SecretHub has joined 1Password! Find out more on the SecretHub blog. 🎉
This mutating webhook allows you to use secret references (`secrethub://path/to/secret`) in any container spec, without including SecretHub in the image itself:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  annotations:
    secrethub.io/mutate: my-app
spec:
  containers:
    - name: my-app
      image: my-image
      env:
        - name: STRIPE_SECRET_KEY
          value: secrethub://acme/app/prod/stripe/secret_key
        - name: PGPASSWORD
          value: secrethub://acme/app/prod/pg/password
```
You can annotate your pod spec with `secrethub.io/mutate`, which expects a comma-separated list of the names of the containers to mutate.
When the annotation is found:
- A volume which will hold the SecretHub CLI is created.
- An init container which copies the SecretHub CLI into the volume is created.
And for every container that is listed in the `secrethub.io/mutate` annotation:
- The volume is mounted into the container.
- The container's command is prefixed with `<path/to/volume>/secrethub run --`, so the process starts under `secrethub run`, which resolves the `secrethub://` references in its environment before starting the original command.
The version of the SecretHub CLI Docker image to be used can optionally be configured with `secrethub.io/version`, e.g. `secrethub.io/version: 0.39.0`. If it is not set, the latest version is used. Pinning a version is recommended for production pods: with `latest`, the init container pulls whatever that tag points to at pod start time. A list of available versions can be found here.
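To make the mechanics above concrete, here is an added example (not the project's own code) that applies the described transformation to a trimmed-down pod object in Go, the language most admission webhooks are written in. The annotation keys are the ones documented here; the volume name `secrethub-cli`, mount path `/secrethub`, init container name `copy-secrethub`, CLI image `secrethub/cli` and binary path `/usr/bin/secrethub` are assumptions, as is the `/app/server` command added to the page's `my-app` pod. The example refuses to mutate a listed container that has no explicit `command`, since there is nothing for `secrethub run --` to be prefixed to; whether the real webhook behaves the same way is not stated on this page.

```go
package main

import "fmt"
import "strings"

// Annotation keys are from the page; volume name, mount path, init-container name and CLI image/binary location are assumptions for this example.
const (
	mutateAnnotation  = "secrethub.io/mutate"
	versionAnnotation = "secrethub.io/version"
	cliVolumeName     = "secrethub-cli"      // assumption
	cliMountPath      = "/secrethub"         // assumption
	cliImage          = "secrethub/cli"      // assumption
	cliBinaryInImage  = "/usr/bin/secrethub" // assumption
)

// Minimal subset of the Pod object: only the fields the mutation touches.
type EnvVar struct{ Name, Value string }
type VolumeMount struct{ Name, MountPath string }
type Volume struct{ Name string } // an emptyDir volume
type Container struct {
	Name, Image  string
	Command      []string
	Env          []EnvVar
	VolumeMounts []VolumeMount
}
type Pod struct {
	Annotations    map[string]string
	InitContainers []Container
	Containers     []Container
	Volumes        []Volume
}

// mutatePod performs the transformation the page describes. It reports false when
// the annotation is absent, and refuses (pod untouched) on a bad container list.
func mutatePod(pod *Pod) (bool, error) {
	list, ok := pod.Annotations[mutateAnnotation]
	if !ok {
		return false, nil
	}
	byName := map[string]*Container{}
	for i := range pod.Containers {
		byName[pod.Containers[i].Name] = &pod.Containers[i]
	}
	var targets []*Container
	for _, n := range strings.Split(list, ",") {
		n = strings.TrimSpace(n)
		c, found := byName[n]
		if !found {
			return false, fmt.Errorf("container %q not in pod (or listed twice)", n)
		}
		// `secrethub run --` can only wrap a command that is explicit in the spec; an image ENTRYPOINT is not visible here.
		if len(c.Command) == 0 {
			return false, fmt.Errorf("container %q has no command to wrap", n)
		}
		delete(byName, n)
		targets = append(targets, c)
	}
	version := pod.Annotations[versionAnnotation]
	if version == "" {
		version = "latest" // page: latest is used when the annotation is absent
	}
	mount := VolumeMount{Name: cliVolumeName, MountPath: cliMountPath}
	// A volume that will hold the CLI, plus an init container that copies it in.
	pod.Volumes = append(pod.Volumes, Volume{Name: cliVolumeName})
	pod.InitContainers = append(pod.InitContainers, Container{
		Name:         "copy-secrethub", // assumption
		Image:        cliImage + ":" + version,
		Command:      []string{"cp", cliBinaryInImage, cliMountPath + "/secrethub"},
		VolumeMounts: []VolumeMount{mount},
	})
	// For every listed container: mount the volume and prefix the command.
	for _, c := range targets {
		c.VolumeMounts = append(c.VolumeMounts, mount)
		c.Command = append([]string{cliMountPath + "/secrethub", "run", "--"}, c.Command...)
	}
	return true, nil
}

// examplePod is the page's my-app pod with an explicit command added (assumption:
// the image's process is /app/server) and the CLI version pinned to 0.39.0.
func examplePod() *Pod {
	return &Pod{
		Annotations: map[string]string{mutateAnnotation: "my-app", versionAnnotation: "0.39.0"},
		Containers: []Container{{
			Name: "my-app", Image: "my-image", Command: []string{"/app/server"},
			Env: []EnvVar{
				{"STRIPE_SECRET_KEY", "secrethub://acme/app/prod/stripe/secret_key"},
				{"PGPASSWORD", "secrethub://acme/app/prod/pg/password"},
			},
		}},
	}
}

func main() {
	pod := examplePod()
	if _, err := mutatePod(pod); err == nil {
		fmt.Println(pod.InitContainers[0].Image, pod.Containers[0].Command)
	}
}
```

Run it with `go run` to print the init container image and the rewritten command. The pod's `env` entries are deliberately left untouched: the webhook only arranges for the CLI to be present and to wrap the process, and the `secrethub://` references are resolved by `secrethub run` when the container starts.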
This project is based on and heavily inspired by Berglas's Kubernetes Mutating Webhook.
The simplest method to deploy the webhook is as a serverless function:
We're also working on a way to deploy the webhook in the Kubernetes cluster itself.