Add namespace and log level annotations

agent-inject/agent/agent.go

@@ -132,6 +132,12 @@ type Vault struct {
 	// make a request to the Vault server.
 	ClientTimeout string
 
+	// LogLevel sets the Vault Agent log level.  Defaults to info.
+	LogLevel string
+
+	// Namespace is the Vault namespace to prepend to secret paths.
+	Namespace string
+
 	// Role is the name of the Vault role to use for authentication.
 	Role string
 
@@ -175,6 +181,8 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 			ClientKey:        pod.Annotations[AnnotationVaultClientKey],
 			ClientMaxRetries: pod.Annotations[AnnotationVaultClientMaxRetries],
 			ClientTimeout:    pod.Annotations[AnnotationVaultClientTimeout],
+			LogLevel:         pod.Annotations[AnnotationVaultLogLevel],
+			Namespace:        pod.Annotations[AnnotationVaultNamespace],
 			Role:             pod.Annotations[AnnotationVaultRole],
 			TLSSecret:        pod.Annotations[AnnotationVaultTLSSecret],
 			TLSServerName:    pod.Annotations[AnnotationVaultTLSServerName],

agent-inject/agent/agent_test.go

@@ -75,8 +75,8 @@ func TestValidate(t *testing.T) {
 				ServiceAccountName: "foobar",
 				ImageName:          "test",
 				Vault: Vault{
-					Role:    "test",
-					Address: "https://foobar.com:8200",
+					Role:     "test",
+					Address:  "https://foobar.com:8200",
 					AuthPath: "test",
 				},
 			}, true,
@@ -148,8 +148,8 @@ func TestValidate(t *testing.T) {
 				ServiceAccountName: "foobar",
 				ImageName:          "test",
 				Vault: Vault{
-					Role:    "test",
-					Address: "https://foobar.com:8200",
+					Role:     "test",
+					Address:  "https://foobar.com:8200",
 					AuthPath: "",
 				},
 			}, false,

agent-inject/agent/annotations.go

@@ -79,6 +79,9 @@ const (
 	// AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers.
 	AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem"
 
+	// AnnotationVaultNamespace is the Vault namespace where secrets can be found.
+	AnnotationVaultNamespace = "vault.hashicorp.com/namespace"
+
 	// AnnotationVaultService is the name of the Vault server.  This can be overridden by the
 	// user but will be set by a flag on the deployment.
 	AnnotationVaultService = "vault.hashicorp.com/service"
@@ -116,6 +119,9 @@ const (
 	// AnnotationVaultClientTimeout sets the request timeout when communicating with Vault.
 	AnnotationVaultClientTimeout = "vault.hashicorp.com/client-timeout"
 
+	// AnnotationVaultLogLevel sets the Vault Agent log level.
+	AnnotationVaultLogLevel = "vault.hashicorp.com/log-level"
+
 	// AnnotationVaultRole specifies the role to be used for the Kubernetes auto-auth
 	// method.
 	AnnotationVaultRole = "vault.hashicorp.com/role"
@@ -184,6 +190,10 @@ func Init(pod *corev1.Pod, image, address, authPath, namespace string) error {
 		pod.ObjectMeta.Annotations[AnnotationAgentRequestsMem] = DefaultResourceRequestMem
 	}
 
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultLogLevel]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationVaultLogLevel] = DefaultAgentLogLevel
+	}
+
 	return nil
 }
 

agent-inject/agent/annotations_test.go

@@ -399,3 +399,33 @@ func TestInitEmptyPod(t *testing.T) {
 		t.Errorf("got no error, shouldn have")
 	}
 }
+
+func TestVaultNamespaceAnnotation(t *testing.T) {
+	tests := []struct {
+		key           string
+		value         string
+		expectedValue string
+	}{
+		{"", "", ""},
+		{"vault.hashicorp.com/namespace", "", ""},
+		{"vault.hashicorp.com/namespace", "foobar", "foobar"},
+		{"vault.hashicorp.com/namespace", "fooBar", "fooBar"},
+	}
+
+	for _, tt := range tests {
+		annotation := map[string]string{
+			tt.key: tt.value,
+		}
+		pod := testPod(annotation)
+		var patches []*jsonpatch.JsonPatchOperation
+
+		agent, err := New(pod, patches)
+		if err != nil {
+			t.Errorf("got error, shouldn't have: %s", err)
+		}
+
+		if agent.Vault.Namespace != tt.expectedValue {
+			t.Errorf("expected %s, got %s", tt.expectedValue, agent.Vault.Namespace)
+		}
+	}
+}

agent-inject/agent/config.go

@@ -109,6 +109,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 		AutoAuth: &AutoAuth{
 			Method: &Method{
 				Type:      "kubernetes",
+				Namespace: a.Vault.Namespace,
 				MountPath: a.Vault.AuthPath,
 				Config: map[string]interface{}{
 					"role": a.Vault.Role,

agent-inject/agent/container_env.go

@@ -24,6 +24,13 @@ func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error) {
 		})
 	}
 
+	if a.Vault.LogLevel != "" {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "VAULT_LOG_LEVEL",
+			Value: a.Vault.LogLevel,
+		})
+	}
+
 	if a.ConfigMapName == "" {
 		config, err := a.newConfig(init)
 		if err != nil {

agent-inject/agent/container_env_test.go

@@ -17,7 +17,7 @@ func TestContainerEnvs(t *testing.T) {
 		{Agent{Vault: Vault{ClientMaxRetries: "0"}}, []string{"VAULT_CONFIG", "VAULT_MAX_RETRIES"}},
 		{Agent{Vault: Vault{ClientTimeout: "5s"}}, []string{"VAULT_CONFIG", "VAULT_CLIENT_TIMEOUT"}},
 		{Agent{Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s"}}, []string{"VAULT_CONFIG", "VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT"}},
-		{Agent{ConfigMapName: "foobar", Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s"}}, []string{"VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT"}},
+		{Agent{ConfigMapName: "foobar", Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s", LogLevel: "info"}}, []string{"VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT", "VAULT_LOG_LEVEL"}},
 	}
 
 	for _, tt := range tests {

agent-inject/agent/container_init_sidecar.go

@@ -25,15 +25,15 @@ func (a *Agent) ContainerInitSidecar() (corev1.Container, error) {
 		},
 	}
 
