Inject secret in demo-app using secrets store csi driver

camptocamp · Oct 5, 2020 · b659251 · b659251
1 parent c366b48
commit b659251
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 3 deletions.
diff --git a/argocd/demo-app/templates/deployment.yaml b/argocd/demo-app/templates/deployment.yaml
@@ -33,6 +33,12 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: FOO
+              valueFrom:
+                secretKeyRef:
+                  name: demo-app-secrets-store-csi-secret
+                  key: foo
           ports:
             - name: http
               containerPort: 8080
@@ -47,6 +53,17 @@ spec:
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: secrets-store-inline
+              mountPath: "/mnt/secrets-store"
+              readOnly: true
+      volumes:
+        - name: secrets-store-inline
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "vault-demo-app"
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/argocd/demo-app/templates/secretproviderclass.yaml b/argocd/demo-app/templates/secretproviderclass.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: vault-demo-app
+spec:
+  provider: vault
+  parameters:
+    roleName: "demo-app"
+    vaultAddress: "http://vault-internal.vault.svc:8200"
+    vaultSkipTLSVerify: "true"
+    objects:  |
+      array:
+        - |
+          objectPath: "/demo-app"
+          objectName: "foo"
+          objectVersion: ""
+  secretObjects:
+    - data:
+        - key: foo
+          objectName: demo-app
+      secretName: demo-app-secrets-store-csi-secret
+      type: Opaque
diff --git a/docs/modules/ROOT/pages/access_vault_ui.adoc b/docs/modules/ROOT/pages/access_vault_ui.adoc
@@ -17,3 +17,9 @@ Use 'kubectl describe pod/demo-app-6f7cf8ddbf-vq7vg -n demo-app' to see all of t
 data: map[foo:bar pizza:cheese]
 metadata: map[created_time:2020-10-05T15:04:47.061885873Z deletion_time: destroyed:false version:1]
 ```
+
+==== Inject a secret from Vault using secrets store CSI driver
+
+```shell
+$ kubectl -n demo-app exec -ti $(kubectl -n demo-app get pods --selector 'app.kubernetes.io/name=demo-app' --output=name|head -n1) -- cat /mnt/secrets-store/demo-app
+```
diff --git a/vault/main.tf b/vault/main.tf
@@ -49,6 +49,14 @@ resource "vault_policy" "demo_app" {
 
   policy = <<EOT
 path "secret/data/demo-app" {
+  capabilities = ["read", "list"]
+}
+
+path "sys/renew/*" {
+  capabilities = ["update"]
+}
+
+path "sys/mounts" {
   capabilities = ["read"]
 }
 EOT
@@ -57,8 +65,8 @@ EOT
 resource "vault_kubernetes_auth_backend_role" "demo_app" {
   backend                          = vault_auth_backend.kubernetes.path
   role_name                        = "demo-app"
-  bound_service_account_names      = ["demo-app"]
-  bound_service_account_namespaces = ["demo-app"]
+  bound_service_account_names      = ["demo-app", "secrets-store-csi-driver"]
+  bound_service_account_namespaces = ["demo-app", "secrets-store-csi-driver"]
   token_ttl                        = 3600
-  token_policies                   = [vault_policy.demo_app.name]
+  token_policies                   = ["default", vault_policy.demo_app.name]
 }