Support for an agent-image built FROM scratch #556

Open
aiman-alsari opened this issue Nov 22, 2023 · 0 comments
Labels
enhancement New feature or request

In heavily regulated environments, adding unnecessary dependencies makes things more difficult to maintain and increases the attack surface of a container.
Therefore it makes sense to have a vault agent image that is purpose-built and has no tools other than the vault binary (ideally with just the agent component rather than an uber-binary, but that's a different story).

The injector allows us to provide our own image using the agent-image annotation. Whilst this is super handy, the container is defined as such in agent-inject/agent/container_sidecar.go:

```go
newContainer := corev1.Container{
	Name:         "vault-agent",
	Image:        a.ImageName,
	Env:          envs,
	Resources:    resources,
	VolumeMounts: volumeMounts,
	Lifecycle:    &lifecycle,
	Command:      []string{"/bin/sh", "-ec"},
	Args:         []string{arg},
}

DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json"
```

This relies on a shell and the echo and base64 binaries.

I did investigate using the vault.hashicorp.com/agent-configmap annotation, but this has a similar problem in that it runs /bin/sh as the command and also relies on the touch command to be present:

```go
if a.ConfigMapName != "" {
	volumeMounts = append(volumeMounts, corev1.VolumeMount{
		Name:      configVolumeName,
		MountPath: configVolumePath,
		ReadOnly:  true,
	})
	arg = fmt.Sprintf("touch %s && vault agent -config=%s/config.hcl", TokenFile, configVolumePath)
}
```

(as a side-note, it's not clear what the TokenFile is for and why it requires touch)

Getting the config into the agent surely could be done either by a configmap volume (either generated or user-provided) or alternatively by modifying the way Vault agent loads its config to support b64 encoded env vars. Then we could run the container without any external dependencies.

@aiman-alsari aiman-alsari added the enhancement New feature or request label Nov 22, 2023
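A check in the spirit of this issue, added here as an example and not part of vault-k8s: given a sidecar spec (a constructed stand-in for the corev1.Container fields involved, not the real type), list every binary it expects on the image besides vault, so the injector's default shell script can be compared with a shell-free spec that would work on a FROM scratch image. The configPath mount location is an assumption.

```go
package main

import (
	"path"
	"strings"
)

// Container is a constructed stand-in for the corev1.Container fields used
// here; it is not the real Kubernetes type.
type Container struct {
	Name, Image   string
	Command, Args []string
}

// DefaultContainerArg is the injector's default sidecar script quoted in the issue.
const DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json"

var shells = map[string]bool{"sh": true, "ash": true, "dash": true, "bash": true}

// ExternalBinaries lists every program, besides vault itself, that a spec
// needs on its image. When Command is a shell, each simple command of the
// script in Args (split at |, &, ;) contributes its leading word. An empty
// result means the spec can run on a FROM scratch image holding only vault.
func ExternalBinaries(c Container) []string {
	if len(c.Command) == 0 || path.Base(c.Command[0]) == "vault" {
		return nil
	}
	if !shells[path.Base(c.Command[0])] {
		return []string{c.Command[0]}
	}
	out, seen := []string{c.Command[0]}, map[string]bool{}
	isSep := func(r rune) bool { return r == '|' || r == '&' || r == ';' }
	for _, script := range c.Args {
		for _, seg := range strings.FieldsFunc(script, isSep) {
			if f := strings.Fields(seg); len(f) > 0 && f[0] != "vault" && !seen[f[0]] {
				seen[f[0]] = true
				out = append(out, f[0])
			}
		}
	}
	return out
}

// ScratchSidecar execs vault directly and reads its config from a mounted
// volume, the shell-free alternative the issue proposes; configPath is an
// assumed mount location, and having no Args script means no shell is needed.
func ScratchSidecar(image, configPath string) Container {
	return Container{Name: "vault-agent", Image: image,
		Command: []string{"vault", "agent", "-config=" + configPath}}
}
```

Run against the issue's default spec the check reports /bin/sh, echo and base64; against the configmap variant it reports /bin/sh and touch; against ScratchSidecar it reports nothing.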