agent Injector: base64 decoding secrets using ''agent-inject-command' annotation

I’m injecting a base64 encoded truststore file into my container and then using the ‘agent-inject-command’ annotation in an attempt to decode the secret and write it to a file. Here is a snippet of my k8s manifest:

vault.hashicorp.com/agent-inject-secret-truststore-jks: "secret/directory/truststore_jks"
vault.hashicorp.com/agent-inject-file-truststore-jks: b64.truststore.jks
vault.hashicorp.com/secret-volume-path-truststore-jks: /home
vault.hashicorp.com/agent-inject-command-truststore-jks-truststore-jks: /bin/bash -c "base64 -d /home/b64.truststore.jks > /home/truststore.jks"

The result is that the encoded version is injected to the file, but the command does not run successfully, thus the decoded version does not exist in the container.

I've been able to run the base64 -d command on it's own with this method (as well as some other commands) but the problem only appears when redirecting or chaining commands.

Any insight on the correct way to do this or an alternate approach to reach the same goal would be greatly appreciated.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Found an alternate method using Vault Agent Templates, specifically the base64Decode function from their Consul Templating engine.

The relevant configuration used to inject the decoded secret was as follows:

vault.hashicorp.com/agent-inject-secret-truststore-jks: "secret/path/to/secret/truststore_jks"
vault.hashicorp.com/agent-inject-file-truststore-jks: truststore.jks
vault.hashicorp.com/secret-volume-path-truststore-jks: /home
vault.hashicorp.com/agent-inject-template-truststore-jks: |
  {{- with secret "secret/path/to/secret" -}}
  {{ base64Decode .Data.data.truststore_jks }}
  {{-  end }}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...