Veli Şenol

Reputation: 3

How to use secrets created via HashiCorp Vault on Kubernetes pods

I am preparing an application for production. The topic I want help with is using the secret values I created in Vault. I inject my secrets into a pod, but I don't know how to reach them. I am using Helm charts for my entire application and have 8 microservices.

Here I can read my injected secrets for TESTING on my Vault pod, which is deployed as a Helm chart:

Key                 Value
refresh_interval    768h
password            sUp3rS3cUr3P@ssw0rd
username            dbuser

I wonder how to use my "password" in the YAML of one of my microservices for my application.

Upvotes: 0

Views: 219

Answers (1)

RanAbitbul

Reputation: 211

Since you are injecting your secrets into the pod, you should be able to know the path in which the secrets are located and the names of the secret files.

If that is the case, you can expose an ENV variable SECRETS_DIR_PATH via a ConfigMap, which will contain the path to your secrets directory in your pod, e.g.:

apiVersion: v1
kind: ConfigMap
# ...
data:
  SECRETS_DIR_PATH: "/mnt/store/<appName>/secrets"

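Once you have exposed this ENV variable, you can use it in your application and read the secret file. Example (using Java dotenv):

// Resolve the secrets directory from the SECRETS_DIR_PATH environment variable
var secretsDirPath = dotenv.get("SECRETS_DIR_PATH");
// Secrets is your own helper package that reads the files in that directory
var secrets = Secrets.create(secretsDirPath);
var mySecret = secrets.getSecret("mySecret");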

This example assumes you have a Secrets package that manages the reading and fetching of your secrets. Of course you can simply read them as a file. An advantage to having a package manage the secrets is you can perform caching and make sure your secrets are always fresh.

Upvotes: 0
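
An added example, not part of the answer above or of any library: a minimal Java implementation of the hypothetical `Secrets` helper the answer assumes, reading one file per secret from the directory in `SECRETS_DIR_PATH` and re-reading a file only when its modification time changes. The class and method names and the one-file-per-secret layout are assumptions taken from the answer's snippet; it needs Java 16 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper: one file per secret under the directory named by SECRETS_DIR_PATH.
public final class Secrets {
    private record Entry(FileTime modified, String value) {}
    private final Path dir;
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();

    private Secrets(Path dir) { this.dir = dir; }

    public static Secrets create(String dirPath) {
        if (dirPath == null || dirPath.isBlank())
            throw new IllegalStateException("SECRETS_DIR_PATH is not set");
        return new Secrets(Path.of(dirPath).toAbsolutePath().normalize());
    }

    public String getSecret(String name) throws IOException {
        Path file = dir.resolve(name).normalize();
        // Reject names such as "../other" that would escape the secrets directory.
        if (!file.startsWith(dir) || file.equals(dir))
            throw new IllegalArgumentException("invalid secret name: " + name);
        FileTime modified = Files.getLastModifiedTime(file);
        Entry cached = cache.get(name);
        // Re-read only when the injector has rewritten the file since the last read.
        if (cached == null || !cached.modified().equals(modified)) {
            // Drop the trailing newline that rendered secret files usually end with.
            String value = Files.readString(file, StandardCharsets.UTF_8).stripTrailing();
            cached = new Entry(modified, value);
            cache.put(name, cached);
        }
        return cached.value();
    }

    // Constructed demo: writes a sample secret to a temp directory, then reads it back.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("secrets");
        Files.writeString(tmp.resolve("mySecret"), "constructed-sample-value\n");
        Secrets secrets = Secrets.create(tmp.toString());
        // Print only whether the round trip matched, never the secret itself.
        System.out.println("constructed-sample-value".equals(secrets.getSecret("mySecret")));
    }
}
```

Callers of `getSecret` have to handle the checked `IOException`, which is also what surfaces when an expected secret file was never injected into the pod.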
