This repository has been archived by the owner on Feb 16, 2023. It is now read-only.

secrethub/secrethub-kubernetes-mutating-webhook

SecretHub has joined 1Password! Find out more on the SecretHub blog. 🎉
SecretHub Kubernetes Mutating Webhook

This mutating webhook allows you to use secret references (`secrethub://path/to/secret`) in any containers spec, without including SecretHub in the image itself:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  annotations:
    secrethub.io/mutate: my-app
spec:
  containers:
    - name: my-app
      image: my-image
      env:
        - name: STRIPE_SECRET_KEY
          value: secrethub://acme/app/prod/stripe/secret_key
        - name: PGPASSWORD
          value: secrethub://acme/app/prod/pg/password
```

You can annotate your pod spec with `secrethub.io/mutate`, whose value is a comma-separated list of the names of the containers to mutate.

When the annotation is found:

  • A volume which will hold the SecretHub CLI is created.
  • An init container which copies the SecretHub CLI into the volume is created.

And for every container that is listed in the secrethub.io/mutate annotation:

  • The volume is mounted to the container.
  • The command is prefixed with `<path/to/volume>/secrethub run --`.

The version of the SecretHub CLI Docker image to be used can optionally be configured with `secrethub.io/version`, e.g. `secrethub.io/version: 0.39.0`. If it is not set, the latest version is used. A list of available versions can be found here.
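The mutation steps above, written out as an added Go example (not the project's own code): it works on simplified stand-in structs rather than the real corev1 types, and the volume name, mount path, CLI image name and init-container command are assumed values.

```go
package main
import "strings"
// Simplified stand-ins for the corev1 Pod/Container types (assumed, not the k8s API).
type Container struct {
	Name, Image  string
	Command      []string
	VolumeMounts []string // mount paths
}
type Pod struct {
	Annotations    map[string]string
	Volumes        []string // volume names
	InitContainers []Container
	Containers     []Container
}
// Volume name, mount path and CLI image are assumed values, not the project's.
const volumeName, mountPath, cliImage = "secrethub-bin", "/secrethub", "secrethub/cli"
// Mutate applies the webhook's logic in place; false means the annotation was absent.
func Mutate(pod *Pod) bool {
	names, ok := pod.Annotations["secrethub.io/mutate"]
	if !ok {
		return false
	}
	version := pod.Annotations["secrethub.io/version"]
	if version == "" {
		version = "latest" // latest is used when no version is set
	}
	// One volume holds the CLI; an init container copies the binary into it.
	pod.Volumes = append(pod.Volumes, volumeName)
	pod.InitContainers = append(pod.InitContainers, Container{
		Name:         "copy-secrethub-cli",
		Image:        cliImage + ":" + version,
		Command:      []string{"cp", "/usr/bin/secrethub", mountPath + "/secrethub"},
		VolumeMounts: []string{mountPath},
	})
	// Only containers named in the comma-separated annotation value are mutated.
	targets := map[string]bool{}
	for _, n := range strings.Split(names, ",") {
		targets[strings.TrimSpace(n)] = true
	}
	for i := range pod.Containers {
		c := &pod.Containers[i]
		if !targets[c.Name] {
			continue
		}
		c.VolumeMounts = append(c.VolumeMounts, mountPath)
		c.Command = append([]string{mountPath + "/secrethub", "run", "--"}, c.Command...)
	}
	return true
}
```

A container with an empty Command relies on its image's entrypoint, which this simplified version does not resolve, so the prefix alone would not run it.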

Attributions

This project is based on and heavily inspired by Berglas's Kubernetes Mutating Webhook.

Deploy the Webhook

The simplest method to deploy the webhook is as a serverless function:

We're also working on a way to deploy the webhook in the Kubernetes cluster itself.
