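---
# Entrypoint for the init container: authenticates to Vault with the pod's
# service-account JWT (kubernetes auth method, role "demo-role"), reads the
# key stored under kv/data/ct_key and writes it, base64-decoded, into the
# emptyDir that is shared with the main container.
apiVersion: v1
kind: ConfigMap
metadata:
  name: secrets-reader-configmap
data:
  entrypoint.sh: |
    #!/bin/bash
    # Fail on any failed command, unset variable or failed pipeline stage, so a
    # failed login can never silently produce an empty or garbage key file
    # (the original pipeline would write "null" | base64 -d and exit 0).
    set -euo pipefail
    # Files created below (the private key) are owner-readable only.
    umask 077

    yum install -y curl wget epel-release
    yum install -y jq

    : "${VAULT_ADDR:?VAULT_ADDR must be set}"
    # Must match the workdir mountPath in the Deployment.
    KEY_OUT=/tmp/whatever/our-key.pem

    # Build the login payload with jq so the JWT is JSON-escaped instead of
    # string-interpolated. TLS verification stays on (no curl -k); if Vault
    # uses a privately issued certificate, pass --cacert with its CA bundle.
    SA_JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
    VAULT_TOKEN="$(jq -n --arg jwt "$SA_JWT" --arg role demo-role '{jwt: $jwt, role: $role}' \
      | curl -sS --fail -X POST --data @- "${VAULT_ADDR}/v1/auth/kubernetes/login" \
      | jq -r '.auth.client_token // empty')"
    [ -n "$VAULT_TOKEN" ] || { echo "vault login failed: no client_token returned" >&2; exit 1; }
    export VAULT_TOKEN

    # --fail turns HTTP errors (403 on a missing policy, 404 on a missing path)
    # into a non-zero exit instead of feeding an error body to base64.
    curl -sS --fail -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/kv/data/ct_key" \
      | jq -r '.data.data.key // empty' | base64 -d > "$KEY_OUT"
    [ -s "$KEY_OUT" ] || { echo "no key material returned for kv/data/ct_key" >&2; exit 1; }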
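---
# One pod: an init container fetches a key from Vault into a shared emptyDir,
# then the main container runs with that key available under /tmp/whatever.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secrets-reader-deployment
  labels:
    app: secrets-reader
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secrets-reader
  template:
    metadata:
      labels:
        app: secrets-reader
    spec:
      # `serviceAccount` is the deprecated spelling of this field; the
      # supported one is `serviceAccountName`. The Vault kubernetes-auth role
      # used by the entrypoint must be bound to this service account.
      serviceAccountName: phil
      volumes:
        - name: workdir
          # Memory-backed (tmpfs) so the fetched private key is never written
          # to the node's disk; it lives only as long as the pod.
          emptyDir:
            medium: Memory
        - name: configmap-reader-volume
          configMap:
            name: secrets-reader-configmap
            # Octal; kubectl parses this as 448 (owner rwx only).
            defaultMode: 0700
      initContainers:
        - name: init-reader
          # TODO: pin to an immutable tag or digest; a floating tag lets the
          # image that handles Vault credentials change underneath this manifest.
          image: pgporada/vault
          command:
            - /bin/entrypoint.sh
          env:
            - name: VAULT_ADDR
              # Plain HTTP: the service-account JWT and the Vault token cross the
              # network in cleartext. Prefer an https:// endpoint.
              value: "http://192.168.1.142:8200"
          volumeMounts:
            - name: workdir
              mountPath: /tmp/whatever
            - name: configmap-reader-volume
              mountPath: /bin/entrypoint.sh
              subPath: entrypoint.sh
              readOnly: true
      containers:
        - name: reader
          # TODO: pin to an immutable tag or digest.
          image: centos
          command:
            - sh
            - "-c"
            - "echo The app is running! && sleep 3600"
          env:
            - name: VAULT_ADDR
              value: "http://192.168.1.142:8200"
          volumeMounts:
            - name: workdir
              mountPath: /tmp/whatever
...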