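---
# ConfigMap holding the one-shot script the "secrets-writer" Pod runs as its
# entrypoint: log in to Vault with the Pod's service-account JWT, generate an
# SSH key pair, store the private key in Vault's KV engine under kv/ct_key,
# and remove the key material from the container filesystem.
apiVersion: v1
kind: ConfigMap
metadata:
  name: secrets-writer-configmap
data:
  entrypoint.sh: |-
    #!/bin/bash
    # Abort on any failed command (including inside pipelines) and on unset
    # variables, so a failed Vault login cannot fall through to the
    # key-generation and upload steps below.
    set -euo pipefail

    # NOTE(review): this pulls a package from the network at run time; baking
    # ssh-keygen into the image (pinned by digest) would make the job
    # reproducible and offline-capable.
    yum install -y openssh

    # Kubernetes auth: exchange the projected service-account JWT for a Vault
    # client token bound to the "secret-writer-role" role.
    #   -sS  quiet, but still print transport errors
    #   -f   treat HTTP 4xx/5xx as a failure instead of handing jq an error body
    # TLS verification is deliberately NOT disabled (the original passed -k):
    # the JWT is a bearer credential. If Vault uses a private CA, point curl at
    # it with --cacert rather than skipping verification.
    SA_JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
    VAULT_TOKEN="$(curl -sSf -X POST \
      -d "{\"jwt\": \"${SA_JWT}\", \"role\": \"secret-writer-role\"}" \
      "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
    unset SA_JWT

    # jq prints the string "null" when the response carries no token; fail
    # loudly here instead of letting the vault CLI report a confusing error.
    if [ -z "${VAULT_TOKEN}" ] || [ "${VAULT_TOKEN}" = "null" ]; then
      echo "vault kubernetes login failed: no client_token in response" >&2
      exit 1
    fi
    export VAULT_TOKEN

    # Generate an ed25519 key pair with an EMPTY passphrase (-N '').
    # The original wrote -N"''", which bash reduces to the word -N'' — a
    # two-character passphrase of literal apostrophes — so the stored key
    # would have been encrypted rather than passphrase-less.
    # ed25519 keys have a fixed size; the original -b 521 was ignored.
    KEY_FILE=/root/test_key
    ssh-keygen -t ed25519 -C "philporada@gmail.com" -N '' -f "${KEY_FILE}"

    # Store the private key base64-encoded in the KV engine.
    vault kv put kv/ct_key key="$(base64 < "${KEY_FILE}")"

    # Remove BOTH halves of the key pair from the container filesystem.
    # The original removed the relative path "test_key", so the private key
    # stayed behind at /root/test_key together with /root/test_key.pub.
    rm -f "${KEY_FILE}" "${KEY_FILE}.pub"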
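---
# One-shot Pod that runs the secrets-writer-configmap script under a service
# account whose JWT Vault's kubernetes auth backend accepts for
# "secret-writer-role". restartPolicy: Never keeps a failed run from
# re-generating and re-uploading keys in a loop.
apiVersion: v1
kind: Pod
metadata:
  name: secrets-writer-deployment
  labels:
    app: secrets-writer
spec:
  # serviceAccountName is the current field; `serviceAccount` is the
  # deprecated alias for the same setting.
  # The script reads the projected token from
  # /var/run/secrets/kubernetes.io/serviceaccount/token, so token automount
  # must not be disabled for this service account or Pod.
  serviceAccountName: phil-secret-writer
  volumes:
    - name: configmap-writer-volume
      configMap:
        name: secrets-writer-configmap
        # Kubernetes expects an integer here; 0700 (YAML octal) makes the
        # mounted script owner-executable only.
        defaultMode: 0700
  restartPolicy: Never
  containers:
    - name: writer
      # NOTE(review): an untagged image resolves to the mutable :latest tag.
      # Pin a tag or, better, a digest (image@sha256:...) so a job that
      # handles a private key runs reproducible, reviewed code.
      image: pgporada/vault
      command:
        - /bin/entrypoint.sh
      volumeMounts:
        - name: configmap-writer-volume
          mountPath: /bin/entrypoint.sh
          subPath: entrypoint.sh
          readOnly: true
      env:
        # NOTE(review): plain http means the service-account JWT, the Vault
        # token and the uploaded private key all cross the network
        # unencrypted. Use an https listener; with a private CA, mount the CA
        # bundle and set VAULT_CACERT for the vault CLI instead of disabling
        # verification.
        - name: VAULT_ADDR
          value: "http://192.168.1.142:8200"
...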