I am using the OAuth2-Proxy helm chart which is authenticating using an external oidc provider, along with Vault to store the secrets. Now, in order to pass it the client-id & client-secret secrets stored in Vault, I followed this link -
This shows how to add these secrets as env vars in a container, but OAuth2-Proxy needs these variables to start in the first place (They are passed as args to the docker image's entrypoint). I also tried adding the source command to the postStart lifecycle method but that also gives the following error -
Exec lifecycle hook ([sh -c source /vault/secrets/oidc.sh]) for Container "oauth2-proxy" in Pod "oauth2-proxy-f6c8f7b69-kgjws_istio-system(7e488c12-2964-496f-a658-47739fcf3695)" failed - error: command 'sh -c source /vault/secrets/oidc.sh' exited with 126: , message: "OCI runtime exec failed: exec failed: cannot exec a container that has stopped: unknown\r\n" I think this is because the docker image's entry-point requires those env vars and the container dies off as soon as that command fails. Is there any other approach for doing this?
31 Answer
Here is a way to inject vault secrets into the k8s pod as ENV vars using vault Agent Injector method
First A template should be created that exports a Vault secret as an environment variable.
spec: template: metadata: annotations: # Environment variable export template | {{ with secret "secret/data/web" -}} export api_key="{{ .Data.data.payments_api_key }}" {{- end }} And the application container should source those files during startup.
args: ['sh', '-c', 'source /vault/secrets/config && <entrypoint script>']