app-dep-6-secrets-proxy.yaml
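# Sample Deployment for the Vault sidecar injector: the annotations below request
# both 'secrets' mode (a secrets file is waited for under /opt/ovai/secrets) and
# 'proxy' mode (a local Vault Agent listener at 127.0.0.1:8200, used by the script).
# The container loops forever, printing the secrets and round-tripping one of them
# through the Vault transit engine. It is a demonstration, not a production template.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app6
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      com.ovai.application: test
      com.ovai.service: test-app-svc
  template:
    metadata:
      annotations:
        ovai.asaintsever.org/inject: "true"
        # In proxy mode the agent listens on the pod's loopback interface, which every
        # container in the pod shares. Per the message echoed by the script, callers
        # send no token of their own, so the Vault policy behind this workload should
        # grant only the transit paths it actually needs.
        ovai.asaintsever.org/mode: "secrets,proxy"  # Enable both 'secrets' and 'proxy' modes
      labels:
        com.ovai.application: test
        com.ovai.service: test-app-svc
    spec:
      # NOTE(review): the Vault role used by the injected agent is presumably bound to
      # this service account - confirm. 'default' is shared by every pod in the
      # namespace that does not set its own, so a dedicated account narrows who can
      # obtain these secrets.
      serviceAccountName: default
      containers:
        - name: app6-container
          # NOTE(review): no tag or digest, so this resolves to ':latest' from a public
          # registry. Pin a reviewed digest before reuse, e.g.
          # everpeace/curl-jq@sha256:<digest>  (placeholder, not a real value).
          image: everpeace/curl-jq
          command:
            - "sh"
            - "-c"
            - |
              set -e
              # Block until the secrets file has been written by the injected sidecar.
              while true; do
                echo "Wait for secrets file ..."
                if [ -f "/opt/ovai/secrets/secrets.properties" ]; then
                  echo "Secrets available"
                  break
                fi
                sleep 2
              done
              while true;do
                # DEMO ONLY: this writes secret values to stdout, i.e. into the container
                # log and whatever log pipeline collects it. Never do this outside a test.
                echo "My secrets are: $(cat /opt/ovai/secrets/secrets.properties)"
                echo
                echo "Now using Vault Agent as a proxy to leverage Encryption as a Service feature (will encrypt and decrypt our secrets here)"
                echo "Advantage: you do not need to deal with any Vault tokens and you just have to send requests to the local Vault Agent sidecar (available at 127.0.0.1) that will then forward everything to Vault server."
                echo
                plaintext=$(grep SECRET1 /opt/ovai/secrets/secrets.properties)
                echo "Data that is going to be ciphered and deciphered: $plaintext"
                echo
                # base64 wraps long output across lines; a raw newline inside the JSON
                # string below would make the request body invalid, so strip them.
                b64Plaintext=$(echo "$plaintext" | base64 | tr -d '\n')
                # Interpolating into JSON is acceptable only because the value is base64
                # (no quotes or backslashes); arbitrary text would need a JSON encoder.
                ciphertext=$(curl -s -X POST --data "{\"plaintext\": \"$b64Plaintext\"}" http://127.0.0.1:8200/v1/transit/encrypt/test-key | jq --raw-output .data.ciphertext)
                # jq prints 'null' when the response has no .data.ciphertext (e.g. an error
                # body) and nothing when curl got no response; do not feed that to decrypt.
                if [ -z "$ciphertext" ] || [ "$ciphertext" = "null" ]; then
                  echo "Encrypt request returned no ciphertext; retrying"
                  sleep 5
                  continue
                fi
                echo "Ciphertext"
                echo "=========="
                echo "$ciphertext"
                echo
                cleartext=$(curl -s -X POST --data "{\"ciphertext\": \"$ciphertext\"}" http://127.0.0.1:8200/v1/transit/decrypt/test-key | jq --raw-output .data.plaintext)
                # Same guard as above: skip decoding when the decrypt call yielded nothing.
                if [ -z "$cleartext" ] || [ "$cleartext" = "null" ]; then
                  echo "Decrypt request returned no plaintext; retrying"
                  sleep 5
                  continue
                fi
                echo "Cleartext"
                echo "=========="
                echo "$cleartext" | base64 -d
                echo
                sleep 5
              done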