Allstar has detected that this repository’s SECURITY.md security policy is out of compliance. Status:
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/Talend/vault-sidecar-injector/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Description
I have a custom annotation on the pod template of a deployment that utilizes the Talend Vault sidecar injector. When using the sidecar annotations to inject static secrets as environment variables, the pod loses the custom annotation.

Reproduction
Create a basic deployment with Vault sidecar injection enabled from static secrets using the environment variable (env) injection method and a custom, unrelated annotation on the pod template metadata. The unrelated annotation will not exist on the pod. Switch the sidecar.vault.talend.org/inject annotation to false and redeploy and the resultant pod will have the unrelated annotation.

Expected Behavior
I would expect unrelated annotations to be preserved on the pod.

Environment:

• Kubernetes
  • cluster: EKS
  • v1.20
• Vault Sidecar Injector
  • version: 7.2.1
  • chart version: 4.3.1

Logs of Vault Sidecar Injector pod(s)

I'm assuming this is due to the MutatingWebhook, as it seems the patch operation might be replacing all annotations from this line I found in the logs of the Vault sidecar injector:

{"op":"add","path":"/metadata/annotations","value":{"sidecar.vault.talend.org/status":"injected"}}

This type of patch operation removes all annotations and adds in just the one specified. I'd recommend changing it to one that just adds the single annotation you're interested in:

{"op":"add","path":"/metadata/annotations/sidecar.vault.talend.org~1status","value":"injected"}

Describe the issue
A clear and concise description of what the issue is.

Found an issue with the Kubernetes service account role creation in the file
vault-sidecar-injector/deploy/vault/init-dev-vault-server.sh
Lines 33,34,35 bound_service_account_names=default,job-sa
should also include the “vault” service account created by the Vault Helm chart.

Before I modified the locally I could not login using Vault Kubernetes Auth using the test role.
After I modified this locally I could successfully login using Vault Kubernetes Auth but the sidecar injector failed to login.

vault read auth/kubernetes/role/test
Key Value

bound_service_account_names [vault default job-sa]
bound_service_account_namespaces [default]
policies [test_pol]
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [test_pol]
token_ttl 1h
token_type default
ttl 1h

To Reproduce
Steps to reproduce the behavior.

Use the Helm installation instructions here:

https://github.com/Talend/vault-sidecar-injector/blob/master/doc/Deploy.md

git clone https://github.com/hashicorp/vault-helm.git
cd vault-helm
git checkout v0.9.1
helm install vault . --set injector.enabled=false --set server.dev.enabled=true --set ui.enabled=true --set ui.serviceType="NodePort"

Check status

kubectl exec -it vault-0 -- vault status
kubectl logs vault-0

Then init Vault server with our test config:

Set up needed auth methods, secrets engines, policies, roles and secrets

cd vault-sidecar-injector/deploy/vault
./init-dev-vault-server.sh

helm repo add talend https://talend.github.io/helm-charts-public/stable
helm repo update
export CHART_LOCATION=talend/vault-sidecar-injector

helm install vault-sidecar-injector $CHART_LOCATION --namespace default --set vault.addr=http://127.0.0.1:8200 --set vault.ssl.verify=false

kubectl apply -f app-dep-1-secrets.yaml

Expected behavior
A clear and concise description of what you expected to happen.

Expected the secrets to be injected into the app-container but no secrets were injected, as the logs show:
My secrets are:
cat: can't open '/opt/talend/secrets/secrets.properties': No such file or directory

The sidecar injector logs show Vault Kubernetes Auth errors :
{"@Level":"info","@message":"authenticating","@module":"auth.handler","@timestamp":"2021-04-12T03:03:20.730121Z"}
{"@Level":"error","@message":"error authenticating","@module":"auth.handler","@timestamp":"2021-04-12T03:03:20.731143Z","backoff":2.257653078,"error":"Put "http://127.0.0.1:8200/v1/auth/kubernetes/login\": dial tcp 127.0.0.1:8200: connect: connection refused"}

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

• Workstation OS: [e.g. Ubuntu 18.04]
  OSX

• Kubernetes

  • cluster: [e.g. AKS, EKS, Minikube, Kind, k3s]
    DockerDesktop

  • version of Kubernetes.
    v1.19.7 server
    v1.20.2 client

• Vault Server

  • version
    Vault v1.6.2
    Chart vault-0.9.1

• Vault Sidecar Injector

  • chart version: [e.g. 3.1.1]
    helm search hub vault-sidecar-injector
    URL CHART VERSION APP VERSION DESCRIPTION
    https://hub.helm.sh/charts/talend/vault-sidecar... 4.2.1 7.1.1 A Helm chart for Talend Vault Sidecar Injector ...

Additional context
Add any other context about the problem here.

Content of deployed Kubernetes manifest
If possible, full content of your manifest with Vault Sidecar Injector annotations and info about your workload such as image path, command, env, volumes & mounts ...

The only modification to the original code was to add the vault service account to the initialization script.
Used files from the samples directory without modification.

Logs of Vault Sidecar Injector pod(s)

kubectl logs vault-sidecar-injector-vault-sidecar-inj-65d48c5596-cbqkd
I0412 03:00:54.749279 1 load.go:27] annotationKeyPrefix=sidecar.vault.talend.org
I0412 03:00:54.749476 1 load.go:28] appLabelKey=com.talend.application
I0412 03:00:54.749499 1 load.go:29] appServiceLabelKey=com.talend.service
I0412 03:00:54.749648 1 load.go:103] Loading /opt/talend/webhook/config/injectionconfig.yaml [sha256sum: 967dd69b69017a67bb9ec9e683bb43123618e8e433d5ad05301928b2753138cb]
I0412 03:00:54.751560 1 load.go:103] Loading /opt/talend/webhook/config/proxyconfig.hcl [sha256sum: 65974d444e279560d92773f38188e8bdd09fb3abd19942ed063c2310bd050eb8]
I0412 03:00:54.751638 1 load.go:103] Loading /opt/talend/webhook/config/templateblock.hcl [sha256sum: 9cf401da67775277e99211608f7b26213fb868d1110986043fd20f740894a25d]
I0412 03:00:54.751668 1 load.go:103] Loading /opt/talend/webhook/config/templatedefault.tmpl [sha256sum: be27ce062f7654e64062ffec769f031884676d6d98f1e7c701f601fa42f6d1e1]
I0412 03:00:54.751702 1 load.go:103] Loading /opt/talend/webhook/config/podlifecyclehooks.yaml [sha256sum: a9977154d1ecb2110b63585ee75263aa091e9b3480072f830f58f1ce6ade6a4f]
I0412 03:03:01.780458 1 webhook-server.go:120] AdmissionReview for GroupVersionKind=/v1, Kind=Pod, Namespace=default Name= (app-55b99b4f6f-) UID=632e9899-c4e4-4751-80bd-b439d4e62913 patchOperation=CREATE UserInfo={Username:system:serviceaccount:kube-system:replicaset-controller UID:dfc8504a-1e5e-430d-860b-cff6b52a301b Groups:[system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] Extra:map[]}
I0412 03:03:01.780520 1 utils.go:87] Mutation policy for default/app-55b99b4f6f-: status: "" required:true
I0412 03:03:01.780556 1 update-pod.go:85] Modes status: map[job:false proxy:false secrets:true]
I0412 03:03:01.780586 1 update-pod.go:319] Injecting volumeMount 'secrets' in container 'app-container'
I0412 03:03:01.780606 1 update-pod.go:364] Injecting volume 'secrets' in submitted pod
I0412 03:03:01.780628 1 secrets-func-inject.go:37] [secrets] Injecting container tvsi-vault-agent (path: /spec/containers)
