Sign upLogin

cyberark/secrets-provider-for-k8s

View on GitHub
Star
assets/k8s-rotation.yaml

Summary

Maintainability
Test Coverage
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app
  name: test-app
  namespace: test-app-namespace
spec:
  selector:
    matchLabels:
      app: test-app
  replicas: 1
  template:
    metadata:
      annotations:
        conjur.org/secrets-refresh-enabled: "true"
        conjur.org/secrets-refresh-interval: 10s
      labels:
        app: test-app
    spec:
      serviceAccountName: test-app-sa
      containers:
      - name: test-app
        image: ubuntu:latest
        command: [ "sleep" ]
        args: [ "infinity" ]
        env:
          - name: DB_USERNAME
            valueFrom:
              secretKeyRef:
                name: test-app-secrets-provider-k8s-secret
                key: DB_USERNAME
          - name: DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: test-app-secrets-provider-k8s-secret
                key: DB_PASSWORD
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - all
      - image: cyberark/secrets-provider-for-k8s:latest
        imagePullPolicy: Always
        name: cyberark-secrets-provider-for-k8s
        env:
          - name: CONJUR_AUTHN_LOGIN
            value: host/conjur/authn-k8s/my-authenticator-id/apps/test-app
          - name: CONTAINER_MODE
            value: sidecar
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: K8S_SECRETS
            value: test-app-secrets-provider-k8s-secret
          - name: SECRETS_DESTINATION
            value: k8s_secrets
        envFrom:
          - configMapRef:
              name: conjur-connect
        volumeMounts:
        - mountPath: /run/conjur
          name: conjur-access-token
        - mountPath: /etc/conjur/ssl
          name: conjur-certs
        - mountPath: /conjur/podinfo
          name: podinfo
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - all
      volumes:
      - emptyDir:
          medium: Memory
        name: conjur-access-token
      - emptyDir:
          medium: Memory
        name: conjur-certs
      - downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo