fix(deployment): add vault agent at initContainer (#6)

Consensys · Jul 7, 2021 · e9f6ac6 · e9f6ac6
1 parent 0cebff3
commit e9f6ac6
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/templates/configmap-vault-agent.yaml b/templates/configmap-vault-agent.yaml
@@ -9,6 +9,23 @@ metadata:
   annotations:
     {{- include "quorumkeymanager.annotations" . | nindent 4 }}
 data:
+  init-agent-config.hcl: |
+    exit_after_auth = true
+    auto_auth {
+      method "kubernetes" {
+        mount_path = "auth/kubernetes"
+        config = {
+          role = "{{ .Values.vaultAgent.role }}"
+        }
+      }
+      sink "file" {
+        wrap_ttl = "{{ .Values.vaultAgent.config.wrapTTL }}"
+        config = {
+          path = "/vault/token/.vault-token"
+          mode = 0666
+        }
+      }
+    }
   agent-config.hcl: |
     auto_auth {
       method "kubernetes" {

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -33,12 +33,39 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       # to avoid "not found" token issue at start
       initContainers:
+        {{- if .Values.vaultAgent.enabled }}
         - name: init-token
-          image: "alpine:3.14.0"
-          command: ["touch", "/vault/token/.vault-token"]
+          securityContext:
+            capabilities:
+              add:
+              - IPC_LOCK
+          image: "{{ .Values.vaultAgent.image.repository }}:{{ .Values.vaultAgent.image.tag }}"
+          args:
+            - "agent"
+            - "-config"
+            - "/vault/config/init-agent-config.hcl"
+          env:
+            - name: SKIP_CHOWN
+              value: "true"
+          {{- if or .Values.environment .Values.environmentSecrets }}
+          envFrom:
+            {{- if .Values.environment }}
+            - configMapRef:
+                name: {{ include "quorumkeymanager.fullname" . }}-envmap
+                optional: true
+            {{- end }}
+            {{- if .Values.environmentSecrets }}
+            - secretRef:
+                name: {{ include "quorumkeymanager.fullname" . }}-secretmap
+                optional: true
+            {{- end }}
+          {{- end }}
           volumeMounts:
             - name: vault-token
               mountPath: /vault/token
+            - name: vault-config
+              mountPath: /vault/config
+        {{- end }}
       containers:
         {{- if .Values.vaultAgent.enabled }}
         - name: vault-agent