I0412 03:03:01.780890 1 webhook-server.go:142] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts/-","value":{"name":"secrets","mountPath":"/opt/talend/secrets"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"tvsi-shared","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/volumes/-","value":{"name":"secrets","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/containers/0","value":{"name":"tvsi-vault-agent","image":"vault:1.6.2","command":["sh","-c","if [ "${VSI_VAULT_AUTH_METHOD}" = "kubernetes" ]; then\n cat \u003c\u003cEOF \u003e vault-agent-config.hcl\npid_file = "/home/vault/pidfile"\n\nauto_auth {\n method "kubernetes" {\n mount_path = "auth/kubernetes"\n config = {\n role = "${VSI_VAULT_ROLE}"\n token_path = "/var/run/secrets/talend/vault-sidecar-injector/serviceaccount/token"\n }\n }\n\n sink "file" {\n config = {\n path = "/home/vault/.vault-token"\n }\n }\n}\n\n${VSI_PROXY_CONFIG_PLACEHOLDER}\n\n${VSI_SECRETS_TEMPLATES_PLACEHOLDER}\nEOF\nelif [ "${VSI_VAULT_AUTH_METHOD}" = "approle" ]; then\n cat \u003c\u003cEOF \u003e vault-agent-config.hcl\npid_file = "/home/vault/pidfile"\n\nauto_auth {\n method "approle" {\n mount_path = "auth/approle"\n config = {\n role_id_file_path = "/opt/talend/secrets/approle_roleid"\n secret_id_file_path = "/opt/talend/secrets/approle_secretid"\n remove_secret_id_file_after_reading = false\n }\n }\n\n sink "file" {\n config = {\n path = "/home/vault/.vault-token"\n }\n }\n}\n\n${VSI_PROXY_CONFIG_PLACEHOLDER}\n\n${VSI_SECRETS_TEMPLATES_PLACEHOLDER}\nEOF\nfi\nif [ "${VSI_JOB_WORKLOAD}" = "true" ]; then\n docker-entrypoint.sh agent -config=vault-agent-config.hcl -tls-skip-verify -log-level=info \u0026\n while true; do\n if [ -f "/opt/talend/tvsi/vault-sidecars-signal-terminate" ]; then\n echo "=\u003e exit (signal received)"\n export VAULT_TOKEN=$(cat /home/vault/.vault-token);\n vault token revoke -tls-skip-verify -self;\n exit 0\n fi\n sleep 2\n done\nelse\n docker-entrypoint.sh agent -config=vault-agent-config.hcl -tls-skip-verify -log-level=info\nfi\n"],"env":[{"name":"SKIP_SETCAP","value":"true"},{"name":"VAULT_ADDR","value":"http://127.0.0.1:8200"},{"name":"VAULT_LOG_FORMAT","value":"json"},{"name":"VSI_JOB_WORKLOAD","value":"false"},{"name":"VSI_PROXY_CONFIG_PLACEHOLDER"},{"name":"VSI_SECRETS_TEMPLATES_PLACEHOLDER","value":"template {\n destination = "/opt/talend/secrets/secrets.properties"\n contents = \u003c\u003cEOH\n {{ with secret "secret/test/test-app-svc" }}{{ range $k, $v := .Data }}\n{{ $k }}={{ $v }}\n{{ end }}{{ end }}\n EOH\n command = ""\n wait {\n min = "1s"\n max = "2s"\n }\n}\n"},{"name":"VSI_VAULT_AUTH_METHOD","value":"kubernetes"},{"name":"VSI_VAULT_ROLE","value":"test"}],"resources":{"limits":{"cpu":"50m","memory":"50Mi"},"requests":{"cpu":"40m","memory":"35Mi"}},"volumeMounts":[{"name":"tvsi-shared","mountPath":"/opt/talend/tvsi"},{"name":"secrets","mountPath":"/opt/talend/secrets"},{"name":"vault-token-47l9p","readOnly":true,"mountPath":"/var/run/secrets/talend/vault-sidecar-injector/serviceaccount"}],"lifecycle":{"preStop":{"exec":{"command":["sh","-c","export VAULT_TOKEN=$(cat /home/vault/.vault-token); vault token revoke -tls-skip-verify -self;\n"]}}},"imagePullPolicy":"Always"}},{"op":"add","path":"/metadata/annotations","value":{"sidecar.vault.talend.org/status":"injected"}}]
I0412 03:03:01.781338 1 webhook-server.go:201] Ready to write reponse ...

