From b659251ff6a52379a153dbcf219d09ffd522f131 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Can=C3=A9vet?=
Date: Mon, 5 Oct 2020 17:39:14 +0200
Subject: [PATCH] Inject secret in demo-app using secrets store csi driver
---
 argocd/demo-app/templates/deployment.yaml | 17 ++++++++++++++
 .../templates/secretproviderclass.yaml | 23 +++++++++++++++++++
 docs/modules/ROOT/pages/access_vault_ui.adoc | 6 +++++
 vault/main.tf | 14 ++++++++---
 4 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 argocd/demo-app/templates/secretproviderclass.yaml
diff --git a/argocd/demo-app/templates/deployment.yaml b/argocd/demo-app/templates/deployment.yaml
index e300f2b49d..9a8eefde50 100644
--- a/argocd/demo-app/templates/deployment.yaml
+++ b/argocd/demo-app/templates/deployment.yaml
@@ -33,6 +33,12 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: FOO
+ valueFrom:
+ secretKeyRef:
+ name: demo-app-secrets-store-csi-secret
+ key: foo
 ports:
 - name: http
 containerPort: 8080
@@ -47,6 +53,17 @@ spec:
 port: http
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "vault-demo-app"
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/argocd/demo-app/templates/secretproviderclass.yaml b/argocd/demo-app/templates/secretproviderclass.yaml
new file mode 100644
index 0000000000..afe73ec138
--- /dev/null
+++ b/argocd/demo-app/templates/secretproviderclass.yaml
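Review bot: The `env`/`secretKeyRef` entry in the first hunk makes the container depend on the Kubernetes Secret `demo-app-secrets-store-csi-secret`, which only exists once the driver has mounted the volume and synced it; the ref is not marked `optional`, so if the driver install does not have secret syncing enabled the pod sits in CreateContainerConfigError instead of failing visibly at chart level. Since the same value is already mounted under `/mnt/secrets-store` by the second hunk, the env var is a second copy that lands in the process environment (readable from /proc and inherited by child processes); consider dropping `FOO` or documenting why both paths are wanted, e.g. `# Secret is also mounted as a file; FOO demonstrates the synced-Secret path`. The literals `demo-app-secrets-store-csi-secret` and `"vault-demo-app"` are hard-coded here and again in the new secretproviderclass.yaml; deriving them from a shared chart value or helper keeps the two templates from drifting.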
@@ -0,0 +1,23 @@
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+ name: vault-demo-app
+spec:
+ provider: vault
+ parameters:
+ roleName: "demo-app"
+ vaultAddress: "http://vault-internal.vault.svc:8200"
+ vaultSkipTLSVerify: "true"
+ objects: |
+ array:
+ - |
+ objectPath: "/demo-app"
+ objectName: "foo"
+ objectVersion: ""
+ secretObjects:
+ - data:
+ - key: foo
+ objectName: demo-app
+ secretName: demo-app-secrets-store-csi-secret
+ type: Opaque
diff --git a/docs/modules/ROOT/pages/access_vault_ui.adoc b/docs/modules/ROOT/pages/access_vault_ui.adoc
index 0d5bfa8c8a..f1be231a31 100644
--- a/docs/modules/ROOT/pages/access_vault_ui.adoc
+++ b/docs/modules/ROOT/pages/access_vault_ui.adoc
@@ -17,3 +17,9 @@ Use 'kubectl describe pod/demo-app-6f7cf8ddbf-vq7vg -n demo-app' to see all of t
 data: map[foo:bar pizza:cheese]
 metadata: map[created_time:2020-10-05T15:04:47.061885873Z deletion_time: destroyed:false version:1]
 ```
+
+==== Inject a secret from Vault using secrets store CSI driver
+
+```shell
+$ kubectl -n demo-app exec -ti $(kubectl -n demo-app get pods --selector 'app.kubernetes.io/name=demo-app' --output=name|head -n1) -- cat /mnt/secrets-store/demo-app
+```
diff --git a/vault/main.tf b/vault/main.tf
index 50cd4eb3d3..7acfc3f4dc 100644
--- a/vault/main.tf
+++ b/vault/main.tf
@@ -49,6 +49,14 @@ resource "vault_policy" "demo_app" { policy = <
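Review bot: `vaultAddress` points at `http://vault-internal.vault.svc:8200` while `vaultSkipTLSVerify: "true"` is also set; with a plaintext URL the skip flag is a no-op, and both the login credential the provider presents for `roleName` and the returned secret cross the cluster network unencrypted. If the Vault listener has TLS, switch to `https://` and drop `vaultSkipTLSVerify` (or supply a CA bundle) rather than disabling verification; if plaintext is intentional for the demo, say so next to the address, e.g. `# Demo only: plaintext in-cluster transport; use https and a CA bundle elsewhere`. Note also that `objects` is YAML embedded in a block scalar, so indentation mistakes inside it are only caught by the provider at mount time, not by Helm or kubectl.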