Reputation: 463
I am using the OAuth2-Proxy helm chart, which is authenticating using an external OIDC provider, along with Vault to store the secrets. Now, in order to pass it the client-id & client-secret secrets stored in Vault, I followed this link - https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example
This shows how to add these secrets as env vars in a container, but OAuth2-Proxy needs these variables to start in the first place (they are passed as args to the docker image's entrypoint). I also tried adding the source command to the postStart lifecycle method, but that also gives the following error -
Exec lifecycle hook ([sh -c source /vault/secrets/oidc.sh]) for Container "oauth2-proxy" in Pod "oauth2-proxy-f6c8f7b69-kgjws_istio-system(7e488c12-2964-496f-a658-47739fcf3695)" failed - error: command 'sh -c source /vault/secrets/oidc.sh' exited with 126: , message: "OCI runtime exec failed: exec failed: cannot exec a container that has stopped: unknown\r\n"
I think this is because the docker image's entry-point requires those env vars and the container dies off as soon as that command fails. Is there any other approach for doing this?
Upvotes: 0
Views: 2390
Reputation: 372
Here is a way to inject Vault secrets into the k8s pod as ENV vars using the Vault Agent Injector method.
First, a template should be created that exports a Vault secret as an environment variable.
spec:
  template:
    metadata:
      annotations:
        # Environment variable export template
        vault.hashicorp.com/agent-inject-template-config: |
          {{ with secret "secret/data/web" -}}
            export api_key="{{ .Data.data.payments_api_key }}"
          {{- end }}
And the application container should source those files during startup.
args:
['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']
Upvotes: 2
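As an added example (not the answer's own manifest), the same pattern applied to the question's oauth2-proxy container: the injector renders the Vault client credentials as OAUTH2_PROXY_CLIENT_ID/OAUTH2_PROXY_CLIENT_SECRET exports, and the container's command sources them before exec'ing the proxy, which is what a postStart hook cannot do because the entrypoint has already started without them. Assumed here: a Vault Kubernetes-auth role and a service account both named oauth2-proxy, a KV v2 secret at secret/data/oauth2-proxy with keys client_id and client_secret, and an image tag that still ships /bin/sh; the other flags oauth2-proxy needs (issuer URL, cookie secret, upstream) are omitted.

```yaml
# Added example, not from the answer above. Assumptions: Vault k8s-auth role
# "oauth2-proxy", KV v2 secret secret/data/oauth2-proxy with keys client_id and
# client_secret, and an oauth2-proxy image variant that still contains /bin/sh.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "oauth2-proxy"
        # Static credentials: render once in an init container, no long-lived sidecar.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/agent-inject-secret-oidc.sh: "secret/data/oauth2-proxy"
        # Rendered to /vault/secrets/oidc.sh. Values are single-quoted so that
        # spaces or '$' in the secret stay literal when the file is sourced.
        vault.hashicorp.com/agent-inject-template-oidc.sh: |
          {{- with secret "secret/data/oauth2-proxy" -}}
          export OAUTH2_PROXY_CLIENT_ID='{{ .Data.data.client_id }}'
          export OAUTH2_PROXY_CLIENT_SECRET='{{ .Data.data.client_secret }}'
          {{- end }}
    spec:
      serviceAccountName: oauth2-proxy
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0-alpine  # assumed tag with a shell
          # Override the image ENTRYPOINT: source the rendered file in the same
          # shell, then exec so oauth2-proxy replaces sh as PID 1 with the vars set.
          # '.' instead of 'source' keeps this portable across POSIX shells.
          command: ["/bin/sh", "-c"]
          args:
            - . /vault/secrets/oidc.sh && exec /bin/oauth2-proxy --provider=oidc --http-address=0.0.0.0:4180
          ports:
            - containerPort: 4180
```

Because the credentials are read from the injector's volume at start-up rather than declared as env values, they do not appear in the pod spec or in kubectl describe output.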