Vault-kubernetes-initcontainer is a small application that runs as an Init Container in Kubernetes to authenticate with Vault using Kubernetes auth method. Vault can run inside or outside kubernetes cluster.

Vault-kubernetes-initcontainer runs as an Init Container to do below stuff,

1. Retrieve the Client token from Vault presenting a Service token of Pod and a Role it can assume.

2. Retrieve secrets from Vault from a specified path

3. Place the secret grabbed into a shared volume which can be used by all other App containers running in same Pod like below. It can retreive a secret file or secret variables and Apps can use it accordingly.

• VAULT_URL : Address to the Vault server, including the protocol and port (like https://vault.default.svc.cluster.local:8200)
• VAULT_ROLE : Vault role that Application can assume for authentication.
• VAULT_SECRET_PATH : Path in Vault form where secrets have to be fetched
• VAULT_SKIP_VERIFY : To skip SSL validation while connecting to Vault. (Boolean : True/False) Certs will be taken from /etc/tls/ca.crt if set to True
• VAULT_K8S_ENDPOINT: Path where Kubernetes auth method is enabled (ex : kubernetes-stage-cluster) . Helps when 1 vault is connected to multiple k8s clusters. If no value is passed ,it is be set to default k8s auth path "kubernetes".
• SECRET_TARGET_PATH: Path in Pod Volumes where secrets have to stored
• SECRET_TARGET_FILE: Name of the file to store secret in above location
• SECRET_TYPE : {file / Variables} Indicates whether secrets in Vault is a file or individual Variables

Serive Account tokens are grabbed from default path: /var/run/secrets/kubernetes.io/serviceaccount/token

Certs taken from /etc/tls/ca.crt ,assuming its mounted to Pod as Volume if VAULT_SKIP_VERIFY is not set.

Sample properties file in repo.

For passing above parameters to Init container in a more secure way is to create a Secret in K8s like below with above properties and pass the secret to Pod to inject environment variables.

kubectl create secret generic vault-services-properties --from-env-file=./vault.properties 

apiVersion: v1 kind: Pod metadata: name: vault-secret-management spec: initContainers: # Init Container - name: vault-init-container image: {image from repo}  imagePullPolicy: Always envFrom: # Environment variables needed for vault authentication injected from secret.  - secretRef: name: vault-services-properties  volumeMounts: # path to store the secrets after fetched from vault (Ex: /opt/config) - name: data mountPath: /opt/ # certs path if passing ,else can be skipped by setting property VAULT_SKIP_VERIFY - name: certs mountPath: /etc/tls containers: # Application Container 1 - name: App1 image: {Application Image}  volumeMounts: # App reads secret file from the same Volume which is mounted by Init container above - name: data mountPath: /opt/ subPath: config # Application Container 2 - name: App2 image: {Application Image}  command: - "sh" - "-c" - >  source /opt/config;  ./app.sh; # App startup script  volumeMounts: # App sources secret file from the same Volume which is mounted by Init container above - name: data mountPath: /opt/ subPath: config volumes: - name: data emptyDir: {} - name: certs secret: secretName: certs # certs for authenticating with Vault .