kubectl logs vault-sidecar-injector-vault-sidecar-inj-65d48c5596-fchlr
I0412 03:00:41.254234 1 load.go:27] annotationKeyPrefix=sidecar.vault.talend.org
I0412 03:00:41.254328 1 load.go:28] appLabelKey=com.talend.application
I0412 03:00:41.254348 1 load.go:29] appServiceLabelKey=com.talend.service
I0412 03:00:41.254427 1 load.go:103] Loading /opt/talend/webhook/config/injectionconfig.yaml [sha256sum: 967dd69b69017a67bb9ec9e683bb43123618e8e433d5ad05301928b2753138cb]
I0412 03:00:41.256191 1 load.go:103] Loading /opt/talend/webhook/config/proxyconfig.hcl [sha256sum: 65974d444e279560d92773f38188e8bdd09fb3abd19942ed063c2310bd050eb8]
I0412 03:00:41.256253 1 load.go:103] Loading /opt/talend/webhook/config/templateblock.hcl [sha256sum: 9cf401da67775277e99211608f7b26213fb868d1110986043fd20f740894a25d]
I0412 03:00:41.256286 1 load.go:103] Loading /opt/talend/webhook/config/templatedefault.tmpl [sha256sum: be27ce062f7654e64062ffec769f031884676d6d98f1e7c701f601fa42f6d1e1]
I0412 03:00:41.256416 1 load.go:103] Loading /opt/talend/webhook/config/podlifecyclehooks.yaml [sha256sum: a9977154d1ecb2110b63585ee75263aa091e9b3480072f830f58f1ce6ade6a4f]

kubectl logs vault-sidecar-injector-vault-sidecar-inj-65d48c5596-vhddv
I0412 03:00:54.922982 1 load.go:27] annotationKeyPrefix=sidecar.vault.talend.org
I0412 03:00:54.923171 1 load.go:28] appLabelKey=com.talend.application
I0412 03:00:54.923208 1 load.go:29] appServiceLabelKey=com.talend.service
I0412 03:00:54.923338 1 load.go:103] Loading /opt/talend/webhook/config/injectionconfig.yaml [sha256sum: 967dd69b69017a67bb9ec9e683bb43123618e8e433d5ad05301928b2753138cb]
I0412 03:00:54.930367 1 load.go:103] Loading /opt/talend/webhook/config/proxyconfig.hcl [sha256sum: 65974d444e279560d92773f38188e8bdd09fb3abd19942ed063c2310bd050eb8]
I0412 03:00:54.930425 1 load.go:103] Loading /opt/talend/webhook/config/templateblock.hcl [sha256sum: 9cf401da67775277e99211608f7b26213fb868d1110986043fd20f740894a25d]
I0412 03:00:54.930457 1 load.go:103] Loading /opt/talend/webhook/config/templatedefault.tmpl [sha256sum: be27ce062f7654e64062ffec769f031884676d6d98f1e7c701f601fa42f6d1e1]
I0412 03:00:54.930944 1 load.go:103] Loading /opt/talend/webhook/config/podlifecyclehooks.yaml [sha256sum: a9977154d1ecb2110b63585ee75263aa091e9b3480072f830f58f1ce6ade6a4f]

Errors reported by Vault Sidecar Injector while trying to inject Vault Agent into your workload

kubectl logs app-55b99b4f6f-pqff9 tvsi-vault-agent
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                 Cgo: disabled
           Log Level: info
             Version: Vault v1.6.2
         Version Sha: be65a227ef2e80f8588b3b13584b5c0d9238c1d7

