Hashicorp Vault restart pods when key changed in Kubernetes

Jamal Shahverdiev
2 min read · Nov 14, 2022


In this article I will show how to automatically restart all pods in your deployment when a secret value changes at a predefined secret path. Hashicorp Vault is deployed in HA mode (with auto-unseal configured) and a Google Cloud Storage (GCS) bucket backend. Authentication is integrated with GitHub and Google OIDC. To get secrets inside the pods I use the vault-agent sidecar container with annotations. It looks like the following:

```yaml
sidecar.istio.io/inject: "true"
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/auth-path: "auth/kubernetes"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "company"
vault.hashicorp.com/agent-inject-secret-config: "company/account-service"
vault.hashicorp.com/log-level: "debug"
vault.hashicorp.com/template-static-secret-render-interval: "2m"
vault.hashicorp.com/agent-inject-template-config: |
  {{- with secret "company/some-service" -}}
  export AUTH_PASSWORD="{{ .Data.data.AUTH_PASSWORD }}"
  export SERVICE_PASSWORD="{{ .Data.data.SERVICE_PASSWORD }}"
  export AUTH_USERNAME="{{ .Data.data.AUTH_USERNAME }}"
  export SECRET_KEY_BASE="{{ .Data.data.SECRET_KEY_BASE }}"
  {{- end }}
```

From these annotations we can see that the deployment authenticates to Vault with the auth/kubernetes method, using the role company and the pod's serviceAccount (the role is configured inside Hashicorp Vault to grant access to this namespace and serviceAccount). All secret values stored at the Vault path company/some-service are rendered into the file /vault/secrets/config inside the container (the file name config comes from the annotation vault.hashicorp.com/agent-inject-secret-config). This works well, but if you change the value of an existing key the pods will not be restarted. To achieve that I went to the official Hashicorp Vault page and found the vault.hashicorp.com/agent-inject-command annotation (see the Hashicorp Vault agent injector annotations page). Then I looked at the logs of the vault-agent-injector pod to see the mutation happening when I change the secret in Vault (it works). All the code files I used are in this GitHub repository.

Note: shareProcessNamespace: true must be defined inside your deployment, because the agent-inject-command runs in the vault-agent sidecar and can only see and signal the application's process when the containers share a process namespace.
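The following Deployment manifest is an added example (not code from the original article or its GitHub repository) that wires the annotations above to vault.hashicorp.com/agent-inject-command-config, so the application process is terminated and the container restarted whenever the rendered secret file changes. The image, the container and process name account-service, the namespace, and the serviceAccount name are placeholder assumptions; the Vault role company and the KV path company/some-service are taken from the article. It also assumes the vault-agent sidecar image provides pidof (the official Alpine-based image does via busybox).

```yaml
# Added example: Deployment whose app container is restarted when Vault secrets change.
# Placeholders (assumptions): image, container/process name "account-service",
# namespace "company", serviceAccount "company".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: account-service
  namespace: company
spec:
  replicas: 2
  selector:
    matchLabels:
      app: account-service
  template:
    metadata:
      labels:
        app: account-service
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/auth-path: "auth/kubernetes"
        vault.hashicorp.com/role: "company"
        # Re-read static KV secrets every 2 minutes; a changed value re-renders the file.
        vault.hashicorp.com/template-static-secret-render-interval: "2m"
        vault.hashicorp.com/agent-inject-secret-config: "company/some-service"
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "company/some-service" -}}
          export AUTH_USERNAME="{{ .Data.data.AUTH_USERNAME }}"
          export AUTH_PASSWORD="{{ .Data.data.AUTH_PASSWORD }}"
          {{- end }}
        # Runs inside the vault-agent sidecar after /vault/secrets/config is (re)rendered.
        # pidof fails (non-zero) when the app is not running yet, e.g. on the very first
        # render, so the kill is only attempted when a PID was actually found.
        # The kubelet restarts the exited container (restartPolicy Always), and the new
        # process re-sources the freshly rendered file.
        vault.hashicorp.com/agent-inject-command-config: "sh -c 'pid=$(pidof account-service) && kill -TERM $pid'"
    spec:
      serviceAccountName: company     # must be bound to the Vault role "company"
      shareProcessNamespace: true     # lets the sidecar see and signal the app's PID
      containers:
        - name: account-service
          image: registry.example.com/account-service:1.0.0   # placeholder
          command: ["/bin/sh", "-c"]
          # Source the rendered secrets, then exec the real binary so it keeps
          # the process name that pidof looks for.
          args: [". /vault/secrets/config && exec /usr/local/bin/account-service"]
```

Apply it with kubectl apply -f and, after writing a new value to the KV path, watch kubectl get pods -w: within the 2-minute render interval the RESTARTS count of the app container increases. If the application can reload its configuration on SIGHUP, send kill -HUP instead of -TERM and the container is re-configured without a restart. Because the sidecar can signal any process in the pod once the namespace is shared, keep the command fixed to a single well-known process name and avoid granting the pod more capabilities than the default.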

I simulate the whole flow in the following video. I hope it will be useful.
