How to generate a Consul template inside a Helm Chart


I have a Helm Chart for a Spring Boot application that gets its database credentials injected by the Hashicorp Vault agent injector.

This is a snippet from the generated deployment manifest in the dev environment.

      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "app"
        vault.hashicorp.com/agent-inject-secret-database.properties: "secret/data/app/dev/database"
        vault.hashicorp.com/agent-inject-template-database.properties: |
          {{ with secret "secret/data/app/dev/database" }}
          spring.datasource.username: {{ .Data.data.username }}
          spring.datasource.password: {{ .Data.data.password }}
          {{ end }}

To be able to specify the path to the secret and the name of the generated secrets file in the values.yaml, I've constructed this template:

      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "{{ .Values.vault.role }}"
        {{ print "vault.hashicorp.com/agent-inject-secret-" .Values.vault.secretFileName }}: "{{ .Values.vault.secretPath }}"
        {{ print "vault.hashicorp.com/agent-inject-template-" .Values.vault.secretFileName }}: |
          {{`
          {{ with secret "`}} {{- .Values.vault.secretPath -}}  {{`" }}
          spring.datasource.username: {{ .Data.data.username }}
          spring.datasource.password: {{ .Data.data.password }}
          {{ end }}
          `}}

It works as intended, but I don't think it's very elegant.

I've also tried this approach:

      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "{{ .Values.vault.role }}"
        {{ print "vault.hashicorp.com/agent-inject-secret-" .Values.vault.secretFileName }}: "{{ .Values.vault.secretPath }}"
        {{ print "vault.hashicorp.com/agent-inject-template-" .Values.vault.secretFileName }}: |
          {{ print "{{ with secret \"" .Values.vault.secretPath "\" }}" }}
          {{ print "spring.datasource.username: {{ .Data.data.username }}" }}
          {{ print "spring.datasource.password: {{ .Data.data.password }}" }}
          {{ print "{{ end }}" }}

Which I feel is slightly better, but I'm still not happy with it.

So my question is: Is there a better way to do it?

There is 1 answer

Jobin James On

I am doing it this way in my Helm chart:

  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: {{ $.Values.injector.role }}
    vault.hashicorp.com/agent-inject-secret-app: kv/k8s-{{ $.Values.environment }}/{{ $.Values.APP_NAME }}
    vault.hashicorp.com/agent-inject-template-app: |
      {{`{{ with secret "`}}kv/k8s-{{ $.Values.environment }}/{{ $.Values.APP_NAME }}{{`" }}
      {{ range $key, $value := .Data }}
      export {{ $key }}={{ $value }}
      {{ end }}`}}
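
Added example (not part of the question or the answer): a Go program that renders three ways of escaping the inner template with `text/template`, the engine Helm builds on, and checks that the output is the literal template Vault Agent should receive, with the secret path passed as a quoted string. The variant labels, `Render` and `CheckAgentTemplate` are hypothetical names, the secret path is a constructed sample, and only built-in template functions are used (no Sprig).

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Body shared by every variant: a raw string keeps the inner {{ }} literal.
const body = "\nspring.datasource.username: {{`{{ .Data.data.username }}`}}\n{{`{{ end }}`}}\n"

// Opening lines under test (labels are hypothetical, chosen for this example).
var openers = map[string]string{
	"rawstring": "{{`{{ with secret \"`}}{{ .Values.vault.secretPath }}{{`\" }}`}}",
	"delims":    `{{ "{{" }} with secret {{ printf "%q" .Values.vault.secretPath }} {{ "}}" }}`,
	"unquoted":  `{{ print "{{ with secret " .Values.vault.secretPath " }}" }}`,
}

// Render executes one variant against constructed values shaped like Helm's .Values.
func Render(name, secretPath string) (string, error) {
	tpl, err := template.New(name).Option("missingkey=error").Parse(openers[name] + body)
	if err != nil {
		return "", err
	}
	vals := map[string]interface{}{"Values": map[string]interface{}{
		"vault": map[string]interface{}{"secretPath": secretPath}}}
	var out bytes.Buffer
	err = tpl.Execute(&out, vals)
	return out.String(), err
}

// CheckAgentTemplate requires a quoted secret path and unexpanded inner actions.
func CheckAgentTemplate(rendered, secretPath string) error {
	want := fmt.Sprintf("{{ with secret %q }}", secretPath)
	if !strings.Contains(rendered, want) {
		return fmt.Errorf("missing %s in rendered annotation", want)
	}
	if !strings.Contains(rendered, "{{ .Data.data.username }}") || !strings.Contains(rendered, "{{ end }}") {
		return fmt.Errorf("inner template actions were expanded or dropped")
	}
	return nil
}

func main() {
	const p = "secret/data/app/dev/database" // constructed sample path
	for name := range openers {
		out, _ := Render(name, p)
		fmt.Printf("%-9s -> %v\n", name, CheckAgentTemplate(out, p))
	}
}
```

The `unquoted` variant renders without error but fails the check, because `print` concatenates the path into the action without the surrounding double quotes.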