From e9f6ac6bf57fde39afdb203f8c3653272a4b4a75 Mon Sep 17 00:00:00 2001
From: Christian Tran
Date: Wed, 7 Jul 2021 16:53:36 +0200
Subject: [PATCH] fix(deployment): add vault agent at initContainer (#6)

---
 templates/configmap-vault-agent.yaml | 17 +++++++++++++++
 templates/deployment.yaml | 31 ++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/templates/configmap-vault-agent.yaml b/templates/configmap-vault-agent.yaml
index 4444ecf..5f1d2d6 100644
--- a/templates/configmap-vault-agent.yaml
+++ b/templates/configmap-vault-agent.yaml
@@ -9,6 +9,23 @@ metadata:
 annotations:
 {{- include "quorumkeymanager.annotations" . | nindent 4 }}
 data:
+ init-agent-config.hcl: |
+ exit_after_auth = true
+ auto_auth {
+ method "kubernetes" {
+ mount_path = "auth/kubernetes"
+ config = {
+ role = "{{ .Values.vaultAgent.role }}"
+ }
+ }
+ sink "file" {
+ wrap_ttl = "{{ .Values.vaultAgent.config.wrapTTL }}"
+ config = {
+ path = "/vault/token/.vault-token"
+ mode = 0666
+ }
+ }
+ }
 agent-config.hcl: |
 auto_auth {
 method "kubernetes" {
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index 382c321..f9b4261 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
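Review bot: The file sink in the new `init-agent-config.hcl` writes the Vault token with `mode = 0666`, i.e. world-readable and world-writable on the shared `/vault/token` volume, so any process in any container that mounts that volume can read or replace the token. Vault's documented default for the file sink is `mode = 0640`; use that (or `0600` when the consuming container runs as the same user) and pin `runAsUser`/`fsGroup` in the pod security context so the reader matches the writer. Because `wrap_ttl` is set, the sink holds a response-wrapped token rather than a directly usable one, so whichever container reads `/vault/token/.vault-token` must unwrap it within that TTL — presumably the sidecar's `agent-config.hcl` does this, but that part of the ConfigMap is outside the hunk.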
@@ -33,12 +33,39 @@ spec:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 # to avoid "not found" token issue at start
 initContainers:
+ {{- if .Values.vaultAgent.enabled }}
 - name: init-token
- image: "alpine:3.14.0"
- command: ["touch", "/vault/token/.vault-token"]
+ securityContext:
+ capabilities:
+ add:
+ - IPC_LOCK
+ image: "{{ .Values.vaultAgent.image.repository }}:{{ .Values.vaultAgent.image.tag }}"
+ args:
+ - "agent"
+ - "-config"
+ - "/vault/config/init-agent-config.hcl"
+ env:
+ - name: SKIP_CHOWN
+ value: "true"
+ {{- if or .Values.environment .Values.environmentSecrets }}
+ envFrom:
+ {{- if .Values.environment }}
+ - configMapRef:
+ name: {{ include "quorumkeymanager.fullname" . }}-envmap
+ optional: true
+ {{- end }}
+ {{- if .Values.environmentSecrets }}
+ - secretRef:
+ name: {{ include "quorumkeymanager.fullname" . }}-secretmap
+ optional: true
+ {{- end }}
+ {{- end }}
 volumeMounts:
 - name: vault-token
 mountPath: /vault/token
+ - name: vault-config
+ mountPath: /vault/config
+ {{- end }}
 containers:
 {{- if .Values.vaultAgent.enabled }}
 - name: vault-agent
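Review bot: The new `securityContext` on `init-token` adds `IPC_LOCK` but neither drops the default capability set nor disables privilege escalation, so the init container runs with more than it needs; a least-privilege form is `capabilities: {drop: [ALL], add: [IPC_LOCK]}` together with `allowPrivilegeEscalation: false`, written in block style to match the rest of the template. The `initContainers:` key stays outside the new `{{- if .Values.vaultAgent.enabled }}` guard, so with the agent disabled the rendered manifest contains a bare `initContainers:` (null); Kubernetes tolerates that, but moving the key inside the guard keeps the output clean and quiet for yamllint. The `envFrom` block also hands the whole `-secretmap` Secret to this init container, which presumably only needs the Vault connection settings; if those live in the ConfigMap, the `secretRef` entry can be omitted here.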