[Kuberenetes] Vault issue - No such file or directory

tommyHicks · May 17, 2022, 8:43pm

Hello

I was trying to inject vault secrets inside pod environment, here is what is my deployment -

kind: Deployment
metadata:
 name: myservicepod7
 labels:
  app: servicepod
spec:
 replicas: 1
 selector: 
  matchLabels:
   app: servicepod
 template:
  metadata:
    annotations:
        [vault.hashicorp.com/agent-inject](http://vault.hashicorp.com/agent-inject): 'true'
        [vault.hashicorp.com/role](http://vault.hashicorp.com/role): 'internal-app'
        [vault.hashicorp.com/agent-inject-secret-database-config](http://vault.hashicorp.com/agent-inject-secret-database-config): 'internal/data/database/config'
        [vault.hashicorp.com/agent-inject-template-config](http://vault.hashicorp.com/agent-inject-template-config): |
          {{ with secret "internal/data/database/config" -}}
            export username="{{ .Data.username }}"
          {{- end }}
    labels:
     app: servicepod
  spec:
   serviceAccountName: internal-app
   volumes:
   - name: hostvolume
     hostPath:
      path: /var/www/html
   containers:
   - name: php
     image: php:7.2-apache
     command: ["/bin/bash", "-c"]
     args: ['source /vault/secrets/database-config &amp;&amp; sleep infinity']
     workingDir: /var/www/html
     ports:
      - name: serviceport
        containerPort: 80 
     volumeMounts: 
      - name: hostvolume
        mountPath: /var/www/html```
So when I try to check the logs, I see this error -

```/vault/secrets/database-config: line 1: data:: command not found
/vault/secrets/database-config: line 2: nil: No such file or directory```
Can anyone shed some light?

kPate · May 17, 2022, 10:11pm

Never used vault, but…

Those errors come from the script /vault/secrets/database-config, right? So you do have it mounted and being executed, but it doesn’t seem to be a valid script. Trying to call a command data: or something.

tommyHicks · May 17, 2022, 11:01pm

Yes, so these are the contents -

metadata: map[created_time:2022-05-09T09:16:26.42025909Z custom_metadata:&lt;nil&gt; deletion_time: destroyed:false version:1]```

tommyHicks · May 18, 2022, 12:44am

This is the file created by vault, I just added username and password entry inside kv (Key value pairs in vault)

kPate · May 18, 2022, 2:35am

That is a stringified golang struct. I assume it’s the .Data struct from which you tried to print only .Data.username into the template.

It’s clear that the file contents don’t match the template you provided (e.g. don’t contain export username=). I don’t know why this is because never used Vault. Make sure to check that you’re using the latest version, etc.

kPate · May 18, 2022, 3:00am

Reading https://www.vaultproject.io/docs/platform/k8s/injector/annotations…

I think the problem is a mismatch between your annotations:

[vault.hashicorp.com/agent-inject-template-config](http://vault.hashicorp.com/agent-inject-template-config)```
One has `database-config`, one has just `config`.

kPate · May 18, 2022, 4:19am

> • [vault.hashicorp.com/agent-inject-template](http://vault.hashicorp.com/agent-inject-template) - configures the template Vault Agent should use for rendering a secret. The name of the template is any unique string after [vault.hashicorp.com/agent-inject-template-](http://vault.hashicorp.com/agent-inject-template-), such as [vault.hashicorp.com/agent-inject-template-foobar](http://vault.hashicorp.com/agent-inject-template-foobar). This should map to the same unique value provided in [vault.hashicorp.com/agent-inject-secret-](http://vault.hashicorp.com/agent-inject-secret-). If not provided, a default generic template is used.
> •
> •
>

tommyHicks · May 18, 2022, 4:26am

Oh!, you are life saver.

Seriously it worked pefectly. Really very nice observation. Thanks for responding.

tommyHicks · May 18, 2022, 5:59am

, One more thing if you can help me out, everything is working fine but when I added source command for the file inside args, it did not executed, meaning when I try ‘env’, i see no variable was there.

But note: If I try to do source <configfilename> manually inside the pod, I can successfully set the variable inside envrionment variable. So can you suggest me something?

This is the argument I am using

args: ["-c", ‘source /vault/secrets/config && sleep infinity’]

Ideally from this doc- we should use entrypoint script - but I used sleep infinity,

https://www.vaultproject.io/docs/platform/k8s/injector/examples