Giters

richardcase / vault-initializer

Kubernetes Initializer for Vault Secrets

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

gokubernetesvault

Vault Initializer Build Status Go Report Card License

Vault Initializer is a Kubernetes Initializer that injects secrets from Vault into a container when a deployment is created. It currently supports 2 ways to publish secrets into a container:

  • Environment Variables
  • A Kubernetes secret (automatically created) which is then mounted as a volume automatically into the POD.

This isn't production ready yet. If you would like to help making in production production ready then see the contributing guide

Getting Started

You need Kubernetes 1.7.0+. If you want to use minikube you can use the following to spin up a cluster:

minikube start --extra-config=apiserver.Admission.PluginNames="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota" --kubernetes-version=v1.8.0

Edit and deploy the initializer config:

kubectl create -f kube/configmaps/vault-initializer.yaml

Edit the vault token in the secrets file and deploy:

kubectl create -f kube/secrets/vault-initializer.yaml

Only the token authentication backend is currently supported for Vault

The Vault Initializer controller needs to be deployed to the cluster:

kubectl create -f kube/deployments/vault-initializer.yaml

Now create the Kuberenetes initialzer for deployments:

kubectl create -f kube/initializer-config/vault.yaml

Now when you create a deployment the Vault initializer will be invoked. For example you can deploy a test app that dumps environment variables to the logs:

kubectl create -f kube/deployments/envprinter.yaml

Vault Naming Conventions

When the initializer runs it will look for secrets using the following convention:

secret/{deploymentnamespace}/{containername}

For all the secrets in the following path it will inject an enviroment variable or an entry in a JSON config file into the container with the name of the secret and who's value is the value of the secret.

This is controlled using the following template:

vaultPathPattern: /v1/secret/{{.Namespace}}/{{.ContainerName}}

For example, if we create a secret using the following:

vault write secret/default/envprinter mysecret=Password123

An environment variable named mysecret will be injected into a container named envprinter when the deployment namespace is defaul.

Contributing

If you would like to contribute see the guide.

About

Kubernetes Initializer for Vault Secrets

gokubernetesvault

License:Apache License 2.0

Languages

Language:Go 95.0%Language:Makefile 2.9%Language:Shell 2.0%