How to inject Vault and consume HashiCorp Vault secrets?
If you want to inject the Vault secret into the deployment pod, here is what you can do.
There is one great project on GitHub, Vault-CRD, in Java: https://github.com/DaspawnW/vault-crd
Vault CRD for sharing Vault secrets with Kubernetes. It injects and syncs values from Vault to Kubernetes secrets. You can use these secrets as environment variables inside the pod.
The flow goes something like: Vault to Kubernetes secret, and that secret gets injected into the deployment using YAML, the same as a ConfigMap.
Apart from this, there is also another nice method: the sidecar pattern.
For that, there is a very nice tutorial: https://github.com/hashicorp/hands-on-with-vault-on-kubernetes
Another one: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar
I vaguely recall facing a similar problem while consuming secrets from Vault using the agent injector pattern. Though I didn't dig too deep into why it wasn't working, I figured an easy way around it. Would a configuration like the one below help you, maybe?

    ...
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/role: "app-role"
      vault.hashicorp.com/agent-inject-status: "update"
      vault.hashicorp.com/agent-inject-secret-pg.env: "secret/data/pg"
      vault.hashicorp.com/agent-inject-template-pg.env: |
        {{- with secret "secret/data/pg" -}}
        postgres://{{ .Data.data.user }}:{{ .Data.data.password }}@{{ .Data.data.host }}:{{ .Data.data.port }}/wizard?sslmode=disable
        {{- end }}
    ...
    spec:
      serviceAccountName: app
      ...
      args:
        - echo set env variable(s); export POSTGRES_CONN_STRING=$(cat /vault/secrets/pg.env)
    ...

We use a similar approach for setting the MongoDB connection string and a few others. It works just fine for us.
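A complete Deployment manifest that wires the annotations from the answer above together, added here as an illustration and not part of that answer or of the Vault project itself. The Deployment name, the image and the /app/server entrypoint are placeholders; it assumes a Vault Kubernetes auth role named app-role that is bound to the app service account and allowed to read secret/data/pg.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wizard-api            # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wizard-api
  template:
    metadata:
      labels:
        app: wizard-api
      annotations:
        # Ask the Vault Agent Injector to mutate this pod and add the agent
        # init/sidecar containers; nothing happens without this annotation.
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes auth role in Vault (assumed to exist and to be bound to
        # the "app" service account below).
        vault.hashicorp.com/role: "app-role"
        # Render KV v2 secret/data/pg into /vault/secrets/pg.env ...
        vault.hashicorp.com/agent-inject-secret-pg.env: "secret/data/pg"
        # ... using this template; the file holds only the connection string.
        vault.hashicorp.com/agent-inject-template-pg.env: |
          {{- with secret "secret/data/pg" -}}
          postgres://{{ .Data.data.user }}:{{ .Data.data.password }}@{{ .Data.data.host }}:{{ .Data.data.port }}/wizard?sslmode=disable
          {{- end }}
    spec:
      # The injected agent authenticates to Vault with this service account's token.
      serviceAccountName: app
      containers:
        - name: api
          image: registry.example.com/wizard-api:1.0   # placeholder image
          command: ["/bin/sh", "-c"]
          # Read the rendered file in the container's own shell at start-up, so the
          # credential lives only in the file and the process environment and never
          # in the pod spec, where anyone who can read Deployments would see it.
          args:
            - |
              export POSTGRES_CONN_STRING="$(cat /vault/secrets/pg.env)"
              exec /app/server
```

Because the agent runs as an init container first, /vault/secrets/pg.env already exists when the api container starts; the shared memory volume that backs /vault/secrets is created by the injector, so no volume needs to be declared here.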