How can I replace left and right delimiters #348

Closed
ramanNarasimhan77 opened this issue Jun 29, 2020 · 5 comments

@ramanNarasimhan77

ramanNarasimhan77 commented Jun 29, 2020

Hello,

I have recently installed vault-helm chart in ha mode with consul backend.

I am attempting to use vault to securely inject secrets in an argo workflow. My workflow has the following annotations, where "{{workflow.parameters.vault-gitcreds-secret}}" and "{{workflow.parameters.vault-auth-role}}" are go templates that argo replaces at runtime based on the workflow parameters vault-gitcreds-secret and vault-auth-role.

The "{{workflow.parameters.vault-gitcreds-secret}}" under inject-template however is not getting rendered by argo since it is enclosed by another template.

Is it possible to override default delimiters and specify different delimiters for vault template so that I can use something like ${ and }$ so that argo workflow replace logic can work?

metadata:      
    annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-.git-credentials: "{{workflow.parameters.vault-gitcreds-secret}}"
        vault.hashicorp.com/secret-volume-path: "/home/app-user"
        vault.hashicorp.com/role: "{{workflow.parameters.vault-auth-role}}"
        vault.hashicorp.com/agent-inject-template-.git-credentials: |
          {{- with secret "{{workflow.parameters.vault-gitcreds-secret}}" -}}
            {{ .Data.data.gitcreds }}
          {{- end }}

P.S. - I have also created this issue in argo github hoping that probably there is some workaround for this that I have overlooked

@jasonodonnell
Contributor

Hi @ramanNarasimhan77,

Vault K8s doesn't allow you to configure delimiters using annotations yet. We'll be adding this feature in the future.

A workaround for now is to mount a custom config.hcl file using a configMap. This will allow you to define the delimiters.

Here's an example of mounting a custom configmap: https://www.vaultproject.io/docs/platform/k8s/injector/examples#configmap-example

You can define the delimiters in the template block:

    "template" = {
      "contents" = "{{- with secret \"database/creds/db-app\" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
      "destination" = "/vault/secrets/db-creds"
      "left_delimiter" = "{{"
      "right_delimiter" = "}}"
    }

Hope that helps!

@josegonzalez

Is there any chance we can re-open this? The functionality wasn't actually added, so I think something to track it would be great.

@artem-zherdiev-ingio

+1

@Diliz

Diliz commented Jul 8, 2024

Still no way to handle custom delimiters via agent injector without using configmaps?

@Diliz

Diliz commented Jul 15, 2024

> Hi @ramanNarasimhan77,
>
> Vault K8s doesn't allow you to configure delimiters using annotations yet. We'll be adding this feature in the future.
>
> A workaround for now is to mount a custom config.hcl file using a configMap. This will allow you to define the delimiters.
>
> Here's an example of mounting a custom configmap: https://www.vaultproject.io/docs/platform/k8s/injector/examples#configmap-example
>
> You can define the delimiters in the template block:
>
>     "template" = {
>       "contents" = "{{- with secret \"database/creds/db-app\" -}}postgres://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/mydb?sslmode=disable{{- end }}"
>       "destination" = "/vault/secrets/db-creds"
>       "left_delimiter" = "{{"
>       "right_delimiter" = "}}"
>     }
>
> Hope that helps!

I actually use the latest version of the injector, and with the exact same config, with 2 templates in it, one with custom delimiters, and the other without custom delimiters, it's not working with the custom ones, but it's working with default ones...

Did you really manage to use custom delimiters with a custom config with custom delimiters like "[[" "]]" @jasonodonnell?

EDIT: I managed to make it work with [[ and ]] in fact, but wasn't able with ${ and } as delimiters for unknown reasons
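
How the two template layers stay separate once the Vault template uses `[[` and `]]`, as an added Go example that is not part of this thread or of vault-k8s. Vault Agent templates are rendered by Consul Template on top of Go's text/template, where delimiters are set with `Delims`; `substituteArgo` is a simplified stand-in for Argo's parameter substitution, and the stub `secret` function, the secret path and the credential value are constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// argoParam matches Argo-style placeholders such as {{workflow.parameters.name}}.
var argoParam = regexp.MustCompile(`\{\{workflow\.parameters\.([A-Za-z0-9_-]+)\}\}`)

// substituteArgo is a simplified stand-in for Argo's substitution, not its real code (assumption).
func substituteArgo(text string, params map[string]string) string {
	return argoParam.ReplaceAllStringFunc(text, func(m string) string {
		if v, ok := params[argoParam.FindStringSubmatch(m)[1]]; ok {
			return v
		}
		return m // unknown parameter: leave the placeholder untouched
	})
}

// vaultSecret mimics the shape of a KV v2 read so .Data.data.<key> resolves.
type vaultSecret struct{ Data map[string]interface{} }

// renderVault renders tmpl with custom delimiters and a stub "secret" function backed by store.
func renderVault(tmpl, left, right string, store map[string]string) (string, error) {
	secret := func(path string) (*vaultSecret, error) {
		v, ok := store[path]
		if !ok {
			return nil, fmt.Errorf("no secret at %q", path)
		}
		return &vaultSecret{Data: map[string]interface{}{"data": map[string]interface{}{"gitcreds": v}}}, nil
	}
	t, err := template.New("t").Delims(left, right).Funcs(template.FuncMap{"secret": secret}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, nil)
	return out.String(), err
}

func main() {
	// Constructed sample values, not taken from the issue.
	params := map[string]string{"vault-gitcreds-secret": "secret/data/ci/gitcreds"}
	store := map[string]string{"secret/data/ci/gitcreds": "ci-bot:EXAMPLE-TOKEN"}
	tmpl := `[[- with secret "{{workflow.parameters.vault-gitcreds-secret}}" -]][[ .Data.data.gitcreds ]][[- end ]]`
	fmt.Println(renderVault(substituteArgo(tmpl, params), "[[", "]]", store))
}
```

If the outer substitution never runs, the inner layer asks for a secret at the literal placeholder path and fails with an error instead of writing a file with the wrong content.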
