Vault 'agent-inject-template' annotation throwing error


I want to update my existing vault 'agent-inject-template' annotation to support the 'export' option as mentioned in the official doc.

Kubernetes version - 1.21

Current working template

        {{- range $value := $.Values.vault.secrets }}
        {{- $secretName := regexFind "[^/]+$" $value }}
        vault.hashicorp.com/agent-inject-secret-{{ $secretName }}: {{ $value | quote }}
        vault.hashicorp.com/agent-inject-template-{{ $secretName }}: |
          {{`{{- with secret `}}{{ $value | quote }}{{` -}}
              {{ .Data.data | toJSON }}
          {{- end }}`}}
        {{- end }}

Current value.yaml

vault:
  enabled: true
  secrets:
    - path/to/secret/database

Results in /vault/secrets/database

{"host":"example.us-east-1.rds.amazonaws.com","port":5432,"user":"postgres"}

What I have tried

helm template

        {{- range $value := $.Values.vault.secrets }}
        {{- $secretName := regexFind "[^/]+$" .path }}
        vault.hashicorp.com/agent-inject-template-{{ $secretName }}: |
          {{`{{- with secret `}}{{ .path | quote }}{{` -}}
          {{ .Data.data | toJSON }}
          {{- if .exports }}
          {{- range $key, $value := .exports }}
          export {{ $key }}={{ .Data.data.$value }}
          {{- end }}
          {{- end }}
          {{- end }}`}}

values file

vault:
  enabled: false
  secrets:
    - path: path/to/secret/database
      exports:
        DB_HOST: host
        DB_PORT: port
    - path: path/to/secret/redis
      exports:
        REDIS_HOST: host
        REDIS_PORT: port

The error I am getting

vault-agent-init [INFO] (runner) starting
vault-agent-init  [ERROR] template.server: template server error: error="(dynamic): parse: template: :5: bad character U+0024 '$'"
vault-agent-init [INFO] (runner) stopping
vault-agent-init [INFO]  template.server: template server stopped
vault-agent-init [INFO]  auth.handler: shutdown triggered, stopping lifetime watcher
vault-agent-init [INFO]  auth.handler: auth handler stopped
vault-agent-init [ERROR] runtime error encountered: error="template server: (dynamic): parse: template: :5: bad character U+0024 '$'"
vault-agent-init Error encountered during run, refer to logs for more details.
Stream closed EOF for service-example/example-generic-internal-xxx-xxx (vault-agent-init)
Dima On

I have a simplified example of how I handle it. Maybe that will help you. Basically, I just put {{ $value }} in single quotes, so special characters are parsed as text.

vault.hashicorp.com/agent-inject-secret-x: dev/secrets/data/path/x
vault.hashicorp.com/agent-inject-template-x: |
  {{- with secret "dev/secrets/data/path/x" -}}
  {{- range $key, $value := .Data.data }}
  export {{ $key }}='{{ $value }}'
  {{- end }}
  {{- end -}}

In your case, the error message shows it cannot parse '$', which you don't have in your secret, which tells you that the issue is in your config.
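As an added illustration (not code from the question or from Dima's answer), the Go program below drives Go's text/template, the engine that consul-template and therefore Vault Agent build on, with a stand-in `secret` function over constructed data: it reproduces the question's parse error and renders a corrected template that looks the key up with `index` instead of the invalid `.Data.data.$value`, with the exports map passed as template data in place of what Helm would substitute. `fakeVault`, `secretFn` and the `shq` quoting helper exist only in this example; a real Agent template has no `shq` and must quote values with the functions consul-template actually provides.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-in for Vault KV v2 data, keyed by secret path (the page's database secret).
var fakeVault = map[string]map[string]interface{}{"path/to/secret/database": {"host": "example.us-east-1.rds.amazonaws.com", "port": 5432, "user": "postgres"}}

// secretFn is a hypothetical stand-in for consul-template's `secret` function; the nested maps let a template reach .Data.data as on the page.
func secretFn(path string) (map[string]interface{}, error) {
	data, ok := fakeVault[path]
	if !ok {
		return nil, fmt.Errorf("secret %q not found", path)
	}
	return map[string]interface{}{"Data": map[string]interface{}{"data": data}}, nil
}

// shellQuote single-quotes a value and escapes embedded single quotes, so `export K='v'` stays one shell literal even if v contains ' or spaces.
func shellQuote(v interface{}) string {
	return "'" + strings.ReplaceAll(fmt.Sprint(v), "'", `'\''`) + "'"
}

// Render runs a Vault Agent style template with the exports map as its data; a parse error (the question's "bad character U+0024 '$'") is returned instead of output.
func Render(tmpl string, exports map[string]string) (string, error) {
	t, err := template.New("").Funcs(template.FuncMap{"secret": secretFn, "shq": shellQuote}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, exports); err != nil {
		return "", err
	}
	return out.String(), nil
}
// Broken reproduces the question's line: `.Data.data.$value` is not Go-template syntax and fails at parse time.
const Broken = `{{- range $key, $value := $ }}
export {{ $key }}={{ .Data.data.$value }}
{{- end }}`
// Fixed keeps the secret in $s (inside the inner range `.` is the exports value, not the secret), looks the key up with `index`, and shell-quotes the value.
const Fixed = `{{- with $s := secret "path/to/secret/database" -}}
{{- range $key, $value := $ -}}
export {{ $key }}={{ index $s.Data.data $value | shq }}
{{ end -}}
{{- end -}}`
func main() {
	fmt.Println(Render(Fixed, map[string]string{"DB_HOST": "host", "DB_PORT": "port"}))
}
```

A missing secret path surfaces as an execution error rather than an empty `export` line, which is the behaviour you want before an init container hands the file to the application.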