I read this in the envconsul documentation:

    For security, it is also possible to read the token from the environment using the CONSUL_TOKEN or VAULT_TOKEN environment variables, respectively. It is highly recommended that you do not put the tokens in plain text in a configuration file.

So I have this envconsul.hcl file:
    # the settings to connect to vault server
    # "http://10.0.2.2:8200" is the Vault's address on the host machine when using Minikube
    vault {
      address = "${env(VAULT_ADDR)}"
      renew_token = false
      retry {
        backoff = "1s"
      }
      token = "${env(VAULT_TOKEN)}"
    }

    # the settings to find the endpoint of the secrets engine
    secret {
      no_prefix = true
      path = "secret/app/config"
    }
But I get this error:

    [WARN] (view) vault.read(secret/app/config): vault.read(secret/app/config): Get $%7Benv%28VAULT_ADDR%29%7D/v1/secret/app/config: unsupported protocol scheme "" (retry attempt 1 after "1s")

As far as I understand, it cannot do the variable substitution. I tried setting "http://10.0.2.2:8200" and it works. The same goes for the VAULT_TOKEN variable. If I hard-code VAULT_ADDR, I get this error:
[WARN] (view) vault.read(secret/app/config): vault.read(secret/app/config): Error making API request.
URL: GET http://10.0.2.2:8200/v1/secret/app/config
Code: 403. Errors:
* permission denied (retry attempt 2 after "2s")
Is there a way for this file to know about environment variables?

EDIT 1

This is my pod.yml file:
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: sample
    spec:
      serviceAccountName: vault-auth
      restartPolicy: Never
      # Add the ConfigMap as a volume to the Pod
      volumes:
        - name: vault-token
          emptyDir:
            medium: Memory
        # Populate the volume with config map data
        - name: config
          configMap:
            # `name` here must match the name
            # specified in the ConfigMap's YAML
            # -> kubectl create configmap vault-cm --from-file=./vault-configs/
            name: vault-cm
            items:
              - key: vault-agent-config.hcl
                path: vault-agent-config.hcl
              - key: envconsul.hcl
                path: envconsul.hcl
      initContainers:
        # Vault container
        - name: vault-agent-auth
          image: vault
          volumeMounts:
            - name: vault-token
              mountPath: /home/vault
            - name: config
              mountPath: /etc/vault
          # This assumes Vault running on local host and K8s running in Minikube using VirtualBox
          env:
            - name: VAULT_ADDR
              value: http://10.0.2.2:8200
          # Run the Vault agent
          args:
            [
              "agent",
              "-config=/etc/vault/vault-agent-config.hcl",
              "-log-level=debug",
            ]
      containers:
        - name: python
          image: myappimg
          imagePullPolicy: Never
          ports:
            - containerPort: 5000
          volumeMounts:
            - name: vault-token
              mountPath: /home/vault
            - name: config
              mountPath: /etc/envconsul
          env:
            - name: HOME
              value: /home/vault
            - name: VAULT_ADDR
              value: http://10.0.2.2:8200
Answer 0 (score: 0)

I. Set the environment variables in the container spec (values in double quotes):

    env:
      - name: VAULT_TOKEN
        value: "abcd1234"
      - name: VAULT_ADDR
        value: "http://10.0.2.2:8200"

Then reference the values in envconsul.hcl:
    vault {
      address = ${VAULT_ADDR}
      renew_token = false
      retry {
        backoff = "1s"
      }
      token = ${VAULT_TOKEN}
    }
II. Another option is to unseal the Vault cluster (using the unseal keys printed when the Vault cluster was initialized):

    $ vault operator unseal

and then authenticate to the Vault cluster with the root token:

    $ vault login <your-generated-root-token>

More details
Answer 1 (score: 0)

I tried many of the suggestions, but it did not work until I passed the -vault-token parameter to the envconsul command:

    envconsul -vault-token=$VAULT_TOKEN -config=/app/config.hcl -secret="/secret/debug/service" env

and config.hcl should look like this:
    vault {
      address = "http://kvstorage.try.direct:8200"
      token = "${env(VAULT_TOKEN)}"
    }
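The following is an added example written for this page, not code from the question or either answer. It is a small POSIX-sh entrypoint wrapper for the application container in the pod above, combining the two things the thread establishes: the token stays out of the HCL file (it is handed to envconsul with the -vault-token flag that worked in the answer above), and VAULT_ADDR is validated for an http(s) scheme before envconsul starts, so the 'unsupported protocol scheme ""' failure from the question is caught with a readable message instead of a retry loop. It assumes the Vault Agent init container writes its token sink to /home/vault/.vault-token on the shared in-memory volume, that envconsul is on PATH in the app image, and it introduces a hypothetical VAULT_SINK variable to override the sink path; none of those are stated on the page.

```shell
#!/bin/sh
# Added example (not from the page). Entrypoint wrapper that launches the app
# under envconsul without ever writing the Vault token into a config file.
# Assumptions not stated on the page: the vault-agent sink is
# /home/vault/.vault-token, envconsul is on PATH, and VAULT_SINK (hypothetical)
# may override the sink path.

# Return 0 only if the address carries an http or https scheme. envconsul does
# not expand "${env(VAULT_ADDR)}" inside the HCL, so that literal fails here
# instead of producing the 'unsupported protocol scheme ""' retry loop.
check_vault_addr() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the token from a sink file with all surrounding whitespace removed.
# Returns non-zero when the file is unreadable or empty so the caller can abort.
read_sink_token() {
  sink="$1"
  [ -r "$sink" ] || return 1
  tok=$(tr -d ' \t\r\n' < "$sink")
  [ -n "$tok" ] || return 1
  printf '%s' "$tok"
}

# Render a token for log lines: first four characters, the rest masked.
mask_token() {
  printf '%.4s****' "$1"
}

# Validate, load the token, and exec the real app under envconsul.
# Usage: run_with_envconsul /etc/envconsul/envconsul.hcl secret/app/config
# Exit codes 64 (bad address) and 65 (no token) show up as the container's
# exit status, which is easier to triage than a silent envconsul retry loop.
run_with_envconsul() {
  config="$1"
  secret_path="$2"
  addr="${VAULT_ADDR:-}"
  sink="${VAULT_SINK:-/home/vault/.vault-token}"
  if ! check_vault_addr "$addr"; then
    echo "VAULT_ADDR must start with http:// or https://, got '$addr'" >&2
    return 64
  fi
  token=$(read_sink_token "$sink") || {
    echo "no Vault token found in $sink (is the vault-agent init container done?)" >&2
    return 65
  }
  echo "starting envconsul against $addr with token $(mask_token "$token")" >&2
  # The token travels only as a process argument, never into the HCL file.
  exec envconsul -vault-token="$token" -config="$config" -secret="$secret_path" env
}

# Stand-alone demo on constructed input (the token below is a made-up sample,
# not a real Vault token). Only the pure helpers are exercised here; the exec
# path above is what the container would run.
demo_dir=$(mktemp -d)
printf 's.DEMO0000example\n' > "$demo_dir/.vault-token"
check_vault_addr 'http://10.0.2.2:8200' && echo "address ok"
check_vault_addr '${env(VAULT_ADDR)}' || echo "unexpanded placeholder rejected"
echo "masked token: $(mask_token "$(read_sink_token "$demo_dir/.vault-token")")"
rm -rf "$demo_dir"
```

With this wrapper, envconsul.hcl carries only the address and secret settings, and the token never appears on disk outside the memory-backed emptyDir that the vault-agent init container already populates.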