deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml

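#!/bin/bash
# Emit the dev-environment manifests for the push-to-file (init-container) mode
# of the Secrets Provider: a Deployment whose annotations describe the secret
# groups to render, plus a ConfigMap carrying the Conjur CA certificate.
#
# Inputs (environment): AUTHENTICATOR_ID, APP_NAMESPACE_NAME (only when
# CONJUR_AUTHN_LOGIN is not given), CONJUR_APPLIANCE_URL, CONJUR_AUTHN_URL,
# CONJUR_ACCOUNT, CONJUR_SSL_CERTIFICATE. With `set -u`, a missing variable
# aborts the script instead of emitting a manifest with a null value.
# Output: two YAML documents on stdout.
set -euo pipefail

# Default host identity. The trailing `*/*` matches any service account in the
# app namespace — convenient for the dev setup, but a production identity
# should name the workload explicitly.
CONJUR_AUTHN_LOGIN=${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}

# yaml_str VALUE — print VALUE as a single-quoted YAML scalar. Quoting keeps an
# empty value an empty string (an unquoted empty value parses as null) and stops
# characters such as ": ", " #" or a leading "*" from changing the manifest's
# structure. The only escape inside single quotes is doubling a single quote.
yaml_str() {
  local value=$1
  printf "'%s'" "${value//\'/\'\'}"
}

# The heredoc is unquoted on purpose: $VAR and $(...) expand, everything else
# (including the YAML comments) is emitted verbatim.
cat << EOL
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-env
  name: test-env
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-env
  template:
    metadata:
      labels:
        app: test-env
      annotations:
        conjur.org/authn-identity: $(yaml_str "${CONJUR_AUTHN_LOGIN}")
        conjur.org/container-mode: init
        conjur.org/secrets-destination: file
        conjur.org/log-level: "debug"
        conjur.org/retry-count-limit: "6"
        conjur.org/retry-interval-sec: "2"
        conjur.org/conjur-secrets.group1: |
          - url: secrets/url
          - username: secrets/username
          - password: secrets/password
          - encoded: secrets/encoded
            content-type: base64
        conjur.org/conjur-secrets-policy-path.group2: secrets
        conjur.org/conjur-secrets.group2: |
          - url: url
          - username: username
          - password: password
          - still_encoded: encoded
            content-type: text
        conjur.org/secret-file-format.group2: json
        conjur.org/conjur-secrets-policy-path.group3: secrets
        conjur.org/secret-file-path.group3: some-dotenv.env
        conjur.org/conjur-secrets.group3: |
          - url: url
          - username: username
          - password: password
        conjur.org/secret-file-format.group3: dotenv
        conjur.org/conjur-secrets.group4: |
          - url: secrets/url
          - username: secrets/username
          - password: secrets/password
        conjur.org/secret-file-format.group4: bash
        conjur.org/secret-file-path.group5: group5.template
        conjur.org/conjur-secrets.group5: |
          - username: secrets/username
          - password: secrets/password
        conjur.org/secret-file-template.group5: |
          username | {{ secret "username" }}
          password | {{ secret "password" }}
        conjur.org/secret-file-format.group5: template
        # Group 6 is a simple example of fetching all secrets available to the host.
        conjur.org/conjur-secrets.group6: "*"
        conjur.org/secret-file-format.group6: json
        # For group 7, fetch all using "*" in the YAML list format.
        # We use a template that encodes the secret values to base64.
        conjur.org/conjur-secrets.group7: |
          - "*"
        conjur.org/secret-file-template.group7: |
          {{range .SecretsArray}}{{ .Alias }}: {{ .Value | b64enc }}{{ "\n" }}{{end}}
        conjur.org/secret-file-format.group7: template
        conjur.org/secret-file-path.group7: group7.template
        # For Group 8, we fetch all secrets using "*" in the YAML list format but with
        # base64 encoding. This should decode any base64 encoded secrets.
        conjur.org/conjur-secrets.group8: |
          - "*": "*"
            content-type: base64
        conjur.org/secret-file-format.group8: yaml
        # If using Jaeger for tracing, uncomment the following line
        # conjur.org/jaeger-collector-url: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
    spec:
      containers:
      - image: debian
        name: test-app
        command: ["sleep"]
        args: ["infinity"]
        volumeMounts:
          # The app only reads the rendered secret files; keep the mount read-only.
          - mountPath: /opt/secrets/conjur
            name: conjur-secrets
            readOnly: true
      initContainers:
      - image: 'secrets-provider-for-k8s:latest'
        # Dev setup: the image is built locally, so never pull it.
        imagePullPolicy: Never
        name: cyberark-secrets-provider-for-k8s
        volumeMounts:
          - mountPath: /conjur/secrets
            name: conjur-secrets
          # The provider reads its own annotations (the group definitions above)
          # from the downward API projection mounted here.
          - mountPath: /conjur/podinfo
            name: podinfo
        env:
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name

          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: CONJUR_APPLIANCE_URL
            value: $(yaml_str "${CONJUR_APPLIANCE_URL}")

          - name: CONJUR_AUTHN_URL
            value: $(yaml_str "${CONJUR_AUTHN_URL}")

          - name: CONJUR_ACCOUNT
            value: $(yaml_str "${CONJUR_ACCOUNT}")

          - name: CONJUR_SSL_CERTIFICATE
            valueFrom:
              configMapKeyRef:
                name: conjur-master-ca-env
                key: ssl-certificate

      imagePullSecrets:
        - name: dockerpullsecret
      volumes:
      # RAM-backed volume: rendered secret files never reach the node's disk.
      - emptyDir:
          medium: Memory
        name: conjur-secrets
      - downwardAPI:
          defaultMode: 420  # decimal for 0644
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: conjur-master-ca-env
  labels:
    app: test-env
data:
  ssl-certificate: |
$(printf '%s\n' "${CONJUR_SSL_CERTIFICATE}" | while IFS= read -r line; do printf '    %s\n' "$line"; done)
EOL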