@tylerjl
Created August 14, 2017 20:35
Example kubernetes-vault with vaultenv config
# Secrets file consumed by vaultenv: each line maps an environment variable
# to a Vault path and the key to read from the secret at that path.
apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-secrets
data:
  logstash.secrets: |
    ELASTICSEARCH_USERNAME=elasticsearch/production#username
    ELASTICSEARCH_PASSWORD=elasticsearch/production#password
---
# Logstash pipeline; the credentials are resolved from environment variables
# that vaultenv populates before the entrypoint starts.
apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-config
data:
  example.conf: |
    input {
      exec {
        command => "date"
        interval => 5
      }
    }
    output {
      elasticsearch {
        hosts => ["https://elasticsearch.cluster.url:9200"]
        user => "${ELASTICSEARCH_USERNAME}"
        password => "${ELASTICSEARCH_PASSWORD}"
        ssl => true
      }
    }
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: logstash
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        # kubernetes-vault annotations: the AppRole to authenticate as and the
        # init container that receives the resulting Vault token.
        pod.boostport.com/vault-approle: kubernetes-logstash
        pod.boostport.com/vault-init-container: get-vault-token
    spec:
      initContainers:
      # Obtains a Vault token via kubernetes-vault and writes it to the shared
      # emptyDir volume as JSON.
      - name: get-vault-token
        image: boostport/kubernetes-vault-init
        env:
        - name: VAULT_ROLE_ID
          value: "<TODO: insert role ID here>"
        volumeMounts:
        - name: vault-token
          mountPath: /var/run/secrets/boostport.com
      containers:
      - name: logstash
        image: private.docker.registry/logstash
        command:
        - "/bin/bash"
        - "-ec"
        - |
          # Read the client token written by the init container, then let
          # vaultenv fetch the secrets and exec the real entrypoint with them
          # exported as environment variables.
          token=$(jq -r '.clientToken' /var/run/secrets/boostport.com/vault-token)
          exec vaultenv \
            --host "$VAULT_ADDR" \
            --token "$token" \
            --secrets-file /etc/secrets.d/logstash.secrets \
            /usr/local/bin/docker-entrypoint
        env:
        - name: VAULT_ADDR
          value: "<TODO: Vault address here>"
        livenessProbe:
          httpGet:
            path: /
            port: 9600
          initialDelaySeconds: 60
        volumeMounts:
        - name: config-volume
          mountPath: /usr/share/logstash/pipeline
        - name: vaultenv-secrets
          mountPath: /etc/secrets.d
        - name: vault-token
          mountPath: /var/run/secrets/boostport.com
      # Sidecar that keeps the Vault token in the shared volume renewed.
      - name: token-renewer
        image: private.docker.registry/token-renewer
        volumeMounts:
        - name: vault-token
          mountPath: /var/run/secrets/boostport.com
      volumes:
      - name: config-volume
        configMap:
          name: logstash-config
      - name: vaultenv-secrets
        configMap:
          name: logstash-secrets
      # Token is shared between init container, logstash and the renewer
      # through an in-memory-style emptyDir rather than a persisted volume.
      - name: vault-token
        emptyDir: {}