# Dedicated identity for the job pod. It deliberately carries no permissions of
# its own; the Role/RoleBinding documents below grant only what the injected
# sidecar needs (GET on pods) so the job never runs under the namespace's
# default service account.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: default
  name: job-sa
---
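apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: job-pod-status
  # Pinned explicitly: the ServiceAccount and Job in this file live in
  # 'default', and a Role is only bindable from its own namespace. Without it
  # the Role lands in whatever namespace the kubectl context selects.
  namespace: default
# Least privilege: the sidecar only needs to read a single pod's status to
# detect that the job container has finished. No list/watch, no other resources.
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]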
---
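apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-pod-status
  # Same namespace as the Role it references and the ServiceAccount it binds.
  namespace: default
subjects:
  - kind: ServiceAccount
    name: job-sa
    # Required for ServiceAccount subjects: the API server rejects a
    # RoleBinding whose ServiceAccount subject has no namespace.
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-pod-status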
---
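apiVersion: batch/v1
kind: Job
metadata:
  name: app7-job
  namespace: default
spec:
  # One retry only: the script is an encrypt/decrypt round-trip, so re-running
  # it is harmless, but we do not want an endless crash loop either.
  backoffLimit: 1
  template:
    metadata:
      annotations:
        ovai.asaintsever.org/inject: "true"
        ovai.asaintsever.org/secrets-type: "static"  # static secrets
        # Enable 'secrets', 'proxy' and 'job' modes. 'job' must be requested
        # explicitly: the injector only receives the pod spec and cannot tell
        # a Job's pod from a Deployment's.
        ovai.asaintsever.org/mode: "secrets,proxy,job"
      labels:
        com.ovai.application: test
        com.ovai.service: test-app-svc
    spec:
      restartPolicy: Never
      # Custom service account bound to a Role allowing GET on pods: the
      # injected sidecar polls this pod's status to know when the job
      # container has finished.
      serviceAccountName: job-sa
      containers:
        - name: app7-job-container
          image: everpeace/curl-jq
          command:
            - "sh"
            - "-c"
            - |
              # -e: abort on the first failing command; -u: unset variables are errors.
              set -eu
              vault_addr="http://127.0.0.1:8200"
              echo "Job started"
              echo "Now using Vault Agent as a proxy to leverage Encryption as a Service feature (will encrypt and decrypt our secrets here)"
              echo "Advantage: you do not need to deal with any Vault tokens and you just have to send requests to the local Vault Agent sidecar (available at 127.0.0.1) that will then forward everything to Vault server."
              echo
              plaintext=$(grep SECRET1 /opt/ovai/secrets/secrets.properties)
              # NOTE(review): demo only -- this prints the injected secret to the pod logs.
              echo "Data that is going to be ciphered and deciphered: $plaintext"
              echo
              # Strip line wrapping: a multi-line base64 value is not valid inside a JSON string.
              b64Plaintext=$(echo "$plaintext" | base64 | tr -d '\n')
              # Wait until the sidecar forwards requests to an initialized Vault.
              # A connection error or non-JSON body yields an empty value and we keep polling.
              # NOTE(review): this wait is unbounded; pair it with spec.activeDeadlineSeconds
              # if a hung sidecar must not leave the job pending forever.
              isVaultReady=$(curl -s -X GET "$vault_addr/v1/sys/health" | jq --raw-output .initialized)
              while [ "$isVaultReady" != "true" ]; do
                sleep 5
                isVaultReady=$(curl -s -X GET "$vault_addr/v1/sys/health" | jq --raw-output .initialized)
              done
              # Build the request bodies with jq so the payload is always valid JSON.
              # 'curl -f' turns an HTTP error (e.g. 403 from a missing transit policy) into
              # a non-zero exit, and 'jq -e' fails on a null/missing field, so a failed call
              # aborts the job instead of silently carrying "null" into the next step.
              ciphertext=$(jq -n --arg p "$b64Plaintext" '{plaintext: $p}' \
                | curl -sSf -X POST --data @- "$vault_addr/v1/transit/encrypt/test-key" \
                | jq --raw-output -e .data.ciphertext)
              echo "Ciphertext"
              echo "=========="
              echo "$ciphertext"
              echo
              cleartext=$(jq -n --arg c "$ciphertext" '{ciphertext: $c}' \
                | curl -sSf -X POST --data @- "$vault_addr/v1/transit/decrypt/test-key" \
                | jq --raw-output -e .data.plaintext)
              echo "Cleartext"
              echo "=========="
              # NOTE(review): demo only -- the decrypted secret is written to the pod logs.
              echo "$cleartext" | base64 -d
              echo
              echo "Job stopped"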