# ServiceAccount the Job's pod runs under (see 'serviceAccountName' in the Job below).
# It is granted 'get' on pods through the RoleBinding 'job-pod-status'.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: job-sa
---
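# Namespaced Role used to poll the job's pod status.
# 'namespace' is set explicitly so this Role lands in the same namespace as the
# ServiceAccount and the Job, whatever namespace kubectl is pointed at.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: job-pod-status
  namespace: default
rules:
  # Read-only 'get' on pods is the only permission needed; 'list', 'watch' and
  # all write verbs are deliberately left out (least privilege).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]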
---
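# Binds the 'job-pod-status' Role to the 'job-sa' ServiceAccount.
# Both the binding and the subject carry an explicit 'namespace' so they resolve
# to the same namespace as the ServiceAccount and Job manifests ('default').
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-pod-status
  namespace: default
subjects:
  - kind: ServiceAccount
    name: job-sa
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-pod-status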
---
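# Demo Job: waits for the secrets file written by the injected Vault sidecar, then
# encrypts/decrypts one secret line through the local Vault Agent proxy (Transit engine).
apiVersion: batch/v1
kind: Job
metadata:
  name: app3-job
  namespace: default
spec:
  backoffLimit: 1
  template:
    metadata:
      annotations:
        sidecar.vault.talend.org/inject: "true"
        sidecar.vault.talend.org/mode: "secrets,proxy,job"  # Enable 'secrets', 'proxy' and 'job' modes
        # Override default proxy port value (8200). Must match the port used in the script below.
        sidecar.vault.talend.org/proxy-port: "9999"
        # The Vault Sidecar Injector only receives the pod spec, so it cannot tell on its own
        # whether the workload is a Job or a Deployment.
        # The annotation below is deprecated; use 'sidecar.vault.talend.org/mode' instead.
        # sidecar.vault.talend.org/workload: "job"
      labels:
        com.talend.application: test
        com.talend.service: test-app-svc
    spec:
      restartPolicy: Never
      # Custom serviceAccountName bound to a Role allowing GET on pods (needed to poll the job's pod status)
      serviceAccountName: job-sa
      containers:
        - name: app3-job-container
          image: everpeace/curl-jq
          command:
            - "sh"
            - "-c"
            - |
              set -e
              secrets_file="/opt/talend/secrets/secrets.properties"
              # Local Vault Agent sidecar; port must match the 'proxy-port' annotation above.
              vault_proxy="http://127.0.0.1:9999"
              # No upper bound on this wait: set 'spec.activeDeadlineSeconds' on the Job if the pod
              # must not hang forever when the sidecar is not injected.
              while true; do
                echo "Wait for secrets file before running job..."
                if [ -f "$secrets_file" ]; then
                  echo "Secrets available"
                  break
                fi
                sleep 2
              done
              echo "Job started"
              echo "Now using Vault Agent as a proxy to leverage Encryption as a Service feature (will encrypt and decrypt our secrets here)"
              echo "Advantage: you do not need to deal with any Vault tokens and you just have to send requests to the local Vault Agent sidecar (available at 127.0.0.1) that will then forward everything to Vault server."
              echo
              # 'set -e' aborts here when SECRET1 is absent (grep exits non-zero).
              plaintext=$(grep SECRET1 "$secrets_file")
              # Demo only: this prints the secret value into the container logs.
              echo "Data that is going to be ciphered and deciphered: $plaintext"
              echo
              # 'tr -d' removes the line wrapping base64 inserts past 76 characters, which would
              # otherwise put raw newlines inside the JSON request body.
              b64Plaintext=$(echo "$plaintext" | base64 | tr -d '\n')
              # Build request bodies with jq so values are JSON-encoded instead of string-interpolated.
              encrypt_body=$(jq -cn --arg p "$b64Plaintext" '{plaintext: $p}')
              ciphertext=$(curl -sS -X POST --data "$encrypt_body" "$vault_proxy/v1/transit/encrypt/test-key" | jq --raw-output .data.ciphertext)
              # A failed request yields an empty or 'null' field; stop instead of decrypting garbage.
              if [ -z "$ciphertext" ] || [ "$ciphertext" = "null" ]; then
                echo "Encrypt request failed" >&2
                exit 1
              fi
              echo "Ciphertext"
              echo "=========="
              echo "$ciphertext"
              echo
              decrypt_body=$(jq -cn --arg c "$ciphertext" '{ciphertext: $c}')
              cleartext=$(curl -sS -X POST --data "$decrypt_body" "$vault_proxy/v1/transit/decrypt/test-key" | jq --raw-output .data.plaintext)
              if [ -z "$cleartext" ] || [ "$cleartext" = "null" ]; then
                echo "Decrypt request failed" >&2
                exit 1
              fi
              echo "Cleartext"
              echo "=========="
              # Demo only: the decrypted secret is written to the container logs.
              echo "$cleartext" | base64 -d
              echo
              echo "Job stopped"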