Skip to content
This repository has been archived by the owner on Apr 1, 2020. It is now read-only.
/ mutating-webhook-vault-agent Public archive

Mutating Admission Controller - Vault Agent Sidecar Injection

License

Apache-2.0 license
8 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

openlab-red/mutating-webhook-vault-agent

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

122 Commits

build

build

 
 

cmd

cmd

 
 

internal

internal

 
 

pkg/kube

pkg/kube

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

Mutating Webhook Vault Agent

DEPRECATED

In favour of Vault Agent Injector

More info how to use with OpenShift: https://github.com/openlab-red/hashicorp-vault-for-openshift

Build Vault Agent Webhook container

    oc project hashicorp

    oc apply -f build/webhook-build.yaml

    oc start-build vault-agent-webhook --follow

Deploy Vault Agent WebHook

  1. Create the sidecar vault agent configuration

    oc apply -f build/sidecar-configmap.yaml

  2. Process Mutating WebHook Template.

    The template is going to create the following resources:

    • vault-agent-webhook-psp PodSecurityPolicy
    • vault-agent-webhook-clusterrole ClusterRole
    • vault-agent-webhook ServiceAccount
    • vault-agent-webhook-rolebinding ClusterRoleBinding
    • vault-agent-webhook Service
    • vault-agent-webhook DeploymentConfig
    • vault-agent-webhook MutatingWebhookConfiguration

    2.1 Get service-ca.crt from the configmap ca-bundle.

    oc extract configmap/vault-agent-webhook-cabundle --confirm
export CA_BUNDLE=$(cat service-ca.crt | base64 | tr -d '\n')

    2.2 Process the webhook-template

    oc process -f build/webhook-template.yaml -p CA_BUNDLE=${CA_BUNDLE} | oc apply -f -
    PARAMETER DEFAULT DESCRIPTION
    CA_BUNDLE CA used by kubernetes to trust the webhook
    VAULT_NAMESPACE hashicorp Hashicorp Vault Namespac
    GIN_MODE release Http server startup mode gin-gonic
    LOG_LEVEL INFO Log level from logrus

Verify Sidecar Injection

  1. Label the target project where you want the webhook to inject the vault agent sidecar container.

    oc label namespace app sidecar.agent.vaultproject.io/webhook=enabled

  2. Add the sidecar.agent.vaultproject.io/inject annotation with value true to the pod template spec to enable injection.

    oc patch dc/thorntail-example -p '{
                                 "spec": {
                                   "template": {
                                     "metadata": {
                                       "annotations": {
                                         "sidecar.agent.vaultproject.io/inject": "true",
                                         "sidecar.agent.vaultproject.io/secret": "secret/example",
                                         "sidecar.agent.vaultproject.io/filename": "application.yaml",
                                         "sidecar.agent.vaultproject.io/role": "example"
                                       }
                                     }
                                   }
                                 }
                               }'

  3. The vault agent webhook will:

    • Create or Update the vault agent configmap
    • Inject Vault agent sidecar container
    • Inject Vault secret fetcher sidecar container
    • Mount Vault volume to the app container

References

About

Mutating Admission Controller - Vault Agent Sidecar Injection

Topics

kubernetes openshift secrets admission-controllers vault-agent vault-agent-webhook mutating-webhook

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

8 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages