Every artifact can be verifiably traced to Source Code and Hardware

Batuhan Apaydın developer-guy

@developer-guy
developer-guy / test-deployment.yaml
Created March 29, 2021 10:37
bank-vaults Test Deployment Manifest
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-secrets
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-secrets
  template:
@developer-guy
developer-guy / commands
Created March 29, 2021 10:34
Bank-Vaults webhook installation
# Next, install the mutating webhook with Helm into its own namespace (to bypass the catch-22 situation of self mutation)
$ helm upgrade --namespace vault-infra --install vault-secrets-webhook banzaicloud-stable/vault-secrets-webhook --wait
Release "vault-secrets-webhook" does not exist. Installing it now.
NAME: vault-secrets-webhook
LAST DEPLOYED: Mon Mar 29 13:32:21 2021
NAMESPACE: vault-infra
STATUS: deployed
REVISION: 1
TEST SUITE: None
@developer-guy
developer-guy / commands
Created March 29, 2021 10:30
Vault proper setup test
# Set the Vault token from the Kubernetes secret
# (strictly for demonstrative purposes, we have K8s unsealing in cr.yaml)
$ export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys -o jsonpath={.data.vault-root} | base64 --decode)
# Tell the CLI that the Vault Cert is signed by a custom CA
$ kubectl get secret vault-tls -o jsonpath="{.data.ca\.crt}" | base64 --decode > $PWD/vault-ca.crt
$ export VAULT_CACERT=$PWD/vault-ca.crt
# Tell the CLI where Vault is listening (the certificate has 127.0.0.1 as well as alternate names)
$ export VAULT_ADDR=https://127.0.0.1:8200
@developer-guy
developer-guy / commands
Created March 29, 2021 09:55
Vault Custom Resource deploy commands
# Create a Vault instance with the operator which has the Kubernetes auth method configured
$ git clone https://github.com/developer-guy/inject-secrets-from-vault-to-pod-using-vault-env
$ cd inject-secrets-from-vault-to-pod-using-vault-env
# Create necessary RBAC
$ kubectl apply -f rbac.yaml
serviceaccount/vault created
role.rbac.authorization.k8s.io/vault created
rolebinding.rbac.authorization.k8s.io/vault created
@developer-guy
developer-guy / cr.yaml
Created March 29, 2021 09:45
Vault Custom Resource Definition
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
  name: "vault"
spec:
  size: 1
  image: vault:1.6.2
  # specify a custom bank-vaults image with bankVaultsImage:
  # bankVaultsImage: ghcr.io/banzaicloud/bank-vaults:latest
@developer-guy
developer-guy / commands
Last active March 29, 2021 09:43
vault-operator setup commands
# Add the Banzai Cloud Helm repository
$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
"banzaicloud-stable" has been added to your repositories
# Create a namespace for the bank-vaults components called vault-infra
$ kubectl create namespace vault-infra
namespace/vault-infra created
# Namespace labeling is required, because the webhook's mutation is based on label selectors
$ kubectl label namespace vault-infra name=vault-infra
@developer-guy
developer-guy / commands
Created March 29, 2021 09:35
minikube commands
$ minikube version
minikube version: v1.18.1
commit: 09ee84d530de4a92f00f1c5dbc34cead092b95bc
$ minikube config view
- cpus: 3
- memory: 8192
- vm-driver: virtualbox
$ minikube start
😄minikube v1.18.1 on Darwin 10.15.7
✨ Using the virtualbox driver based on user configuration
@developer-guy
developer-guy / commands.yaml
Created March 26, 2021 19:31
Define a Command and Arguments for a Container
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: debian
@developer-guy
developer-guy / main.go
Created March 26, 2021 11:43
Get OCI Image Config programmatically using go-containerregistry as Go module
package main
import (
"encoding/json"
"log"
"os"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
@developer-guy
developer-guy / imaginary.yaml
Created March 25, 2021 21:09
imaginary-consul-vault-env
env:
- name: BAR
  value: consul://foo/bar
- name: FOO
  value: vault://data/bar/foo