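#!/bin/bash
# Renders the Kubernetes manifests for the push-to-file secrets-rotation test
# environment to stdout: a Deployment running a debian test container next to
# the secrets-provider sidecar, and a ConfigMap carrying the Conjur CA
# certificate the sidecar uses to verify the appliance.
#
# Required environment: CONJUR_APPLIANCE_URL, CONJUR_AUTHN_URL, CONJUR_ACCOUNT,
# CONJUR_SSL_CERTIFICATE. CONJUR_AUTHN_LOGIN is optional; when it is unset or
# empty, AUTHENTICATOR_ID and APP_NAMESPACE_NAME are needed to build the
# default host identity.
set -euo pipefail

# Fail fast with a readable message for the inputs that are always required.
# CONJUR_SSL_CERTIFICATE is checked here because its only use is inside a
# command substitution: an unbound-variable error raised there kills the
# subshell but not the heredoc, so the script would otherwise exit 0 with an
# empty certificate in the ConfigMap.
: "${CONJUR_APPLIANCE_URL:?CONJUR_APPLIANCE_URL must be set}"
: "${CONJUR_AUTHN_URL:?CONJUR_AUTHN_URL must be set}"
: "${CONJUR_ACCOUNT:?CONJUR_ACCOUNT must be set}"
: "${CONJUR_SSL_CERTIFICATE:?CONJUR_SSL_CERTIFICATE must be set}"

# Default host identity: any host under apps/<namespace> for this
# authenticator. Only evaluated when CONJUR_AUTHN_LOGIN is not supplied, so
# AUTHENTICATOR_ID / APP_NAMESPACE_NAME are required only in that case.
CONJUR_AUTHN_LOGIN=${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}

# Re-indents the PEM certificate so it sits inside the ConfigMap's block
# scalar. `IFS=` and `read -r` keep every line byte-for-byte (leading
# whitespace and backslashes preserved) so the certificate is not altered.
indent_certificate() {
  printf '%s\n' "${CONJUR_SSL_CERTIFICATE}" | while IFS= read -r line; do
    printf '%20s%s\n' "" "$line"
  done
}

# The heredoc is intentionally unquoted so that ${...} and $(...) expand.
# Substituted values are wrapped in YAML single quotes so a value that happens
# to look like a number or boolean (or is empty) is still emitted as a string,
# which is what a container env `value` must be.
cat << EOL
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-env
  name: test-env
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-env
  template:
    metadata:
      labels:
        app: test-env
      annotations:
        conjur.org/authn-identity: '$CONJUR_AUTHN_LOGIN'
        conjur.org/container-mode: "sidecar"
        conjur.org/secrets-refresh-enabled: "true"
        conjur.org/secrets-refresh-interval: "10s"
        conjur.org/secrets-destination: file
        # Verbose logging is intended for this test environment only.
        conjur.org/log-level: "debug"
        conjur.org/retry-count-limit: "6"
        conjur.org/retry-interval-sec: "2"
        # group1: absolute secret paths; `content-type` is a sibling key of
        # the entry it applies to.
        conjur.org/conjur-secrets.group1: |
          - url: secrets/url
          - username: secrets/username
          - password: secrets/password
          - test: secrets/test_secret
          - encoded: secrets/encoded
            content-type: base64
        # group2: same secrets addressed relative to a policy path, as JSON.
        conjur.org/conjur-secrets-policy-path.group2: secrets
        conjur.org/conjur-secrets.group2: |
          - url: url
          - username: username
          - password: password
          - test: test_secret
          - still_encoded: encoded
            content-type: text
        conjur.org/secret-file-format.group2: json
        # group3: dotenv output at an explicit file path.
        conjur.org/conjur-secrets-policy-path.group3: secrets
        conjur.org/secret-file-path.group3: some-dotenv.env
        conjur.org/conjur-secrets.group3: |
          - url: url
          - username: username
          - password: password
          - test: test_secret
        conjur.org/secret-file-format.group3: dotenv
        # group4: bash output.
        conjur.org/conjur-secrets.group4: |
          - url: secrets/url
          - username: secrets/username
          - password: secrets/password
          - test: secrets/test_secret
        conjur.org/secret-file-format.group4: bash
        # group5: custom template output.
        conjur.org/secret-file-path.group5: group5.template
        conjur.org/conjur-secrets.group5: |
          - username: secrets/username
          - password: secrets/password
          - test: secrets/test_secret
        conjur.org/secret-file-template.group5: |
          username | {{ secret "username" }}
          password | {{ secret "password" }}
          test | {{ secret "test" }}
        conjur.org/secret-file-format.group5: template
        # group6: wildcard selection, YAML output.
        conjur.org/conjur-secrets.group6: "*"
        conjur.org/secret-file-format.group6: yaml
        conjur.org/remove-deleted-secrets-enabled: "true"
        # If using Jaeger for tracing, uncomment the following line
        # conjur.org/jaeger-collector-url: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
    spec:
      containers:
        - image: debian
          name: test-app
          command: ["sleep"]
          args: ["infinity"]
          volumeMounts:
            # The consumer only reads the rendered files; the sidecar is the
            # sole writer.
            - mountPath: /opt/secrets/conjur
              name: conjur-secrets
              readOnly: true
        - image: 'secrets-provider-for-k8s:latest'
          imagePullPolicy: Never
          name: cyberark-secrets-provider-for-k8s
          volumeMounts:
            - mountPath: /conjur/secrets
              name: conjur-secrets
            - mountPath: /conjur/podinfo
              name: podinfo
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: CONJUR_APPLIANCE_URL
              value: '${CONJUR_APPLIANCE_URL}'
            - name: CONJUR_AUTHN_URL
              value: '${CONJUR_AUTHN_URL}'
            - name: CONJUR_ACCOUNT
              value: '${CONJUR_ACCOUNT}'
            - name: CONJUR_SSL_CERTIFICATE
              valueFrom:
                configMapKeyRef:
                  name: conjur-master-ca-env
                  key: ssl-certificate
      imagePullSecrets:
        - name: dockerpullsecret
      volumes:
        # Memory-backed volume: rendered secret files live in RAM rather than
        # on the node's disk.
        - emptyDir:
            medium: Memory
          name: conjur-secrets
        # Exposes the pod annotations above to the sidecar as a file.
        - downwardAPI:
            defaultMode: 420  # 0644
            items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.annotations
                path: annotations
          name: podinfo
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: conjur-master-ca-env
  labels:
    app: test-env
data:
  ssl-certificate: |
$(indent_certificate)
EOL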