Created
July 18, 2019 15:34
-
-
Save stackdumper/b9592d4be4c39e0dbb41aaf81a653c00 to your computer and use it in GitHub Desktop.
vault-to-env - Kubernetes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1beta2 | |
| kind: Deployment | |
| metadata: | |
| name: vte-example | |
| labels: | |
| app: vte-example | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: vte-example | |
| template: | |
| metadata: | |
| labels: | |
| app: vte-example | |
| spec: | |
| # important: configure serviceAccountName | |
| serviceAccountName: app | |
| volumes: | |
| - name: "creds" | |
| emptyDir: {} | |
| initContainers: | |
| # runs before the primary container | |
| # and generates a set of required credentials | |
| - name: vte | |
| image: stackdumper/vault-to-env:1.2.0 | |
| imagePullPolicy: Always | |
| args: | |
| # read db user and pass, adjust lease to 3600 seconds, save leases | |
| # generates variables DB_USER, DB_PASS, DB_USER_LEASE_ID, DB_PASS_LEASE_ID (last two are actually equal) | |
| # output variables into /etc/creds/creds.sh | |
| - | | |
| vte read \ | |
| --auth-path /auth/kubernetes/login \ | |
| --auth-data jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) \ | |
| --auth-data role=app \ | |
| --vars DB_USER=database/creds/app#username \ | |
| --vars DB_PASS=database/creds/app#password \ | |
| --lease-duration 3600 \ | |
| --save-leases \ | |
| > /etc/creds/creds.sh | |
| # important: configure vault address | |
| env: | |
| - name: VAULT_ADDR | |
| value: https://vault.example.com | |
| # important: attach mount with creds | |
| volumeMounts: | |
| - mountPath: /etc/creds | |
| name: creds | |
| containers: | |
| # main application container | |
| - name: main-container | |
| image: busybox | |
| command: | |
| - "/bin/sh" | |
| - "-c" | |
| args: | |
| - | | |
| while true; do \ | |
| cat /etc/creds/creds.sh; \ | |
| sleep 300; \ | |
| done | |
| imagePullPolicy: IfNotPresent | |
| volumeMounts: | |
| # important: attach mount with creds | |
| - mountPath: /etc/creds | |
| name: creds | |
| # sidecar container that renews leases | |
| - name: vte-sidecar | |
| image: stackdumper/vault-to-env:1.2.0 | |
| imagePullPolicy: Always | |
| args: | |
| # renew leases for 60 minutes every 30 minutes | |
| - | | |
| source /etc/creds/creds.sh && \ | |
| sleep 1800 && while true; do \ | |
| vte renew \ | |
| --auth-path /auth/kubernetes/login \ | |
| --auth-data jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) \ | |
| --auth-data role=app \ | |
| --leases $DB_USER_LEASE_ID \ | |
| --leases $DB_PASS_LEASE_ID \ | |
| --duration 3600; echo "successfully renewed leases"; \ | |
| sleep 1800; \ | |
| done | |
| env: | |
| - name: VAULT_ADDR | |
| value: https://vault.example.com | |
| volumeMounts: | |
| - mountPath: /etc/creds | |
| name: creds |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment