哈希科普金库秘密不是在库伯内特斯获得的

Question

我在保险库中创建了一些秘密，我正在传递如下的变量。但秘密是不可信的。

annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-vault-addr: 'https://vaultadd.com'
        vault.hashicorp.com/auth-type: 'approle'
        vault.hashicorp.com/auth-path: 'auth/approle'
        vault.hashicorp.com/auth-config-role-id-file-path: '/vault/custom/role-id'
        vault.hashicorp.com/auth-config-secret-id-file-path: '/vault/custom/secret-id'
        vault.hashicorp.com/agent-extra-secret: 'mysecret'
        vault.hashicorp.com/role: 'myrole'
        vault.hashicorp.com/auth-config-remove_secret_id_file_after_reading: 'false'
        vault.hashicorp.com/log-level: 'debug'
        vault.hashicorp.com/agent-inject-secret-MY-SECRET: 'secret/mysecret/secrets'
        vault.hashicorp.com/agent-inject-template-MY-SECRET: |
             {{ with secret "secret/mysecret/secrets" -}}
               export username={{ .Data.username}}
               export password={{ .Data.password }}
             {{- end }}

在Args中，我在下面提到过

args:
            ["sh", "-c", "source /vault/secrets/config && MY_ENTRYPOINT"]

Answer 1

请使用环境变量注释而不是文件模板注释。

请按以下方式更改注释

vault.hashicorp.com/agent-inject-secret-config: 'secret/mysecret/secrets'
vault.hashicorp.com/agent-inject-template-config: |
             {{ with secret "secret/mysecret/secrets" -}}
               export username={{ .Data.username}}
               export password={{ .Data.password }}
             {{- end }}

Answer 2

如果您使用的是最新的KV2，则该秘密的路径是<KV2-root-path>/data/<path-within-the-kv2>。

因此，如果您的KV2被称为secret，那么：... with secret secret/data/mysecret/secrets ...

保险库探员的侧位注射了吗？有原木吗？