-	arg := "echo ${VAULT_CONFIG?} | base64 -d > /tmp/config.json && vault agent -config=/tmp/config.json"
+	arg := DefaultContainerArg
 
 	if a.ConfigMapName != "" {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      configVolumeName,
 			MountPath: configVolumePath,
 			ReadOnly:  true,
 		})
-		arg = fmt.Sprintf("vault agent -config=%s/config-init.hcl", configVolumePath)
+		arg = fmt.Sprintf("touch %s && vault agent -config=%s/config-init.hcl", TokenFile, configVolumePath)
 	}
 
 	if a.Vault.TLSSecret != "" {

agent-inject/agent/container_sidecar.go

@@ -15,6 +15,7 @@ const (
 	DefaultResourceRequestCPU = "250m"
 	DefaultResourceRequestMem = "64Mi"
 	DefaultContainerArg       = "echo ${VAULT_CONFIG?} | base64 -d > /tmp/config.json && vault agent -config=/tmp/config.json"
+	DefaultAgentLogLevel      = "info"
 )
 
 // ContainerSidecar creates a new container to be added
@@ -41,7 +42,7 @@ func (a *Agent) ContainerSidecar() (corev1.Container, error) {
 			MountPath: configVolumePath,
 			ReadOnly:  true,
 		})
-		arg = fmt.Sprintf("vault agent -config=%s/config.hcl", configVolumePath)
+		arg = fmt.Sprintf("touch %s && vault agent -config=%s/config.hcl", TokenFile, configVolumePath)
 	}
 
 	if a.Vault.TLSSecret != "" {

agent-inject/agent/container_sidecar_test.go

@@ -30,18 +30,27 @@ func TestContainerSidecar(t *testing.T) {
 		t.Errorf("creating container sidecar failed, it shouldn't have: %s", err)
 	}
 
-	if len(container.Env) != 1 {
-		t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), 1)
+	expectedEnvs := 2
+	if len(container.Env) != expectedEnvs {
+		t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), expectedEnvs)
 	}
 
-	if container.Env[0].Name != "VAULT_CONFIG" {
-		t.Errorf("env name wrong, should have been %s, got %s", "VAULT_CONFIG", container.Env[0].Name)
+	if container.Env[0].Name != "VAULT_LOG_LEVEL" {
+		t.Errorf("env name wrong, should have been %s, got %s", "VAULT_LOG_LEVEL", container.Env[0].Name)
 	}
 
 	if container.Env[0].Value == "" {
 		t.Error("env value empty, it shouldn't be")
 	}
 
+	if container.Env[1].Name != "VAULT_CONFIG" {
+		t.Errorf("env name wrong, should have been %s, got %s", "VAULT_CONFIG", container.Env[1].Name)
+	}
+
+	if container.Env[1].Value == "" {
+		t.Error("env value empty, it shouldn't be")
+	}
+
 	if len(container.Args) != 1 {
 		t.Errorf("wrong number of args, got %d, should have been %d", len(container.Args), 1)
 	}
@@ -104,11 +113,12 @@ func TestContainerSidecarConfigMap(t *testing.T) {
 		t.Errorf("creating container sidecar failed, it shouldn't have: %s", err)
 	}
 
-	if len(container.Env) != 0 {
-		t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), 0)
+	expectedEnvs := 1
+	if len(container.Env) != expectedEnvs {
+		t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), expectedEnvs)
 	}
 
-	arg := fmt.Sprintf("vault agent -config=%s/config.hcl", configVolumePath)
+	arg := fmt.Sprintf("touch %s && vault agent -config=%s/config.hcl", TokenFile, configVolumePath)
 	if container.Args[0] != arg {
 		t.Errorf("arg value wrong, should have been %s, got %s", arg, container.Args[0])
 	}

subcommand/injector/command.go

@@ -27,16 +27,16 @@ import (
 type Command struct {
 	UI cli.Ui
 
-	flagListen       	string // Address of Vault Server
-	flagLogLevel     	string // Log verbosity
-	flagLogFormat    	string // Log format
-	flagCertFile     	string // TLS Certificate to serve
-	flagKeyFile      	string // TLS private key to serve
-	flagAutoName     	string // MutatingWebhookConfiguration for updating
-	flagAutoHosts    	string // SANs for the auto-generated TLS cert.
-	flagVaultService 	string // Name of the Vault service
-	flagVaultImage   	string // Name of the Vault Image to use
-	flagVaultAuthPath	string // Mount Path of the Vault Kubernetes Auth Method
+	flagListen        string // Address of Vault Server
+	flagLogLevel      string // Log verbosity
+	flagLogFormat     string // Log format
+	flagCertFile      string // TLS Certificate to serve
+	flagKeyFile       string // TLS private key to serve
+	flagAutoName      string // MutatingWebhookConfiguration for updating
+	flagAutoHosts     string // SANs for the auto-generated TLS cert.
+	flagVaultService  string // Name of the Vault service
+	flagVaultImage    string // Name of the Vault Image to use
+	flagVaultAuthPath string // Mount Path of the Vault Kubernetes Auth Method
 
 	flagSet *flag.FlagSet