Try using Vault Sidecar Injection

Referencing [here](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar#configure-kubernetes-authentication), comparing with the Secrets Operator that I used [here](https://blog.scubbo.org/posts/base-app-infrastructure/). I _think_ I prefer this because: * It doesn't create a Kubernetes secret (which is, contrary to expectation, [not entirely secure](https://kubernetes.io/docs/concepts/configuration/secret/)) * The YAML/template changes required are smaller * It looks like it _might_ be able to write a whole Vault path as a single file, rather than one-file-per-key - though it'll need some template wizardry (in a follow-on commit) to format that right.
2025-04-18 12:09:23 -07:00 · 2025-04-18 12:09:23 -07:00 · 6aba9bf11b
commit 6aba9bf11b
parent f49906b12f
1 changed files with 12 additions and 1 deletions
--- a/charts/edh-elo/values.yaml
+++ b/charts/edh-elo/values.yaml
@ -5,6 +5,10 @@ image:
 extraEnv:
  - name: DATABASE_URL
    value: postgresql://db_user:pass@edh-elo-postgresql/postgres
+  - name: SPREADSHEET_ID
+    value: 1ITgXXfq7KaNP8JTQMvoZJSbu7zPpCcfNio_aooULRfc
+  - name: PATH_TO_GOOGLE_SHEETS_CREDENTIALS
+    value: /vault/secrets/google-credentials.json
 postgresql:
  auth:
    existing-secret: edh-elo-postgresql
@ -33,7 +37,14 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
-podAnnotations: {}
+podAnnotations:
+  vault.hashicorp.com/agent-inject: "true"
+  vault.hashicorp.com/role: "edh-elo"
+  vault.hashicorp.com/agent-inject-secret-google-credentials.json: "edh-elo/data/google-credentials"
+  # vault.hashicorp.com/agent-inject-template-google-credentials.json: |
+  #   {{- with secret "edh-elo/data/google-credentials" -}}
+  #   {{- .Data | b64enc -}}
+  #   {{- end -}}
 podSecurityContext: {}
 # fsGroup: 2000