deploy/dev/config/k8s/secrets-provider-init-container.sh.yml
#!/bin/bash
set -euo pipefail
CONJUR_AUTHN_LOGIN=${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}
cat << EOL
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-env
name: test-env
spec:
replicas: 1
selector:
matchLabels:
app: test-env
template:
metadata:
labels:
app: test-env
spec:
serviceAccountName: ${APP_NAMESPACE_NAME}-sa
containers:
- image: debian
name: test-app
command: ["sleep"]
args: ["infinity"]
env:
- name: TEST_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: secret
- name: SSH_KEY
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: ssh_key
- name: JSON_OBJECT_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: json_object_secret
- name: VARIABLE_WITH_SPACES_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_spaces
- name: VARIABLE_WITH_PLUSES_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_pluses
- name: VARIABLE_WITH_UMLAUT_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_umlaut
- name: VARIABLE_WITH_BASE64_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: var_with_base64
- name: NON_CONJUR_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret
key: non-conjur-key
- name: FETCH_ALL_TEST_SECRET
valueFrom:
secretKeyRef:
name: test-k8s-secret-fetch-all
key: secrets.test_secret
- name: FETCH_ALL_BASE64
valueFrom:
secretKeyRef:
name: test-k8s-secret-fetch-all-base64
key: secrets.encoded
initContainers:
- image: 'secrets-provider-for-k8s:latest'
imagePullPolicy: Never
name: cyberark-secrets-provider-for-k8s
env:
- name: CONTAINER_MODE
value: init
- name: MY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONJUR_APPLIANCE_URL
value: ${CONJUR_APPLIANCE_URL}
- name: CONJUR_AUTHN_URL
value: ${CONJUR_AUTHN_URL}
- name: CONJUR_ACCOUNT
value: ${CONJUR_ACCOUNT}
- name: CONJUR_SSL_CERTIFICATE
valueFrom:
configMapKeyRef:
name: conjur-master-ca-env
key: ssl-certificate
- name: K8S_SECRETS
value: test-k8s-secret,test-k8s-secret-fetch-all,test-k8s-secret-fetch-all-base64
- name: SECRETS_DESTINATION
value: k8s_secrets
- name: LOG_LEVEL
value: "debug"
- name: CONJUR_AUTHN_LOGIN
value: ${CONJUR_AUTHN_LOGIN}
# If using Jaeger for tracing, uncomment the following lines
# - name: JAEGER_COLLECTOR_URL
# value: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
imagePullSecrets:
- name: dockerpullsecret
---
apiVersion: v1
kind: ConfigMap
metadata:
name: conjur-master-ca-env
labels:
app: test-env
data:
ssl-certificate: |
$(echo "${CONJUR_SSL_CERTIFICATE}" | while read line; do printf "%20s%s\n" "" "$line"; done)
EOL