chore: ci
marcsauter committed Mar 14, 2023
1 parent 3178b1c commit 50c3760
Showing 3 changed files with 11 additions and 196 deletions.
12 changes: 6 additions & 6 deletions README.md
@@ -118,7 +118,7 @@ The usual environment variables for Vault will be used:

- SERVICE_ACCOUNT_TOKEN_PATH - the path on disk where the Kubernetes service account jtw token lives. This defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.

- ALLOW_FAIL - the container will successfully terminate even if the authentication to Vault failed, no token will be written to VAULT_TOKEN_PATH. **This condition needs to be handeled in the succeeding container.** (default: "false")
- ALLOW_FAIL - the container will successfully terminate even if the authentication to Vault failed, no token will be written to VAULT_TOKEN_PATH. **This condition needs to be handled in the succeeding container.** (default: "false")

## Example

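Review bot: the unchanged context line in this hunk still reads "the Kubernetes service account jtw token"; since the hunk is already correcting spelling in this list ("handeled" to "handled"), fix "jtw" to "JWT" in the same pass. The ALLOW_FAIL entry would also benefit from saying what "needs to be handled in the succeeding container" means operationally: because the authenticator exits successfully while "no token will be written to VAULT_TOKEN_PATH", the next container must check that the token file exists before trying to read it, otherwise a failed Vault login surfaces later as a confusing read error instead of a clear authentication failure.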
@@ -176,16 +176,16 @@ _vault-kubernetes-synchronizer_ will decode the secret from Vault before creatin

- SECRET_PREFIX - prefix for synchronized secrets (e.g. for SECRET_PREFIX="v3t_" Vault secret "first" will get secret "v3t_first" in k8s)

- SYNCHRONIZER_ANNOTATION - annotation used to track managed secrets (default value `vault-secret`). Can be very usefull if you need more than one `vault-synchronizer` init container in the same namespace.
- SYNCHRONIZER_ANNOTATION - annotation used to track managed secrets (default value `vault-secret`). Can be very useful if you need more than one `vault-synchronizer` init container in the same namespace.

- SYNCHRONIZER_LABELS - labels will be added to every synchronized secret. Multiple key-value pairs can be separated with a comma. For each key-value pair a key and the equal sign are mandatory. Example: `"k1=v1,k2=v2,k3=,k4"` k4 will be ignored because the equal sign is missing.

> set ALLOW_FAIL="true" for _vault-kubernetes-authenticator_
## Error handling

If Vault authentication fails in _vault-kubernetes-authenticator_ and ALLOW_FAIL="true" has been set for _vault-kubernetes-authenticator_ the failed authentication will be handeled as follows:
- all secrets in VAULT_SECRETS are available in the namespace (the content of the secrets will not be considered)- _vault-kubernetes-synchronizer_ issues a warning and terminates successfullly.
If Vault authentication fails in _vault-kubernetes-authenticator_ and ALLOW_FAIL="true" has been set for _vault-kubernetes-authenticator_ the failed authentication will be handled as follows:
- all secrets in VAULT_SECRETS are available in the namespace (the content of the secrets will not be considered)- _vault-kubernetes-synchronizer_ issues a warning and terminates successfully.
- any secret from VAULT_SECRETS is missing in the namespace _vault-secret-synchronizer_ fails.

## Example
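Review bot: the added line "- all secrets in VAULT_SECRETS are available in the namespace (the content of the secrets will not be considered)- _vault-kubernetes-synchronizer_ issues a warning and terminates successfully." carries over the missing space before the dash; write "...will not be considered) - _vault-kubernetes-synchronizer_ issues..." while fixing "successfullly". In the same list the unchanged line "- any secret from VAULT_SECRETS is missing in the namespace _vault-secret-synchronizer_ fails." names the component _vault-secret-synchronizer_ where the rest of this README says _vault-kubernetes-synchronizer_, and reads better as "if any secret from VAULT_SECRETS is missing in the namespace, _vault-kubernetes-synchronizer_ fails". The quote line "> set ALLOW_FAIL="true" for _vault-kubernetes-authenticator_" is followed directly by "## Error handling" with no blank line, so the blockquote and heading run together when rendered. Finally, it is worth stating plainly in this section that with ALLOW_FAIL="true" the synchronizer keeps whatever secrets already exist, even if Vault holds newer values, since "the content of the secrets will not be considered"; operators relying on rotation should know a successful init run is not a guarantee of fresh material.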
@@ -210,7 +210,7 @@ green lantern
poison ivy
```

Configure the two secrets for synchronisation with the environment variable VAULT_SECRETS:
Configure the two secrets for synchronization with the environment variable VAULT_SECRETS:
```
$ vi deployment.yaml
...
@@ -372,7 +372,7 @@ vault-third Opaque 2 26m
Add labels for some secrets:
```
$ for i in alpha beta gamma; do printf "labels of secret %12s: %s\n" vault-$i $(k get secret vault-${i} -o=jsonpath="{.metadata['labels']}"); done
labels of secret vault-alpha: {"batman":"unkown","jocker":"jack_napier","superman":"unknown"}
labels of secret vault-alpha: {"batman":"unknown","jocker":"jack_napier","superman":"unknown"}
labels of secret vault-beta: {"batman":"bruce_wayne","joker":"jack_napier"}
labels of secret vault-gamma: {"superman":"kal-el"}
```
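Review bot: the corrected output line still shows the label key "jocker" for vault-alpha while the vault-beta line shows "joker"; if this output was pasted from a real run it reflects the label actually set in Vault, but if it is illustrative the key names should agree so the example does not look like a leftover typo. The lead-in "Add labels for some secrets:" introduces a loop that only reads labels (`k get secret vault-${i} -o=jsonpath=...`), so "Show the labels of some secrets:" describes what the command does; and the command uses the alias `k` rather than `kubectl`, which readers must have defined for the example to be copy-pasteable.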
3 changes: 1 addition & 2 deletions go.mod
@@ -1,6 +1,6 @@
module github.com/postfinance/vault-kubernetes

go 1.17
go 1.20

require (
github.com/postfinance/vaultk8s v0.1.1
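Review bot: raising the module directive from "go 1.17" to "go 1.20" changes the minimum toolchain the module declares, which is a compatibility change rather than a CI-only tweak, so the commit message "chore: ci" undersells it; mention the Go version bump in the message, and update any build-requirement statement in the README that still names 1.17.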
@@ -66,7 +66,6 @@ require (
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
golang.org/x/net v0.7.0 // indirect
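Review bot: dropping the indirect requirement "github.com/stretchr/objx v0.5.0 // indirect" is only consistent if go.sum was regenerated in the same commit (`go mod tidy`); the third changed file is collapsed in this view, so verify it is go.sum and that the objx entries are gone, otherwise the build will re-add the line. While touching requirements, the context line "golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect" pins a March 2022 pseudo-version next to "golang.org/x/net v0.7.0"; running `go get golang.org/x/crypto@latest` followed by `go mod tidy` moves it onto the tagged release line that receives fixes.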