{"@Level":"info","@message":"creating file sink","@module":"sink.file","@timestamp":"2021-04-12T03:03:12.651295Z"}
{"@Level":"info","@message":"file sink configured","@module":"sink.file","@timestamp":"2021-04-12T03:03:12.653247Z","mode":416,"path":"/home/vault/.vault-token"}
{"@Level":"info","@message":"starting template server","@module":"template.server","@timestamp":"2021-04-12T03:03:12.747227Z"}
{"@Level":"info","@message":"starting auth handler","@module":"auth.handler","@timestamp":"2021-04-12T03:03:12.748360Z"}
2021/04/12 03:03:12.748864 [INFO] (runner) creating new runner (dry: false, once: false)
{"@Level":"info","@message":"authenticating","@module":"auth.handler","@timestamp":"2021-04-12T03:03:12.748954Z"}
{"@Level":"info","@message":"starting sink server","@module":"sink.server","@timestamp":"2021-04-12T03:03:12.748510Z"}
2021/04/12 03:03:12.752283 [INFO] (runner) creating watcher
{"@Level":"error","@message":"error authenticating","@module":"auth.handler","@timestamp":"2021-04-12T03:03:12.847056Z","backoff":2.872433287,"error":"Put "http://127.0.0.1:8200/v1/auth/kubernetes/login\": dial tcp 127.0.0.1:8200: connect: connection refused"}

Logs of your workload
My secrets are:
cat: can't open '/opt/talend/secrets/secrets.properties': No such file or directory
cat: can't open '/opt/talend/secrets/secrets.properties': No such file or directory

In particular, logs from the Vault Agent sidecar container injected into your pod

Describe the issue
inside the deploy/helm folder, i tried helm template test ./ --debug and then got this error

Error: template: vault-sidecar-injector/charts/vault-sidecar-injector/templates/deployment.yaml:22:28: executing "vault-sidecar-injector/charts/vault-sidecar-injector/templates/deployment.yaml" at <include (print $.Template.BasePath "/configmap.yaml") .>: error calling include: template: vault-sidecar-injector/charts/vault-sidecar-injector/templates/configmap.yaml:9:4: executing "vault-sidecar-injector/charts/vault-sidecar-injector/templates/configmap.yaml" at <tpl (.Files.Get "config/injectionconfig.yaml") .>: error calling tpl: error during tpl function execution for "initContainers:

  - name: tvsi-vault-agent-init
    image: {{ include \"talend-vault-sidecar-injector.injectconfig.vault.image\" .Values }}
    imagePullPolicy: {{ .Values.injectconfig.vault.image.pullPolicy }}

env:
      - name: SKIP_SETCAP
        value: \"true\"
      - name: VAULT_ADDR
        value: {{ required \"Vault server's address must be specified\" .Values.vault.addr | quote }}
      - name: VAULT_LOG_FORMAT
        value: {{ .Values.injectconfig.vault.log.format }}
      # env var set by webhook
      - name: VSI_SECRETS_TEMPLATES_PLACEHOLDER
        value: \"\"
      # env var set by webhook
      - name: VSI_VAULT_ROLE
        value: \"\"
    command:
      - \"sh\"
      - \"-c\"
      - |
        cat <<EOF > vault-agent-config.hcl
        pid_file = \"/home/vault/pidfile\"
        auto_auth {
            method \"kubernetes\" {
              mount_path = \"auth/{{ .Values.vault.authMethods.kubernetes.path }}\"
            config = {
                role = \"${VSI_VAULT_ROLE}\"
              token_path = \"/var/run/secrets/talend/vault-sidecar-injector/serviceaccount/token\"
            }
          }
          sink \"file\" {
              config = {
                path = \"/home/vault/.vault-token\"
            }
          }
        }
        ${VSI_SECRETS_TEMPLATES_PLACEHOLDER}
        EOF

