README
¶
Vault-webhook
Mutating webhook that injects the Vault-Creds sidecar into pods on pod creation using a custom resource for configuration.
Note: vault-webhook will only inject sidecar into pods which are in namespace labelled with vault-webhook=enabled.
Usage
The webhook will do four things:
- Add a volume called
vault-credsthis is where you will find your credentials - VolumeMount the
vault-credsvolume into your existing containers - Add an init-container called
vault-creds-<database-role>-init - Add a container called
vault-creds-<database-role>
It does this by checking the service account on your pod against custom resources called DatabaseCredentialBindings. This resource links your ServiceAccount to a Database and role Example DatabaseCredentialBinding:
---
apiVersion: vaultwebhook.uswitch.com/v1alpha1
kind: DatabaseCredentialBinding
metadata:
name: mybinding
namespace: mynamespace
spec:
serviceAccount: my_service_account
database: mydb
role: readonly
outputPath: /config #Optional: defaults to /etc/database
outputFile: mycreds #Optional: defaults to database-role
The webhook expects there to be a volume called vault-template already there, this volume should be a configmap and it should contain a file called database-role e.g mydb-readonly which will be used for templating your credentials. It will output the credentials to a file called /etc/database/database-role in the vault-creds volume. Note that the path where the file is found and the name of the file can be changed using the outputPath and outputFile fields in the CRD respectively.
Example Deployment:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
namespace: mynamespace
spec:
replicas: 1
template:
metadata:
spec:
serviceAccountName: my_service_account
containers:
- name: myapp
args:
- --db-creds=/etc/database/mydb-readonly
volumes:
- name: vault-template
configMap:
name: my-template
Args
usage: vault-webhook-linux-amd64 --vault-address=VAULT-ADDRESS --login-path=LOGIN-PATH --sidecar-image=SIDECAR-IMAGE [<flags>]
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
--vault-address=VAULT-ADDRESS URL of vault
--vault-ca-path=VAULT-CA-PATH Path to the CA cert for vault
--login-path=LOGIN-PATH Kubernetes auth login path for vault
--sidecar-image=SIDECAR-IMAGE Vault-creds sidecar image to use
--gateway-address=GATEWAY-ADDRESS
URL of Push Gateway
--secret-path-format="%s/creds/%s"
The format for the path used for reading database credentials, where the first %s is the database name and the second %s is the role
--server-address=":8443" The address the webhook server will listen on.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
pkg
|
|
|
apis/vaultwebhook.uswitch.com/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
|
Package v1alpha1 is the v1alpha1 version of the API. |
|
client/clientset/versioned
This package has the automatically generated clientset.
|
This package has the automatically generated clientset. |
|
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
client/clientset/versioned/typed/vaultwebhook.uswitch.com/v1alpha1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
client/clientset/versioned/typed/vaultwebhook.uswitch.com/v1alpha1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |