README
¶
KRM Filter - Annotate
Generate kubernetes secrets from azure vault
This function fetches secrets, defined by a client side custom resource, from azure vault and generates kubernetes secrets from it.
Auth
The function requires either service principal credentials or a id token.
Service Principal
export AZURE_TENANT_ID=
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=
export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=
Access Token
export AAD_ACCESS_TOKEN="$(az account get-access-token \
--resource https://vault.azure.net --scope https://vault.azure.net/.default \
--query accessToken --output tsv)"
Examples
The function config is a simple configmap-like object to control the behavior of the generator.
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-secrets
data:
mode: azure # can also be 'file-mock', reading secrets from $FILE_MOCK_DATA_DIR
fs: disk # fs can also be memory, not caching secrets to disk
The actual secrets are generated from resources of kind AzureVaultSource.
apiVersion: bluebrown.github.io/v1alpha1
kind: AzureVaultSource
metadata:
name: env-file
annotations:
config.kubernetes.io/local-config: "true"
spec:
# the name of the secret in kubernetes, to create
secretName: env-file
# list of container targets to inject the secret
# as envFrom secret ref
containerTargets:
- myapp
# the vault uri as written in the azure portal
vaultUri: https://krmtest.vault.azure.net/
# list of secrets to retrieve from the vault
vaultSecrets:
- secret: my-env-file #the secret name in the vault
version: "" # uses 'latest', if empty
key: env # the key is the secret name, if empty
# optional go template to format the secrets
# if not provided, secrets are rendered as key value pairs
stringDataTemplate: |
{{ envToYaml .env }}
Run the function as standalone providing the function config and resources.
azure-vault-secrets fn-config.yaml - < resources.yaml
Documentation
¶
Index ¶
Constants ¶
View Source
const ( KindPod = "Pod" KindSecret = "Secret" KindVaultSource = "AzureVaultSource" )
Variables ¶
View Source
var TemplateRenderer = tpl()
Functions ¶
func Processor ¶
func Processor() framework.ResourceListProcessorFunc
Types ¶
type AzureVaultSourceCRD ¶
type AzureVaultSourceCRD struct {
Spec AzureVaultSourceSpec `json:"spec,omitempty"`
}
type AzureVaultSourceSpec ¶
type AzureVaultSourceSpec struct {
VaultUri string `json:"vaultUri" yaml:"vaultUri"`
VaultSecrets []secrets.VaultSecret `json:"vaultSecrets" yaml:"vaultSecrets"`
ContainerTargets []string `json:"containerTargets" yaml:"containerTargets"`
SecretName string `json:"secretName" yaml:"secretName"`
Template *string `json:"stringDataTemplate" yaml:"stringDataTemplate"`
}
type FunctionConfig ¶
type FunctionConfig struct {
Data Data `json:"data,omitempty"`
}
type HasSecretRef ¶
type Namespaces ¶
type Namespaces map[string]struct{}
type SecretGenerator ¶
type SecretGenerator struct {
Kind string `yaml:"kind,omitempty" json:"kind,omitempty"`
Namespaces Namespaces `json:"namespaces,omitempty"`
SecretName string `json:"secret_name,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
Labels map[string]string `json:"labels,omitempty"`
StringData map[string]string `json:"string_data,omitempty"`
Template *string `json:"template,omitempty"`
}
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.