        docker-entrypoint.sh agent -config=vault-agent-config.hcl -exit-after-auth=true {{ include \"talend-vault-sidecar-injector.vault.cert.skip.verify\" .Values }} -log-level={{- .Values.injectconfig.vault.log.level }}
        export VAULT_TOKEN=$(cat /home/vault/.vault-token)
        vault token revoke {{ include \"talend-vault-sidecar-injector.vault.cert.skip.verify\" .Values }} -self
    volumeMounts:
      # Mount path used to share secrets.
      - name: secrets
        mountPath: /opt/talend/secrets
      # The name's value will be overridden by the webhook to point to container's service account volume to use for Vault authentication.
      - name: TVSI_SA_SECR
      - 

To Reproduce

inside the deploy/helm folder, i tried helm template test ./ --debug and then got this error

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

• Workstation OS: [e.g. Ubuntu 18.04]
• Kubernetes
  • cluster: [e.g. AKS, EKS, Minikube, Kind, k3s]
  • version of Kubernetes
• Vault Server
  • version
  • chart version (if Kubernetes install)
  • in-cluster or external instance
• Vault Sidecar Injector
  • chart version: [e.g. 3.1.1]

Additional context

Add any other context about the problem here.

Content of deployed Kubernetes manifest

If possible, full content of your manifest with Vault Sidecar Injector annotations and info about your workload such as image path, command, env, volumes & mounts ...

Log of Vault Server

Warnings and errors related to the issue

Logs of Vault Sidecar Injector pod(s)

Errors reported by Vault Sidecar Injector while trying to inject Vault Agent into your workload

Logs of your workload

In particular, logs from the Vault Agent sidecar container injected into your pod

Vault Sidecar Injector currently injects 2 sidecars:

• Vault Agent to authenticate against Vault server, get and renew Vault token
• Consul Template to fetch secrets from Vault server using issued token

Vault 1.3 will come with a new "Vault Agent Template" feature that will combine what is achieved by those sidecars. By moving to this new Vault release we will reduce the footprint (only one sidecar injected), end up with a simpler configuration/chart and may expect faster startup time (to be tested).

Link to Vault Agent Template pull request: hashicorp/vault#7652

Some k8s distributions - like Rancher's RKE or kubeadm - do not configure a signer. See docs here for info on using the default implementation: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#a-note-to-cluster-administrators

The requirement for this config (or a signer of some kind) should be documented in the installation steps for this application.

Describe the issue
Injection does not work for grafana/grafana:7.3.1, or grafana/grafana:7.3.1-ubuntu images

To Reproduce
Attempt to inject as env.

Expected behavior
As with ubuntu base images, I would expect it to inject as secrets.

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

• OS: alpine:3.12
• Kubernetes
  • cluster: GKE
  • 1.16
• Vault Server
  • version
• Vault Sidecar Injector
  • chart version: 4.1.0

Additional context
It appears to show a nonsensical error message, which is unexpected.

Hi,

Could you please verify if it is possible to use secrets as env variables in helm chart for app ?

Example:

env:    
- name: AWS_SECRET_ACCESS_KEY
    value: "vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY

Hello.
Could you please verify that with using environment variables we haven't the secret file in the pods ? So, we can't access to the secret thought /opt/talend/secrets/secret.properties ?

Using RKE, kubernetes is configured with self-signed certs that are trusted within the cluster. I need a way to tell the injected sidecar to NOT verify the certificate.

URL: PUT http://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login
Code: 500. Errors:
* Post https://kubernetes.default.svc/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority" backoff=2.035247216
2020-01-03T17:57:26.621Z [INFO] auth.handler: authenticating
2020-01-03T17:57:26.641Z [ERROR] auth.handler: error authenticating: error="Error making API request.

Scenario: I configure secrets-destination and secrets-template with multiple comma delimited values. Because secrets.go splits the annotation strings with "," as the delimiter, a template that includes

{{ range \$k, \$v := .Data }}

will split on the internal comma resulting in error

Submitted pod must contain same numbers of templates and secrets destinations