a k8s initContainer that writes a configmap to be used by a container in the same pod


Azure Key Vault Secrets Init Container and Sidecar Container

An 'init container' to override Lightbend Config settings with values stored as secrets in Azure KeyVault.

The initContainer will look up secrets and store them in a file available to the application running in the same pod.

It can also be configured as a sidecar if you don't want to persist secrets.

Configure Key Vault authentication with environment variables (populated from k8s configmaps and secrets rather than literal values) as:

env:
- name: AZURE_CLIENT_ID
  value: "SET ME"
- name: AZURE_CLIENT_SECRET
  value: "SET ME"
- name: AZURE_TENANT_ID
  value: "SET ME"
- name: KEYVAULT_ID
  value: "/subscriptions/SETME/resourceGroups/SETME/providers/Microsoft.KeyVault/vaults/SETME"

Define the config override entries with SECRETS_SPEC, where each pair is lightbendConfigPath:secretName:

env:
- name: SECRETS_SPEC
  value: "akka.contrib.persistence.mongodb.mongo.mongouri:PROD_DB_MONGOURI"

Configure the location of the file via:

env:
- name: SECRETS_FILE_LOCATION
  value: "/opt/config/overrides.yaml"

To run as a sidecar container that serves the overrides from an HTTP server at http://localhost:8998, configure via:

env:
- name: IS_SIDECAR
  value: "true"

With the sidecar, no secrets are persisted and only containers in the same pod can access the localhost port. There is no networking outside the pod and thus no HTTPS.

NOTE: The sidecar may initialize too slowly for your app and your app will be restarted by Kubernetes until it successfully connects to the sidecar.

App Changes

Change your application running in the container to support the presence of an override file:

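  import java.net.URL
  import com.typesafe.config.{Config, ConfigFactory}

  // If CONFIG_OVERRIDES_URL is set, values parsed from it take priority
  // and the normally loaded config is only a fallback.
  val conf: Config = sys.env
    .get("CONFIG_OVERRIDES_URL")
    .fold(ConfigFactory.load())(u =>
      ConfigFactory.parseURL(new URL(u)).withFallback(ConfigFactory.load()))
  //
  // use 'conf' to look up values as normal
  // ...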

Then, in your Kubernetes YAML, tell your app where to find the overrides.

For the initContainer:

        env:
        - name: CONFIG_OVERRIDES_URL
          value: "file:///opt/config/overrides.yaml"

For the sidecar container:

        env:
        - name: CONFIG_OVERRIDES_URL
          value: "http://localhost:8998/config"

Examples

See the examples/k8s directory for working examples.
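
The initContainer settings above, assembled into one pod spec. This is an added example, not a file from this repository's examples/k8s directory. The pod name, both image names, the volume name and the Secret `keyvault-auth` with key `client-secret` are assumptions. It reads the client secret from a Kubernetes Secret instead of a literal `value`, and shares the overrides file through a memory-backed volume that the app mounts read-only.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app                            # hypothetical pod name
spec:
  volumes:
  - name: config-overrides                # hypothetical volume name
    emptyDir:
      medium: Memory                      # tmpfs: overrides file is not written to node disk
  initContainers:
  - name: keyvault-init
    image: example/keyvault-init:latest   # placeholder image name
    env:
    - name: AZURE_CLIENT_ID
      value: "SET ME"
    - name: AZURE_CLIENT_SECRET
      valueFrom:                          # a literal value here would be readable in the pod spec
        secretKeyRef:
          name: keyvault-auth             # assumed pre-existing Secret
          key: client-secret
    - name: AZURE_TENANT_ID
      value: "SET ME"
    - name: KEYVAULT_ID
      value: "/subscriptions/SETME/resourceGroups/SETME/providers/Microsoft.KeyVault/vaults/SETME"
    - name: SECRETS_SPEC
      value: "akka.contrib.persistence.mongodb.mongo.mongouri:PROD_DB_MONGOURI"
    - name: SECRETS_FILE_LOCATION
      value: "/opt/config/overrides.yaml"
    volumeMounts:
    - name: config-overrides
      mountPath: /opt/config
  containers:
  - name: app
    image: example/my-app:latest          # placeholder image name
    env:
    - name: CONFIG_OVERRIDES_URL
      value: "file:///opt/config/overrides.yaml"
    volumeMounts:
    - name: config-overrides
      mountPath: /opt/config
      readOnly: true                      # the app only needs to read the overrides
```

The Azure credentials appear only in the initContainer's environment, so the application container never receives them.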