Last active
December 18, 2022 08:25
-
-
Save itsmunim/b27e0ac65eb4f5659e554a83d9695b12 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: my-app | |
| spec: | |
| template: | |
| spec: | |
| # All the volumes we will need | |
| volumes: | |
| # Secrethub service account that will be mounted by kubernetes from specified secret name | |
| - name: secrethub-sa-volume | |
| secret: | |
| secretName: secrethub-service-account | |
| # This is the configmap that contains non-interpolated secrets | |
| - name: non-interpolated-secrets | |
| configMap: | |
| name: app-secrets | |
| # The shared volume, where the interpolated secret file will be dumped - for application to consume | |
| - name: shared-data-volume | |
| hostPath: | |
| path: /mnt/prep/app-creds | |
| type: DirectoryOrCreate | |
| # The init container config, which is basically the script, that will generate the secret file | |
| - name: init-container-script | |
| configMap: | |
| defaultMode: 0700 | |
| name: init-container-script | |
| # This init-container will fetch secrets from secrethub, and generate the expected file in expected location | |
| initContainers: | |
| - name: configure-secrets | |
| image: alpine:3.14 | |
| securityContext: | |
| privileged: true | |
| command: | |
| - /bin/init.sh | |
| volumeMounts: | |
| # The secrethub service account that will be required by secrethub cli | |
| - name: secrethub-sa-volume | |
| mountPath: /bin/.secrethub-credential | |
| readOnly: true | |
| subPath: .secrethub-credential | |
| # Where this container will dump the final file with secrets in it | |
| - name: shared-data-volume | |
| mountPath: /data | |
| # The init container script which does the main job | |
| - name: init-container-script | |
| mountPath: /bin/init.sh | |
| readOnly: true | |
| subPath: init.sh | |
| # The non-interpolated secrets content from configmap | |
| - name: non-interpolated-secrets | |
| mountPath: /bin/secrets.env | |
| readOnly: true | |
| subPath: secrets.env | |
| # The main/application container | |
| containers: | |
| - name: my-app | |
| # This is where the interpolated secret file is ready to consume | |
| volumeMounts: | |
| - name: shared-data-volume | |
| mountPath: /data | |
| env: | |
| # Your application code can access this folder and get the secret file in runtime to use the values | |
| - name: SECRET_FILE_DIR | |
| value: /data |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment