# Identity the Job's pod runs as. Permissions come from the job-pod-status
# Role/RoleBinding in this file; the account itself carries no rights.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: job-sa
  namespace: default
---
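apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: job-pod-status
  # A Role is namespaced. Pinned to the same namespace as job-sa and the Job so
  # that applying this file from a kubectl context with another default
  # namespace cannot leave the Job's pod without the permission it polls with.
  namespace: default
# Least privilege: the sidecar only needs to read the status of the job's own
# pod; no list/watch, no other resources, no write verbs.
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]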
---
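apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-pod-status
  # Same namespace as the Role it references and the ServiceAccount it binds.
  namespace: default
subjects:
  - kind: ServiceAccount
    name: job-sa
    # A ServiceAccount subject must name the namespace the account lives in;
    # job-sa is created in "default" above, so without this the binding does
    # not resolve to that account.
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-pod-status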
---
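apiVersion: batch/v1
kind: Job
metadata:
  name: app2-job
  namespace: default
spec:
  # One retry after a failed pod. Together with the bounded readiness wait in
  # the script below this keeps a sidecar that never comes up from hanging the
  # Job forever.
  backoffLimit: 1
  template:
    metadata:
      annotations:
        sidecar.vault.talend.org/inject: "true"
        sidecar.vault.talend.org/mode: "proxy,job"  # Enable only 'proxy' and 'job' modes
        # Vault Sidecar Injector receives the pod spec: it does not know whether it is a job or a deployment.
        # Annotation below is deprecated, use 'sidecar.vault.talend.org/mode' instead.
        # sidecar.vault.talend.org/workload: "job"
      labels:
        com.talend.application: test
    spec:
      restartPolicy: Never
      # custom serviceAccountName with role allowing to perform GET on pods (needed to poll for job's pod status)
      serviceAccountName: job-sa
      containers:
        - name: app2-job-container
          image: everpeace/curl-jq
          command:
            - "sh"
            - "-c"
            - |
              set -e
              echo "Job started"
              echo "Now using Vault Agent as a proxy to leverage Encryption as a Service feature"
              echo "Advantage: you do not need to deal with any Vault tokens and you just have to send requests to the local Vault Agent sidecar (available at 127.0.0.1) that will then forward everything to Vault server."
              echo
              # The agent sidecar is reached on loopback only; it holds the Vault credentials, so no token is handled here.
              vaultAddr="http://127.0.0.1:8200"
              # Wait for the sidecar to answer. The loop is bounded so that a sidecar that never
              # comes up fails the Job (backoffLimit then applies) instead of looping forever.
              attempts=0
              until [ "$(curl -s -X GET "$vaultAddr/v1/sys/health" | jq --raw-output .initialized)" = "true" ]; do
                attempts=$((attempts + 1))
                if [ "$attempts" -ge 60 ]; then
                  echo "Vault Agent sidecar not ready after $attempts attempts, aborting" >&2
                  exit 1
                fi
                sleep 5
              done
              plaintext="Secret data to protect"
              echo "Data that is going to be ciphered and deciphered: $plaintext"
              echo
              # tr strips the line wrapping base64 adds on longer input, which would otherwise break the JSON body.
              b64Plaintext=$(echo "$plaintext" | base64 | tr -d '\n')
              # Build request bodies with jq rather than string interpolation so the value is always valid JSON.
              encryptBody=$(jq -n --arg p "$b64Plaintext" '{plaintext: $p}')
              ciphertext=$(curl -s --fail -X POST --data "$encryptBody" "$vaultAddr/v1/transit/encrypt/test-key" | jq --raw-output .data.ciphertext)
              # --fail makes curl print nothing on an HTTP error and jq prints "null" on an unexpected document;
              # stop here instead of forwarding an empty or "null" ciphertext to the decrypt endpoint.
              if [ -z "$ciphertext" ] || [ "$ciphertext" = "null" ]; then
                echo "Encryption request failed" >&2
                exit 1
              fi
              echo "Ciphertext"
              echo "=========="
              echo "$ciphertext"
              echo
              decryptBody=$(jq -n --arg c "$ciphertext" '{ciphertext: $c}')
              cleartext=$(curl -s --fail -X POST --data "$decryptBody" "$vaultAddr/v1/transit/decrypt/test-key" | jq --raw-output .data.plaintext)
              if [ -z "$cleartext" ] || [ "$cleartext" = "null" ]; then
                echo "Decryption request failed" >&2
                exit 1
              fi
              echo "Cleartext"
              echo "=========="
              echo "$cleartext" | base64 -d
              echo
              echo "Job stopped"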