Vault2Secrets is developed to solve the problem of syncing secrets stored on Hashicorp's Vault with Kubernetes.
Operators want to allow Developers to self-deploy their apps onto Kubernetes without them having access to sensitive data that they need to use in the normal functioning of their apps.
Operators would store such sensitive data into an external resource like Hashicorp Vault and like them to be automatically injected as Environment Variables within those deployed application pods.
Vault2Secrets is a Kubernetes Controller that can be deployed on a Kubernetes Cluster which makes use of a ThirdPartyResources called CustomSecret to retrieve Hashicorp Vault stored data and convert them into secure Kubernetes Secret Objects.
Operators can then reference these Secret Objects to be loaded onto their deployment's environment variables.
Whenever the Vault Secret that is being monitored has a change, Vault2Secrets will be able to automatically pick it up and update the respective Vault Secret Objects.
To get a local copy of the controller running in docker, please run
make docker
This will pull all the necessary dependencies and build a binary in the current directory
To deploy, you can find the example scripts in examples/
TL;DR
kubectl create -f examples/tpr.ymlkubectl create -f examples/vault2secrets.yml- Modify
examples/generic-secret.ymlwith yourVAULT TOKENand deploy - Modify
examples/example-custom-secret.ymland deploy
A slightly detailed instruction can be found here
This controller wouldn't be possible if not for @kelseyhightower Kubernetes Certificate Manager and his presentation at PuppetConf 2016.
Also many thanks to Chu Yeow for all the advice he has given me.