Kubernetes plugin to synchronize secrets from vault as kubernetes secrets.
The vault_sync plugin is a k8s plugin to synchronize secrets from vault as kubernetes secrets.
It works in combination with the following projects:
It uses the following namespace annotations to create a batch job, that synchronizes secrets:
sync.vault.postfinance.ch/sync-image: the synchronizer image name (default: postfinance/vault-kubernetes-synchronizer:latest)sync.vault.postfinance.ch/auth-image: the authorizer image name (default: postfinance/vault-kubernetes-authenticator:latest)sync.vault.postfinance.ch/mount-path: the name of the mount where the kubernetes auth method is enabled (default: kubernetes)sync.vault.postfinance.ch/secrets-path: the secrets path in vault that should be syncronized to kubernetssync.vault.postfinance.ch/role: the name of the vault role to use for authenticationsync.vault.postfinance.ch/addr: the vault server’s URLsync.vault.postfinance.ch/trust-secret: kubernetes secret containing a CA certificate ‘truststore.pem’ to connect to vaultTo sync all secrets run:
$ kubectl vault_synccreating sync batch job to synchronize 'secret/team_linux/k8s/k8s-np/appl-zoekt-e1/' vault key
This creates a batch job that synchronizes the secrets. You can view the job with:
kubectl get job -l job=vault-syncNAME COMPLETIONS DURATION AGEvault-sync-20190412-101357 1/1 9s 103s
To check the logs run:
$ kubectl logs $(kubectl get pods -l job-name -o jsonpath='{.items[0].metadata.name}')2019/04/12 08:14:12 read secret/team_linux/k8s/k8s-np/appl-zoekt-e1/gitlab from vault2019/04/12 08:14:12 update secret gitlab from vault secret secret/team_linux/k8s/k8s-np/appl-zoekt-e1/gitlab2019/04/12 08:14:12 secrets successfully synchronized