Add annotation to copy volume mounts from existing container #212
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
Add test Add copy volume mount test Extract copyVolumeMount logic Signed-off-by: Pierce Bartine <piercebartine@gmail.com>
There was a problem hiding this comment.
Hi @pbar1, thanks for the contribution, this looks great! I took it for a spin and it works as described and have no comments on the implementation.
One thing I would ask before merging, I think we'll need a handler test case for this. The side effect of this annotation on the agents should result in volume JSON patches, so we'll want to test that is the case. Take a look at the handler test cases and let me know if you have any questions.
|
Sure, I've just added another test case for the handler, in which the CopyVolumeMounts annotation is specified. |
|
Thank you! |
|
Guys, this is awesome and perfect timing; I just realized I need this for a use case and it was just released yesterday! :) |
jfroche
added a commit
to jfroche/vault-k8s
that referenced
this pull request
Feb 15, 2021
We currently have two options to define vault agent templates: either define the template configuration as an inline template in the annotation or configure the vault agent directly. The former is really not handy when template is getting complex, the latter forces us to manage the whole vault agent configuration. We add a new annotation that enables the vault agent to inject secrets from a template file on the container disk. Since hashicorp#212, this template can be present in volume defined on the container. Annotation example: ```yaml vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app' vault.hashicorp.com/agent-inject-template-source-foo: '/etc/my-app/config.toml.tmpl' vault.hashicorp.com/agent-inject-file-foo: '/etc/my-app/config.toml', vault.hashicorp.com/agent-copy-volume-mounts: 'MyContainerNameWithVolumes' ``` If a template content is also defined in annotation (using `vault.hashicorp.com/agent-inject-template`, the template on disk won't be used. refs hashicorp#84
jfroche
added a commit
to jfroche/vault-k8s
that referenced
this pull request
Mar 30, 2021
We currently have two options to define vault agent templates: either define the template configuration as an inline template in the annotation or configure the vault agent directly. The former is really not handy when template is getting complex, the latter forces us to manage the whole vault agent configuration. We add a new annotation that enables the vault agent to inject secrets from a template file on the container disk. Since hashicorp#212, this template can be present in volume defined on the container. Annotation example: ```yaml vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app' vault.hashicorp.com/agent-inject-template-file-foo: '/etc/my-app/config.toml.tmpl' vault.hashicorp.com/agent-inject-file-foo: '/etc/my-app/config.toml', vault.hashicorp.com/agent-copy-volume-mounts: 'MyContainerNameWithVolumes' ``` If a template content is also defined in annotation (using `vault.hashicorp.com/agent-inject-template`, the template on disk won't be used. refs hashicorp#84
jfroche
added a commit
to jfroche/vault-k8s
that referenced
this pull request
Mar 30, 2021
We currently have two options to define vault agent templates: either define the template configuration as an inline template in the annotation or configure the vault agent directly. The former is really not handy when template is getting complex, the latter forces us to manage the whole vault agent configuration. We add a new annotation that enables the vault agent to inject secrets from a template file on the container disk. Since hashicorp#212, this template can be present in volume defined on the container. Annotation example: ```yaml vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app' vault.hashicorp.com/agent-inject-template-file-foo: '/etc/my-app/config.toml.tmpl' vault.hashicorp.com/agent-inject-file-foo: '/etc/my-app/config.toml', vault.hashicorp.com/agent-copy-volume-mounts: 'MyContainerNameWithVolumes' ``` If a template content is also defined in annotation (using `vault.hashicorp.com/agent-inject-template`, the template on disk won't be used. refs hashicorp#84
jasonodonnell
pushed a commit
that referenced
this pull request
Apr 5, 2021
We currently have two options to define vault agent templates: either define the template configuration as an inline template in the annotation or configure the vault agent directly. The former is really not handy when template is getting complex, the latter forces us to manage the whole vault agent configuration. We add a new annotation that enables the vault agent to inject secrets from a template file on the container disk. Since #212, this template can be present in volume defined on the container. Annotation example: ```yaml vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app' vault.hashicorp.com/agent-inject-template-file-foo: '/etc/my-app/config.toml.tmpl' vault.hashicorp.com/agent-inject-file-foo: '/etc/my-app/config.toml', vault.hashicorp.com/agent-copy-volume-mounts: 'MyContainerNameWithVolumes' ``` If a template content is also defined in annotation (using `vault.hashicorp.com/agent-inject-template`, the template on disk won't be used. refs #84
RemcoBuddelmeijer
pushed a commit
to RemcoBuddelmeijer/vault-k8s
that referenced
this pull request
Feb 22, 2022
…rp#212) * Add annotation to copy volumeMounts from container Add test Add copy volume mount test Extract copyVolumeMount logic Signed-off-by: Pierce Bartine <piercebartine@gmail.com> * Add handler test for CopyVolumeMounts
RemcoBuddelmeijer
pushed a commit
to RemcoBuddelmeijer/vault-k8s
that referenced
this pull request
Feb 22, 2022
We currently have two options to define vault agent templates: either define the template configuration as an inline template in the annotation or configure the vault agent directly. The former is really not handy when template is getting complex, the latter forces us to manage the whole vault agent configuration. We add a new annotation that enables the vault agent to inject secrets from a template file on the container disk. Since hashicorp#212, this template can be present in volume defined on the container. Annotation example: ```yaml vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app' vault.hashicorp.com/agent-inject-template-file-foo: '/etc/my-app/config.toml.tmpl' vault.hashicorp.com/agent-inject-file-foo: '/etc/my-app/config.toml', vault.hashicorp.com/agent-copy-volume-mounts: 'MyContainerNameWithVolumes' ``` If a template content is also defined in annotation (using `vault.hashicorp.com/agent-inject-template`, the template on disk won't be used. refs hashicorp#84
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces the following annotation:
vault.hashicorp.com/agent-copy-volume-mounts, whose value is expected to be the name of container (or init container) in the original pod spec whose volume mounts are to be copied into the Vault Agent init/sidecar containers. Volume mounts whose paths include the stringserviceaccountare ignored so we don't end up copying K8s service account token mounts (ie,/var/run/secrets/kubernetes.io/serviceaccount).The reasoning behind this feature: We inject all pods with X.509 certs via SPIFFE at runtime that end up in
emptyDirvolumes. We'd like to use the Vault Agent Auto-Auth Cert Method with these certs; our Vaults already require mTLS and use the TLS Certificates Auth Method against this PKI, so having these volumes mounted to the Vault Agent's init and sidecar containers is required.Regarding Auto-Auth via the Cert Method - I've got a separate branch that generalizes the injector to support all Auth Methods (#213). We're currently successfully running a build of the injector with these features in our dev environment.
Let me know how I can help to get this merged. Thanks! ☄️