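#!/usr/bin/env bash
# Bootstrap a demo workload that consumes secrets through the Vault Agent
# injector: namespace, service account (+ token secret), deployment, service
# and ingress, all applied via kubectl.
#
# Requires: kubectl configured for the target cluster, Vault injector already
# installed, and a Vault Kubernetes-auth role named "webapp".
#
# -e: abort on the first failing command; -u: unset variables are errors;
# -o pipefail: a heredoc-fed `kubectl apply` pipeline fails if any stage fails.
set -euo pipefail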
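#######################################
# Print a banner-framed log line to stdout.
# Arguments: $* - message text (all arguments are joined with a space)
# Outputs:   three lines: rule, message, rule
# Returns:   0
#######################################
log() {
  local -r rule='---------------------------------------------------------------------------------------'
  # printf with a fixed format: the message is never interpreted as a format
  # string, and quoting "$*" prevents word-splitting and glob expansion
  # (the original `echo $1` would expand a message like "*" against the cwd).
  printf '%s\n' "${rule}"
  printf '%s\n' "$*"
  printf '%s\n' "${rule}"
}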
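log "Setup app that use Vault injector ..."

# Namespace and service account are declared with `kubectl apply` rather than
# `kubectl create ... || true`: apply is idempotent on re-runs but still fails
# loudly on real problems (unreachable cluster, missing RBAC), which `|| true`
# used to hide. Heredoc delimiters are quoted ('EOF') so nothing inside the
# manifests is subject to shell expansion.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: app
EOF

# Service account that the Vault Kubernetes-auth role "webapp" is bound to.
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp-auth
  namespace: app
EOF

# Add a long-lived token secret to the service account (from Kubernetes 1.24
# service accounts are created without tokens).
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  namespace: app
  name: webapp-auth
  annotations:
    kubernetes.io/service-account.name: "webapp-auth"
type: kubernetes.io/service-account-token
EOF

# Add deployment. The injector annotations make the Vault Agent sidecar fetch
# secret/config and render it as JSON into the pod.
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  labels:
    app: webapp
  namespace: app
spec:
  selector:
    matchLabels:
      app: webapp
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "webapp"
        # Disables TLS verification between the agent and Vault; the agent
        # will talk to any endpoint answering at the Vault address. Acceptable
        # only for a throwaway lab cluster - outside of that, set this to
        # "false" and provide the Vault CA instead.
        vault.hashicorp.com/tls-skip-verify: "true"
        vault.hashicorp.com/agent-inject-secret-config: secret/config
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/config" -}}
          {{ .Data.data | toJSON }}
          {{- end }}
      labels:
        app: webapp
    spec:
      serviceAccountName: webapp-auth
      # The projected SA token is what the agent presents to Vault's
      # Kubernetes auth method, so it must be mounted.
      automountServiceAccountToken: true
      containers:
        - name: webapp
          # No tag -> resolves to :latest on every pull, so the running code is
          # not reproducible. Pin a tag or @sha256 digest for anything beyond
          # a demo.
          image: ghcr.io/randsw/vault-injector-webapp
          ports:
            - containerPort: 8080
EOF

# Add service to access web app
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
  namespace: app
spec:
  selector:
    app: webapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
EOF

# Add ingress to access web app (plain HTTP; no TLS section is defined)
kubectl apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: app
spec:
  ingressClassName: nginx
  rules:
    - host: "webapp.kind.cluster"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp-service
                port:
                  number: 80
EOF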