helm/secrets-provider/templates/secrets-provider.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Values.secretsProvider.jobName | default .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- with .Values.labels }}
labels:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
template:
metadata:
{{- with .Values.labels }}
labels:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.annotations }}
annotations:
{{ toYaml . | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ .Values.rbac.serviceAccount.name }}
containers:
- image: {{ .Values.secretsProvider.image }}:{{ .Values.secretsProvider.tag }}
imagePullPolicy: {{ .Values.secretsProvider.imagePullPolicy }}
{{- if .Values.environment.conjur.authnJWT.projectToken}}
volumeMounts:
- name: jwt-token
mountPath: /var/run/secrets/tokens
{{- end }}
name: {{ .Values.secretsProvider.name }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
env:
{{- if .Values.environment.conjur.authnJWT.projectToken}}
- name: JWT_TOKEN_PATH
value: /var/run/secrets/tokens/{{ .Values.environment.conjur.authnJWT.projectedFilename }}
{{- end }}
- name: MY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if not .Values.environment.conjur.conjurConnConfigMap }}
- name: CONJUR_APPLIANCE_URL
value: {{ .Values.environment.conjur.applianceUrl | quote }}
- name: CONJUR_AUTHN_URL
value: {{ .Values.environment.conjur.authnUrl | quote }}
- name: CONJUR_ACCOUNT
value: {{ .Values.environment.conjur.account | quote }}
- name: CONJUR_SSL_CERTIFICATE
valueFrom:
configMapKeyRef:
name: {{ .Values.environment.conjur.sslCertificate.name | quote }}
key: ssl-certificate
{{- end }}
- name: CONJUR_AUTHN_LOGIN
value: {{ .Values.environment.conjur.authnLogin | quote }}
- name: SECRETS_DESTINATION
value: k8s_secrets
# Enables the support of multiple Kubernetes applications
- name: CONTAINER_MODE
value: application
- name: K8S_SECRETS
value: {{ .Values.environment.k8sSecrets | join "," }}
{{- if .Values.environment.conjur.retryIntervalSec }}
- name: RETRY_INTERVAL_SEC
value: {{ .Values.environment.conjur.retryIntervalSec | quote }}
{{- end }}
{{- if kindIs "float64" .Values.environment.conjur.retryCountLimit }}
- name: RETRY_COUNT_LIMIT
value: {{ .Values.environment.conjur.retryCountLimit | quote }}
{{- end }}
{{- if .Values.environment.logLevel }}
- name: LOG_LEVEL
value: {{ .Values.environment.logLevel | quote }}
{{- end }}
{{- if .Values.environment.conjur.conjurConnConfigMap }}
envFrom:
- configMapRef:
name: {{ .Values.environment.conjur.conjurConnConfigMap }}
{{- end }}
{{- if .Values.environment.conjur.authnJWT.projectToken}}
volumes:
- name: jwt-token
projected:
sources:
- serviceAccountToken:
path: {{ .Values.environment.conjur.authnJWT.projectedFilename }}
expirationSeconds: {{ .Values.environment.conjur.authnJWT.expiration }}
audience: {{ .Values.environment.conjur.authnJWT.audience }}
{{- end }}
{{- if .Values.secretsProvider.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.secretsProvider.imagePullSecret }}
{{- end }}
restartPolicy: Never
backoffLimit: 0