deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml
#!/bin/bash
set -euo pipefail
CONJUR_AUTHN_LOGIN=${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}
cat << EOL
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-env
name: test-env
spec:
replicas: 1
selector:
matchLabels:
app: test-env
template:
metadata:
labels:
app: test-env
annotations:
conjur.org/authn-identity: '$CONJUR_AUTHN_LOGIN'
conjur.org/container-mode: init
conjur.org/secrets-destination: file
conjur.org/log-level: "debug"
conjur.org/retry-count-limit: "6"
conjur.org/retry-interval-sec: "2"
conjur.org/conjur-secrets.group1: |
- url: secrets/url
- username: secrets/username
- password: secrets/password
- encoded: secrets/encoded
content-type: base64
conjur.org/conjur-secrets-policy-path.group2: secrets
conjur.org/conjur-secrets.group2: |
- url: url
- username: username
- password: password
- still_encoded: encoded
content-type: text
conjur.org/secret-file-format.group2: json
conjur.org/conjur-secrets-policy-path.group3: secrets
conjur.org/secret-file-path.group3: some-dotenv.env
conjur.org/conjur-secrets.group3: |
- url: url
- username: username
- password: password
conjur.org/secret-file-format.group3: dotenv
conjur.org/conjur-secrets.group4: |
- url: secrets/url
- username: secrets/username
- password: secrets/password
conjur.org/secret-file-format.group4: bash
conjur.org/secret-file-path.group5: group5.template
conjur.org/conjur-secrets.group5: |
- username: secrets/username
- password: secrets/password
conjur.org/secret-file-template.group5: |
username | {{ secret "username" }}
password | {{ secret "password" }}
conjur.org/secret-file-format.group5: template
# Group 6 is a simple example of fetching all secrets available to the host.
conjur.org/conjur-secrets.group6: "*"
conjur.org/secret-file-format.group6: json
# For group 7, fetch all using "*" in the YAML list format.
# We use a template that encodes the secret values to base64.
conjur.org/conjur-secrets.group7: |
- "*"
conjur.org/secret-file-template.group7: |
{{range .SecretsArray}}{{ .Alias }}: {{ .Value | b64enc }}{{ "\n" }}{{end}}
conjur.org/secret-file-format.group7: template
conjur.org/secret-file-path.group7: group7.template
# For Group 8, we fetch all secrets using "*" in the YAML list format but with
# base64 encoding. This should decode any base64 encoded secrets.
conjur.org/conjur-secrets.group8: |
- "*": "*"
content-type: base64
conjur.org/secret-file-format.group8: yaml
# If using Jaeger for tracing, uncomment the following line
# conjur.org/jaeger-collector-url: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
spec:
containers:
- image: debian
name: test-app
command: ["sleep"]
args: ["infinity"]
volumeMounts:
- mountPath: /opt/secrets/conjur
name: conjur-secrets
readOnly: true
initContainers:
- image: 'secrets-provider-for-k8s:latest'
imagePullPolicy: Never
name: cyberark-secrets-provider-for-k8s
volumeMounts:
- mountPath: /conjur/secrets
name: conjur-secrets
- mountPath: /conjur/podinfo
name: podinfo
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONJUR_APPLIANCE_URL
value: ${CONJUR_APPLIANCE_URL}
- name: CONJUR_AUTHN_URL
value: ${CONJUR_AUTHN_URL}
- name: CONJUR_ACCOUNT
value: ${CONJUR_ACCOUNT}
- name: CONJUR_SSL_CERTIFICATE
valueFrom:
configMapKeyRef:
name: conjur-master-ca-env
key: ssl-certificate
imagePullSecrets:
- name: dockerpullsecret
volumes:
- emptyDir:
medium: Memory
name: conjur-secrets
- downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations
path: annotations
name: podinfo
---
apiVersion: v1
kind: ConfigMap
metadata:
name: conjur-master-ca-env
labels:
app: test-env
data:
ssl-certificate: |
$(echo "${CONJUR_SSL_CERTIFICATE}" | while read line; do printf "%20s%s\n" "" "$line"; done)
EOL