@ecliptik
Created September 13, 2018 16:37
Example k8s Secret Script
#!/bin/sh
#Simple script to demonstrate how to read a key=value namespace from Vault and generate a Kubernetes Secret
#Requires Vault server and Vault CLI (HTTP API will also work with modifications)
#Setup app name and namespace that will match what's in the app deployment manifest
# example:
#   envFrom:
#   - secretRef:
#       name: myappname
export APP_NAME="myappname"
export K8S_NAMESPACE="myappnamespace"
export ENVIRONMENT="development"
#Setup Vault
export VAULT_TOKEN="yourtokenhere"
export VAULT_ADDR="youraddresshere"
#Create .secret Secret file to apply to kubernetes cluster
cat << EOF > .secret
apiVersion: v1
kind: Secret
metadata:
  name: ${APP_NAME}
  namespace: ${K8S_NAMESPACE}
data:
EOF
#Loop through application namespace in vault and append key=value pairs to .secret
#This assumes the format of Vault is simple key=value pairs
# example:
#   vault read -field=value /secret/applications/${APP_NAME}/${ENVIRONMENT}/REDIS_URL
#   redis://redis:6379
echo "Reading config from: /secret/applications/${APP_NAME}/${ENVIRONMENT}"
for KEY in $(vault list --format=json "/secret/applications/${APP_NAME}/${ENVIRONMENT}" | jq -r '.[]'); do
  #Read each key by its own path; values in a Secret's data block must be base64 encoded
  VALUE=$(vault read -field=value "/secret/applications/${APP_NAME}/${ENVIRONMENT}/${KEY}" | base64 -w0)
  echo "  ${KEY}: ${VALUE}" >> .secret
done
#Update secret in Kubernetes
echo "Updating config for ${APP_NAME}"
kubectl apply -f .secret --validate=false --force=true
#Remove secret file
rm -fr .secret
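
A variant of the manifest-building step that keeps the Secret out of the working directory and refuses to emit a partial manifest, as an added example rather than the gist author's code. `build_secret_manifest` is a hypothetical helper; it assumes single-line values passed as KEY=VALUE lines on stdin, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not the gist's code. build_secret_manifest is a hypothetical helper.
# Reads KEY=VALUE lines on stdin (assumes single-line values) and prints a Secret
# manifest on stdout, so the encoded values never sit in a .secret file on disk.
# Nothing is printed unless every line validates, so a consumer reading the pipe
# never receives a manifest with only some of the keys.
build_secret_manifest() {
  name="$1"
  namespace="$2"
  data=""
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    case "$line" in
      *=*) ;;
      *) echo "not a KEY=VALUE line" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}   # everything after the first '=', so URLs containing '=' survive
    # Secret data keys may only contain alphanumerics, '-', '_' and '.'.
    case "$key" in
      ''|*[!A-Za-z0-9._-]*) echo "invalid secret key: ${key}" >&2; return 1 ;;
    esac
    # base64 | tr is the portable spelling of GNU 'base64 -w0'.
    enc=$(printf '%s' "$value" | base64 | tr -d '\n')
    data="${data}  ${key}: ${enc}
"
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n'
  printf '  name: %s\n  namespace: %s\ndata:\n%s' "$name" "$namespace" "$data"
}

# Constructed sample input. In the gist's flow each line would come from the vault
# loop, and the output would be piped to: kubectl apply -f -
printf 'DB_USER=admin\nREDIS_URL=redis://redis:6379\n' |
  build_secret_manifest myappname myappnamespace
```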