
Add annotation to use template path on disk #222

Merged (1 commit, Apr 5, 2021)

Conversation

@jfroche (Contributor) commented Feb 15, 2021

We currently have two options to define vault agent templates:
either define the template configuration as an inline template in the
annotation or configure the vault agent directly. The former is really
not handy when the template gets complex, the latter forces us to
manage the whole vault agent configuration.

We add a new annotation that enables the vault agent to inject secrets
from a template file on the container disk. Since
#212, this template can be
present in a volume defined on the container.

Annotation example:

```yaml
vault.hashicorp.com/agent-inject-secret-foo: 'database/roles/app'
vault.hashicorp.com/agent-inject-template-file-foo: '/etc/my-app/config.toml.tmpl'
vault.hashicorp.com/agent-inject-file-foo: '/etc/my-app/config.toml'
vault.hashicorp.com/agent-copy-volume-mounts: 'MyContainerNameWithVolumes'
```

If a template content is also defined in an annotation (using
`vault.hashicorp.com/agent-inject-template`), the template on disk won't be used.

refs #84
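As an added illustration (not code from this PR or from vault-k8s itself), a small Go resolver that applies the precedence the description states: for each `agent-inject-secret-<name>` it takes an inline `agent-inject-template-<name>` when present and otherwise `agent-inject-template-file-<name>`. The `Stanza` type and `resolveTemplates` function are hypothetical, and the default destination `/vault/secrets/<name>` is assumed from the OpenShift output shown later in the thread.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation prefixes from the PR; the <name> suffix ties them to one secret.
const (
	annotSecret       = "vault.hashicorp.com/agent-inject-secret-"
	annotTemplate     = "vault.hashicorp.com/agent-inject-template-"
	annotTemplateFile = "vault.hashicorp.com/agent-inject-template-file-"
	annotFile         = "vault.hashicorp.com/agent-inject-file-"
)
// Stanza is a hypothetical resolved "template" block; at most one of Source/Contents is set.
type Stanza struct {
	Name, SecretPath, Source, Contents, Destination string
}
// resolveTemplates yields one Stanza per agent-inject-secret-<name>, applying the PR's
// precedence: an inline agent-inject-template-<name> wins over agent-inject-template-file-<name>.
func resolveTemplates(annotations map[string]string) []Stanza {
	var out []Stanza
	for key, secretPath := range annotations {
		if !strings.HasPrefix(key, annotSecret) {
			continue
		}
		name := strings.TrimPrefix(key, annotSecret)
		// Assumed default destination /vault/secrets/<name>, as in the PR's OpenShift output.
		s := Stanza{Name: name, SecretPath: secretPath, Destination: "/vault/secrets/" + name}
		if dest, ok := annotations[annotFile+name]; ok {
			s.Destination = dest // agent-inject-file-<name> overrides the destination
		}
		if inline, ok := annotations[annotTemplate+name]; ok {
			s.Contents = inline // inline template wins; the on-disk template is ignored
		} else if file, ok := annotations[annotTemplateFile+name]; ok {
			s.Source = file // template read from the container disk (e.g. a mounted ConfigMap)
		}
		out = append(out, s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() { // constructed sample: the annotation set from the PR description
	fmt.Printf("%+v\n", resolveTemplates(map[string]string{
		annotSecret + "foo":       "database/roles/app",
		annotTemplateFile + "foo": "/etc/my-app/config.toml.tmpl",
		annotFile + "foo":         "/etc/my-app/config.toml",
	}))
}
```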

@jfroche (Contributor, Author) commented Feb 18, 2021

Here is a working example in OpenShift with the vault agent template stored in a ConfigMap:

```
$ cat database-config.txt.tpl
{{ with secret "kv_cirb_cicd_openshift/data/testapp-dev/external-service" -}}
ext-username={{ .Data.data.username }}
ext-password={{ .Data.data.password }}
{{ end -}}

{{ with secret "kv_cirb_cicd_openshift/data/testapp-dev/dbcreds" -}}
username={{ .Data.data.username }}
password={{ .Data.data.password }}
{{ end -}}

$ oc create configmap database-cfg --from-file=database-config.txt.tpl
```

We create the Deployment with an annotation referencing the previous ConfigMap:

```
$ cat testapp-deployment.yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  labels:
    app: testapp
  name: testapp
  namespace: testapp-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testapp
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-copy-volume-mounts: testapp
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: ""
        # path of the ConfigMap key (database-config.txt.tpl) inside the /vault/config mount
        vault.hashicorp.com/agent-inject-template-file-database-config.txt: /vault/config/database-config.txt.tpl
        vault.hashicorp.com/auth-path: auth/openshift-sbx
        vault.hashicorp.com/ca-cert: /vault/tls/ca.crt
        vault.hashicorp.com/role: ocp-sbx-testapp
        vault.hashicorp.com/tls-secret: vault-sta-ca-crt
      labels:
        app: testapp
    spec:
      containers:
      - image: registry.redhat.io/rhscl/httpd-24-rhel7:latest
        name: testapp
        resources:
          limits:
            memory: 1G
          requests:
            cpu: 100m
        volumeMounts:
        - mountPath: /vault/config
          name: database-cfg
      volumes:
      - configMap:
          defaultMode: 420
          name: database-cfg
        name: database-cfg
```

```
$ oc apply -f testapp-deployment.yaml
deployment.apps/testapp created

$ oc get pods
NAME                        READY   STATUS    RESTARTS   AGE
testapp-5bfc4d7954-mwvsl   2/2     Running   0          87s
```

We can see the ConfigMap template being interpolated and written to the destination volume:

```
$ oc rsh -c testapp testapp-5bfc4d7954-mwvsl cat /vault/secrets/database-config.txt
ext-username=ext-user
ext-password=pwd-ext-123

username=user123
password=pass123
```

@jfroche jfroche changed the title [WIP] Add annotation to use template path on disk Add annotation to use template path on disk Feb 18, 2021
@darkebe commented Mar 13, 2021

We really need this good feature for big config files.

@jasonodonnell jasonodonnell self-requested a review March 24, 2021 13:51

Review comment on the diff:

```go
// to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-".
// The value is the filename and path of the template used by the agent to render the secrets.
// If not provided, the template content key annotation is used.
AnnotationAgentInjectTemplateSource = "vault.hashicorp.com/agent-inject-template-source"
```
Contributor (reviewer):

Thoughts on making this `vault.hashicorp.com/agent-inject-template-file` instead?

Contributor Author (reply):

Indeed this annotation is clearer. I have updated the code.

@jasonodonnell (Contributor) commented:

Hi @jfroche! This looks great and is a good feature. I had one small suggestion on the name of the annotation, but overall it looks good to me. By the way, there's a new annotation that allows you to mount additional secrets, `vault.hashicorp.com/agent-extra-secret`, which could be used to mount the template sources.

@jasonodonnell (Contributor) left a review comment:

LGTM, thanks!

@jasonodonnell jasonodonnell merged commit 3637e70 into hashicorp:master Apr 5, 2021
@norman-zon commented:

> By the way, there's a new annotation that allows you to mount additional secrets vault.hashicorp.com/agent-extra-secret which could be used to mount the template sources.

I don't understand the decision for creating this annotation, but not `vault.hashicorp.com/agent-extra-configmap`.
You say `...extra-secret` could be used to mount the template source. But the template does not contain sensitive data; the sensitive data is stored in the secret I reference with `vault.hashicorp.com/agent-inject-secret`. So for me it seems logical to add an annotation `vault.hashicorp.com/agent-extra-configmap` that can mount a config map and offer the advantage of being able to handle large templates in clear text.
I understand I could achieve the same using `vault.hashicorp.com/agent-copy-volume-mounts`, but exposing all volumes of my container to the agent container just doesn't feel like the right way to do this. The same applies to the method shown in the "ConfigMap Example" in the docs. Having to duplicate the template for config.hcl and config-init.hcl seems very error prone to me.

RemcoBuddelmeijer pushed a commit to RemcoBuddelmeijer/vault-k8s that referenced this pull request Feb 22, 2022