# Base Deployment for HashiCorp Vault example with Banzai secret webhook
# Deploys the following containers
# - init container: with a dummy echo statement
# - base container: named "showcase", executes a script, stored in ConfigMap and appends some logs
# - sidecar container: named "showcase-sidecar", tail/follows the log file
#
# The app binds a Secret both as an env variable and as a file mount. This showcases the fact
# that mounted secrets get updated, whereas env variables do not
#
# Differences specific to HashiCorp Vault
# - Using annotation to inject the secrets directly from Vault
# - using service accounts to interact with Vault, service account is bound to a Vault role and policy
---
# ServiceAccount the showcase Pod runs as; this is the identity that is bound
# to a Vault role/policy (see file header) and to the TokenReview ClusterRole below.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: vault-test3
  name: sa-system-a-dev
---
# Second ServiceAccount. Nothing in this file uses it: no Pod runs as it and
# no RoleBinding references it, so it only exists as a second identity for the demo.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: vault-test3
  name: sa-system-b-dev
---
# Lets sa-system-a-dev call the TokenReview API so that its own token can be
# verified during the Vault login.
# NOTE(review): system:auth-delegator permits creating TokenReview and
# SubjectAccessReview objects for arbitrary tokens, which is more than a plain
# workload needs. It is only required if the Vault kubernetes auth backend uses
# the client's JWT as the reviewer token (no token_reviewer_jwt configured) —
# confirm against the Vault auth configuration. sa-system-b-dev gets no
# equivalent binding in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sa-system-a-dev-test-vault-role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    namespace: vault-test3
    name: sa-system-a-dev
---
# Plain Kubernetes Secret with static demo credentials. It carries none of the
# webhook annotations, so its values are stored exactly as written here.
# NOTE(review): the password is committed in clear text — acceptable for a
# dummy demo value, never for a real credential.
apiVersion: v1
kind: Secret
metadata:
  namespace: vault-test3
  name: vault-demo-creds-01
stringData:
  username: dummy
  password: dummy-value
---
# Script executed by the main container. It is mounted from this ConfigMap at
# /scripts (see the Deployment) and loops forever: it appends a timestamped
# heartbeat to /logs/test.log and prints every env var whose name contains "db".
# NOTE(review): `env | grep -i db` prints DB_PASSWORD, i.e. the Vault-injected
# secret, to stdout and therefore into the container logs. That is the point of
# this demo, but the line must not be carried over into a real workload.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: vault-test3
  name: showcase-vault-webhook-scripts
data:
  # Literal block (`|`) keeps the newlines and the trailing newline of the script.
  secrets-output.sh: |
    echo "secrets-output.sh script"
    while [ true ]; do
      echo "$(date '+%Y-%m-%d %H:%M:%S'): [From Main container] ...waiting..." >> /logs/test.log;
      echo "[Main container] ...waiting..."
      echo "Env:"
      env | grep -i db
      echo "-------------------------------------------"
      sleep 15
    done;
---
# Secret whose values are populated by the Banzai webhook. The "vault:<path>#<key>"
# reference in stringData.password is presumably replaced by the webhook with the
# value read from that Vault KV path (see file header). Nothing in this file
# mounts or references this Secret.
apiVersion: v1
kind: Secret
metadata:
  namespace: vault-test3
  name: vault-demo-webhook-secret
  annotations:
    # Address of the Vault service; the webhook's default is https://vault:8200
    vault.security.banzaicloud.io/vault-addr: "http://hashicorp-vault.vault-backend:8200"
    # Vault role to log in with; for Secrets and ConfigMaps the webhook's default is "default"
    vault.security.banzaicloud.io/vault-role: "role-system-a-dev"
    # Disables TLS certificate verification for vault-addr. It has no effect on the
    # plaintext http:// address above but must be dropped if the address becomes https://.
    vault.security.banzaicloud.io/vault-skip-verify: "true"
    # vault.security.banzaicloud.io/vault-agent: "true"
    # ServiceAccount whose identity the webhook uses for the Vault login of this Secret
    vault.security.banzaicloud.io/vault-serviceaccount: "sa-system-a-dev"
stringData:
  username: dummy
  password: "vault:secret/data/dev/system-a#db_password"
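---
# Workload that receives its DB credentials from Vault through the webhook:
# the "vault:<path>#<key>" env values are resolved when the Pod starts.
# NOTE(review): the file header lists an init container and a "showcase-sidecar"
# that tails /logs/test.log, and a Secret bound as a file mount; none of these
# appear in this Deployment — confirm whether an overlay adds them.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: vault-test3
  name: showcase-vault-webhook-deployment
  labels:
    app: showcase-vault-webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app: showcase-vault-webhook
  template:
    metadata:
      labels:
        app: showcase-vault-webhook
      annotations:
        # Address of the Vault service; the webhook's default is https://vault:8200
        vault.security.banzaicloud.io/vault-addr: "http://hashicorp-vault.vault-backend:8200"
        # Vault role to log in with; the webhook's default is the name of the
        # ServiceAccount the Pod runs as
        vault.security.banzaicloud.io/vault-role: "role-system-a-dev"
        # Disables TLS certificate verification for vault-addr. It has no effect on
        # the plaintext http:// address above but must be dropped if it becomes https://.
        vault.security.banzaicloud.io/vault-skip-verify: "true"
        # vault.security.banzaicloud.io/vault-agent: "true"
    spec:
      # Dedicated ServiceAccount for the Vault interaction; it is bound to a Vault
      # role/policy (file header) and to system:auth-delegator (ClusterRoleBinding above)
      serviceAccountName: sa-system-a-dev
      containers:
        - name: showcase-vault-webhook
          image: busybox:1.28
          command: ["sh", "-c", "/scripts/secrets-output.sh"]
          env:
            # Resolved by the webhook at Pod start; env values are not refreshed
            # afterwards, which is the behaviour this demo contrasts with file mounts
            - name: DB_USERID
              value: "vault:secret/data/dev/system-a#db_userid"
            - name: DB_PASSWORD
              value: "vault:secret/data/dev/system-a#db_password"
          volumeMounts:
            # Log directory; the script appends to /logs/test.log
            - name: logs
              mountPath: /logs
            # Script from the ConfigMap, executed by `command` above
            - name: showcase-scripts-configmap
              mountPath: /scripts
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
            limits:
              memory: "64Mi"
              cpu: "250m"
      volumes:
        - name: logs
          emptyDir: {}
        - name: showcase-scripts-configmap
          configMap:
            name: showcase-vault-webhook-scripts
            # Read+execute only (octal; leading zero is parsed as octal by the
            # Kubernetes YAML loader). The former 0777 granted write bits that a
            # read-only ConfigMap volume can never use, so the script is kept executable
            # with the minimal mode.
            defaultMode: 0555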