deploy/config/k8s/test-env-k8s-rotation.sh.yml
#!/bin/bash
set -euo pipefail
CONJUR_AUTHN_LOGIN=${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}
cat << EOL
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-env
name: test-env
spec:
replicas: 1
selector:
matchLabels:
app: test-env
template:
metadata:
labels:
app: test-env
annotations:
conjur.org/authn-identity: '$CONJUR_AUTHN_LOGIN'
conjur.org/container-mode: "sidecar"
conjur.org/secrets-refresh-enabled: "true"
conjur.org/secrets-refresh-interval: "10s"
conjur.org/secrets-destination: k8s_secrets
conjur.org/k8s-secrets: |
- test-k8s-secret
- test-k8s-secret-fetch-all
- test-k8s-secret-fetch-all-base64
conjur.org/log-level: "debug"
conjur.org/remove-deleted-secrets-enabled: "true"
spec:
serviceAccountName: ${APP_NAMESPACE_NAME}-sa
containers:
- image: '${PULL_DOCKER_REGISTRY_PATH}/${APP_NAMESPACE_NAME}/debian:latest'
name: test-app
command: ["sleep"]
args: ["infinity"]
livenessProbe:
exec:
command:
- /mounted/status/conjur-secrets-unchanged.sh
failureThreshold: 1
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
volumeMounts:
- name: conjur-status
mountPath: /mounted/status
env:
- name: TEST_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: secret
- name: SSH_KEY
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: ssh_key
- name: JSON_OBJECT_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: json_object_secret
- name: VARIABLE_WITH_SPACES_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_spaces
- name: VARIABLE_WITH_PLUSES_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_pluses
- name: VARIABLE_WITH_UMLAUT_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_umlaut
- name: VARIABLE_WITH_BASE64_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_base64
- name: NON_CONJUR_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: non-conjur-key
- name: FETCH_ALL_TEST_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret-fetch-all
key: secrets.test_secret
- name: FETCH_ALL_BASE64
valueFrom:
secretKeyRef:
name: test-k8s-secret-fetch-all-base64
key: secrets.encoded
- image: '${PULL_DOCKER_REGISTRY_PATH}/${APP_NAMESPACE_NAME}/secrets-provider:latest'
imagePullPolicy: Always
name: cyberark-secrets-provider-for-k8s
lifecycle:
postStart:
exec:
command:
- /usr/local/bin/conjur-secrets-provided.sh
volumeMounts:
- mountPath: /conjur/podinfo
name: podinfo
- name: conjur-status
mountPath: /conjur/status
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONJUR_APPLIANCE_URL
value: ${CONJUR_APPLIANCE_URL}
- name: CONJUR_AUTHN_URL
value: ${CONJUR_AUTHN_URL}
- name: CONJUR_ACCOUNT
value: ${CONJUR_ACCOUNT}
- name: CONJUR_SSL_CERTIFICATE
valueFrom:
configMapKeyRef:
name: conjur-master-ca-env
key: ssl-certificate
- name: CONJUR_AUTHN_LOGIN
value: ${CONJUR_AUTHN_LOGIN}
imagePullSecrets:
- name: dockerpullsecret
volumes:
- downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations
path: annotations
name: podinfo
- name: conjur-status
emptyDir:
medium: Memory
---
apiVersion: v1
kind: ConfigMap
metadata:
name: conjur-master-ca-env
labels:
app: test-env
data:
ssl-certificate: |
$(echo "${CONJUR_SSL_CERTIFICATE}" | while read line; do printf "%20s%s\n" "" "$line"; done)
EOL