Skip to content

Instantly share code, notes, and snippets.

@tylerjl
Created August 14, 2017 20:35
Show Gist options
  • Save tylerjl/4b348c403c4a2e37769edcf4016a6f66 to your computer and use it in GitHub Desktop.
Save tylerjl/4b348c403c4a2e37769edcf4016a6f66 to your computer and use it in GitHub Desktop.
Example kubernetes-vault with vaultenv config
apiVersion: v1
kind: ConfigMap
metadata:
name: logstash-secrets
data:
logstash.secrets: |
ELASTICSEARCH_USERNAME=elasticsearch/production#username
ELASTICSEARCH_PASSWORD=elasticsearch/production#password
---
apiVersion: v1
kind: ConfigMap
metadata:
name: logstash-config
data:
example.conf: |
input {
exec {
command => "date"
interval => 5
}
}
output {
elasticsearch {
hosts => ["https://elasticsearch.cluster.url:9200"]
user => "${ELASTICSEARCH_USERNAME}"
password => "${ELASTICSEARCH_PASSWORD}"
ssl => true
}
}
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: logstash
spec:
replicas: 1
template:
metadata:
annotations:
pod.boostport.com/vault-approle: kubernetes-logstash
pod.boostport.com/vault-init-container: get-vault-token
spec:
initContainers:
- name: get-vault-token
image: boostport/kubernetes-vault-init
env:
- name: VAULT_ROLE_ID
value: "<TODO: insert role ID here>"
volumeMounts:
- name: vault-token
mountPath: /var/run/secrets/boostport.com
containers:
- name: logstash
image: private.docker.registry/logstash
command:
- "/bin/bash"
- "-ec"
- |
token=$(jq -r '.clientToken' /var/run/secrets/boostport.com/vault-token)
exec vaultenv \
--host $VAULT_ADDR \
--token $token \
--secrets-file /etc/secrets.d/logstash.secrets \
/usr/local/bin/docker-entrypoint
env:
- name: VAULT_ADDR
value: "<TODO: Vault address here>"
livenessProbe:
httpGet:
path: /
port: 9600
initialDelaySeconds: 60
volumeMounts:
- name: config-volume
mountPath: /usr/share/logstash/pipeline
- name: vaultenv-secrets
mountPath: /etc/secrets.d
- name: vault-token
mountPath: /var/run/secrets/boostport.com
- name: token-renewer
image: private.docker.registry/token-renewer
volumeMounts:
- name: vault-token
mountPath: /var/run/secrets/boostport.com
volumes:
- name: config-volume
configMap:
name: logstash-config
- name: vaultenv-secrets
configMap:
name: logstash-secrets
- name: vault-token
emptyDir: {}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment