Add vault-secrets-webhook

Jonny Ervine 2023-10-06 21:28:26 +08:00
parent 81112fcf2f
commit 494a256132
16 changed files with 1669 additions and 0 deletions

View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

View File

@ -0,0 +1,13 @@
apiVersion: v2
appVersion: 1.19.0
description: A Helm chart that deploys a mutating admission webhook that configures applications to request secrets from Vault
home: https://banzaicloud.com/products/bank-vaults/
icon: https://raw.githubusercontent.com/banzaicloud/bank-vaults/main/docs/images/logo/bank-vaults-logo.svg
maintainers:
- email: info@banzaicloud.com
name: Banzai Cloud
name: vault-secrets-webhook
sources:
- https://github.com/banzaicloud/bank-vaults
type: application
version: 1.19.0

View File

@ -0,0 +1,198 @@
# Vault Secrets webhook
This chart will install a mutating admission webhook, that injects an executable to containers in Pods which than can request secrets from Vault through environment variable definitions. Also, it can inject statically into ConfigMaps, Secrets, and CustomResources.
## Before you start
Before you install this chart you must create a namespace for it, this is due to the order in which the resources in the charts are applied (Helm collects all of the resources in a given Chart and it's dependencies, groups them by resource type, and then installs them in a predefined order (see [here](https://github.com/helm/helm/blob/release-2.10/pkg/tiller/kind_sorter.go#L29) - Helm 2.10).
The `MutatingWebhookConfiguration` gets created before the actual backend Pod which serves as the webhook itself, Kubernetes would like to mutate that pod as well, but it is not ready to mutate yet (infinite recursion in logic).
## Using External Vault Instances
You will need to add the following annotations to the resources that you wish to mutate:
```yaml
vault.security.banzaicloud.io/vault-addr: https://[URL FOR VAULT]
vault.security.banzaicloud.io/vault-path: [Auth path]
vault.security.banzaicloud.io/vault-role: [Auth role]
vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing Trusted Mozilla roots too.
```
Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the /data/ to the path of the secret.
```
PS C:\> vault kv get kv/rax/test
====== Metadata ======
Key Value
--- -----
created_time 2019-09-21T16:55:26.479739656Z
deletion_time n/a
destroyed false
version 1
=========== Data ===========
Key Value
--- -----
MYSQL_PASSWORD 3xtr3ms3cr3t
MYSQL_ROOT_PASSWORD s3cr3t
```
The secret shown above is referenced like this:
```
vault:[ENGINE]/data/[SECRET_NAME]#KEY
vault:kv/rax/data/test#MYSQL_PASSWORD
```
If you want to use a specific key version, you can append it after the key so it becomes like this:
`vault:kv/rax/data/test#MYSQL_PASSWORD#1`
Omitting the version will tell Vault to pull the latest version.
## Installing the Chart
**In case of the K8s version is lower than 1.15 the namespace where you install the webhook must have a label of `name` with the namespace name as the label value, so the `namespaceSelector` in the `MutatingWebhookConfiguration` can skip the namespace of the webhook, so no self-mutation takes place. If the K8s version is 1.15 at least, the default `objectSelector` will prevent the self-mutation (you don't have to configure anything) and you are free to install to any namespace of your choice.**.
```bash
# You have to do this only in case you are not using Helm 3.2 or later and Kubernetes 1.15 or later.
WEBHOOK_NS=${WEBHOOK_NS:-vswh}
kubectl create namespace "${WEBHOOK_NS}"
kubectl label ns "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
```
```bash
$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
$ helm repo update
```
```bash
$ helm upgrade --namespace vswh --install vswh banzaicloud-stable/vault-secrets-webhook --create-namespace
```
**NOTE**: `--wait` is sometimes necessary because of some Helm timing issues, please see [this issue](https://github.com/banzaicloud/banzai-charts/issues/888).
### Openshift 4.3
For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to "", OpenShift chooses a valid User.
```bash
$ helm upgrade --namespace vswh --install vswh banzaicloud-stable/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
```
### About GKE Private Clusters
When Google configures the control plane for private clusters, they automatically configure VPC peering between your Kubernetes clusters network in a separate Google managed project.
The auto-generated rules **only** open ports 10250 and 443 between masters and nodes. This means that to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow your masters CIDR to access your webhook pod using the port 8443.
You can read more information on how to add firewall rules for the GKE control plane nodes in the [GKE docs](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules).
## Configuration
The following tables lists configurable parameters of the vault-secrets-webhook chart and their default values:
| Parameter | Description | Default |
|------------------------------------|-------------------------------------------------------------------------------|----------------------------------------------------------|
| affinity | affinities to use | `{}` |
| debug | debug logs for webhook | `false` |
| image.pullPolicy | image pull policy | `IfNotPresent` |
| image.repository | image repo that contains the admission server | `ghcr.io/banzaicloud/vault-secrets-webhook` |
| image.tag | image tag | `.Chart.AppVersion` |
| image.imagePullSecrets | image pull secrets for private repositories | `[]` |
| vaultEnv.repository | image repo that contains the vault-env container | `ghcr.io/banzaicloud/vault-env` |
| vaultEnv.tag | image tag for the vault-env container | `.Chart.AppVersion` |
| namespaceSelector | namespace selector to use, will limit webhook scope | `{}` |
| objectSelector | object selector to use, will limit webhook scope (K8s version 1.15+) | `{}` |
| nodeSelector | node selector to use | `{}` |
| labels | extra labels to add to the deployment and pods | `{}` |
| podAnnotations | extra annotations to add to pod metadata | `{}` |
| replicaCount | number of replicas | `2` |
| resources | resources to request | `{}` |
| service.externalPort | webhook service external port | `443` |
| service.name | webhook service name | `vault-secrets-webhook` |
| service.type | webhook service type | `ClusterIP` |
| tolerations | tolerations to add | `[]` |
| topologySpreadConstraints | topologySpreadConstraints to add | `{}` |
| rbac.psp.enabled | use pod security policy | `false` |
| rbac.authDelegatorRole.enabled | bind `system:auth-delegator` to the ServiceAccount | `false` |
| env.VAULT_IMAGE | vault image | `vault:1.6.2` |
| env.VAULT_ENV_CPU_REQUEST | cpu requests for init-containers vault-env and copy-vault-env | `50m` |
| env.VAULT_ENV_MEMORY_REQUEST | memory requests for init-containers vault-env and copy-vault-env | `64Mi` |
| env.VAULT_ENV_CPU_LIMIT | cpu limits for init-containers vault-env and copy-vault-env | `250m` |
| env.VAULT_ENV_MEMORY_LIMIT | memory limits for init-containers vault-env and copy-vault-env | `64Mi` |
| env.VAULT_ENV_LOG_SERVER | define remote log server for vault-env | `` |
| initContainers | containers, which are run before the app containers are started | `[]` |
| volumes | extra volume definitions | `[]` |
| volumeMounts | extra volume mounts | `[]` |
| configMapMutation | enable injecting values from Vault to ConfigMaps | `false` |
| secretsMutation | enable injecting values from Vault to Secrets | `true` |
| deployment.strategy | rolling strategy for webhook deployment | `{}` |
| pods.objectSelector | object selector to use - ( overrides root ObjectSelector ) | `{}` |
| pods.namespaceSelector | namespace selector to use - ( overrides root namespaceSelector ) | `{}` |
| secrets.objectSelector | object selector to use - ( overrides root ObjectSelector ) | `{}` |
| secrets.namespaceSelector | namespace selector to use - ( overrides root namespaceSelector ) | `{}` |
| configMaps.objectSelector | object selector to use - ( overrides root ObjectSelector ) | `{}` |
| configMaps.namespaceSelector | namespace selector to use - ( overrides root namespaceSelector ) | `{}` |
| customResources.objectSelector | object selector to use - ( overrides root ObjectSelector ) | `{}` |
| customResources.namespaceSelector | namespace selector to use - ( overrides root namespaceSelector ) | `{}` |
| customResourceMutations | list of CustomResources to inject values from Vault | `[]` |
| podDisruptionBudget.enabled | enable PodDisruptionBudget | `true` |
| podDisruptionBudget.minAvailable | represents the number of Pods that must be available (integer or percentage) | `1` |
| podDisruptionBudget.maxUnavailable | represents the number of Pods that can be unavailable (integer or percentage) | ` ` |
| certificate.generate | should a new CA and TLS certificate be generated for the webhook | `true` |
| certificate.useCertManager | should request cert-manager for getting a new CA and TLS certificate | `false` |
| certificate.servingCertificate | should use an already externally defined Certificate by cert-manager | `null` |
| certificate.ca.crt | Base64 encoded CA certificate | `` |
| certificate.server.tls.crt | Base64 encoded TLS certificate signed by the CA | `` |
| certificate.server.tls.key | Base64 encoded private key of TLS certificate signed by the CA | `` |
| apiSideEffectValue | Webhook sideEffect value | `NoneOnDryRun` |
| securityContext | Container security context for webhook deployment | `{ runAsUser: 65534, allowPrivaledgeEscalation: false }` |
| podSecurityContext | Pod security context for webhook deployment | `{}` |
| timeoutSeconds | Webhook timeoutSeconds value | `` |
| hostNetwork | allow pod to use the node network namespace | `false` |
| dnsPolicy | The dns policy desired for the deployment | `` |
| kubeVersion | Override cluster version | `` |
### Certificate options
There are the following options for suppling the webhook with CA and TLS certificates.
#### Generate (default)
The default option is to let helm generate the CA and TLS certificates on deploy time.
This will renew the certificates on each deployment.
```
certificate:
generate: true
```
#### Manually supplied
Another option is to generate everything manually and specify the TLS `crt` and `key` plus the CA `crt` as values.
These values need to be base64 encoded x509 certificates.
```yaml
certificate:
generate: false
server:
tls:
crt: LS0tLS1...
key: LS0tLS1...
ca:
crt: LS0tLS1...
```
#### Using cert-manager
If you use cert-manager in your cluster, you can instruct cert-manager to manage everything.
The following options will let cert-manager generate TLS `certificate` and `key` plus the CA `certificate`.
```yaml
certificate:
generate: false
useCertManager: true
```
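Review bot: the "Using External Vault Instances" example ships `vault.security.banzaicloud.io/vault-skip-verify: "true"` with the comment "Container is missing Trusted Mozilla roots too", which presents disabling TLS verification for the Vault connection as the standard recipe; anyone who can intercept or redirect traffic to that Vault address can then impersonate Vault and capture the credentials the pod presents during login. Present skip-verify as a troubleshooting fallback and describe supplying the Vault CA to the injected container as the intended path. Two smaller points in the same file: the `securityContext` default in the parameter table spells the field `allowPrivaledgeEscalation`; if values.yaml carries the same spelling the API server will not recognise the field and the container never actually gets `allowPrivilegeEscalation: false`, so check values.yaml. And the `env.VAULT_IMAGE` default `vault:1.6.2` is an old pin for a chart at appVersion 1.19.0; confirm it is intentional or bump it.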

View File

@ -0,0 +1,111 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vault-secrets-webhook.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vault-secrets-webhook.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vault-secrets-webhook.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "vault-secrets-webhook.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "vault-secrets-webhook.fullname" .) }}
{{- end -}}
{{- define "vault-secrets-webhook.rootCAIssuer" -}}
{{ printf "%s-ca" (include "vault-secrets-webhook.fullname" .) }}
{{- end -}}
{{- define "vault-secrets-webhook.rootCACertificate" -}}
{{ printf "%s-ca" (include "vault-secrets-webhook.fullname" .) }}
{{- end -}}
{{- define "vault-secrets-webhook.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "vault-secrets-webhook.fullname" .) }}
{{- end -}}
{{/*
Overrideable version for container image tags.
*/}}
{{- define "vault-secrets-webhook.bank-vaults.version" -}}
{{- .Values.image.tag | default (printf "%s" .Chart.AppVersion) -}}
{{- end -}}
{{- define "vault-secrets-webhook.vault-env.version" -}}
{{- .Values.vaultEnv.tag | default (printf "%s" .Chart.AppVersion) -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "vault-secrets-webhook.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "vault-secrets-webhook.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Return the target Kubernetes version.
https://github.com/bitnami/charts/blob/master/bitnami/common/templates/_capabilities.tpl
*/}}
{{- define "vault-secrets-webhook.capabilities.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for policy.
*/}}
{{- define "vault-secrets-webhook.capabilities.policy.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "vault-secrets-webhook.capabilities.ingress.apiVersion" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if semverCompare "<1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- else if semverCompare "<1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
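Review bot: the `vault-secrets-webhook.capabilities.ingress.apiVersion` helper repeats the same three `semverCompare` branches twice, once inside `{{- if .Values.ingress -}}` and once in the outer `else`, so a future change to one copy will silently diverge from the other. Hoist the `.Values.ingress.apiVersion` override into a variable first and keep a single chain of version branches. Minor: `printf "%s" .Chart.AppVersion` in the two version helpers is a no-op wrapper; `.Values.image.tag | default .Chart.AppVersion` reads the same.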

View File

@ -0,0 +1,367 @@
{{- $tlsCrt := "" }}
{{- $tlsKey := "" }}
{{- $caCrt := "" }}
{{- if .Values.certificate.generate }}
{{- $ca := genCA "svc-cat-ca" 3650 }}
{{- $svcName := include "vault-secrets-webhook.fullname" . }}
{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }}
{{- $altName1 := printf "%s.cluster.local" $cn }}
{{- $altName2 := printf "%s" $cn }}
{{- $server := genSignedCert $cn nil (concat (list $altName1 $altName2) .Values.certificate.extraAltNames) 365 $ca }}
{{- $tlsCrt = b64enc $server.Cert }}
{{- $tlsKey = b64enc $server.Key }}
{{- $caCrt = b64enc $ca.Cert }}
{{- else if .Values.certificate.useCertManager }}
{{/* Create a new Certificate with cert-manager. */}}
{{/* all clientConfig.caBundle will be overridden by cert-manager */}}
{{- else if .Values.certificate.servingCertificate }}
{{/* Use an already externally defined Certificate by cert-manager. */}}
{{/* all clientConfig.caBundle will be overridden by cert-manager */}}
{{- else }}
{{- $tlsCrt = required "Value certificate.server.tls.crt is required when certificate.generate is false" .Values.certificate.server.tls.crt }}
{{- $tlsKey = required "Value certificate.server.tls.key is required when certificate.generate is false" .Values.certificate.server.tls.key }}
{{- $caCrt = required "Value certificate.ca.crt is required when certificate.generate is false" .Values.certificate.ca.crt }}
{{- end }}
{{- $secretsNamespaceSelector := default dict }}
{{- $secretsObjectSelector := default dict }}
{{- $configmapsNamespaceSelector := default dict }}
{{- $configmapsObjectSelector := default dict }}
{{- $podsNamespaceSelector := default dict }}
{{- $podsObjectSelector := default dict }}
{{- $crNamespaceSelector := default dict }}
{{- $crObjectSelector := default dict }}
{{- if .Values.secrets.namespaceSelector }}
{{- $secretsNamespaceSelector = .Values.secrets.namespaceSelector }}
{{- else }}
{{- $secretsNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.secrets.objectSelector }}
{{- $secretsObjectSelector = .Values.secrets.objectSelector }}
{{- else }}
{{- $secretsObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if .Values.configMaps.namespaceSelector }}
{{- $configmapsNamespaceSelector = .Values.configMaps.namespaceSelector }}
{{- else }}
{{- $configmapsNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.configMaps.objectSelector }}
{{- $configmapsObjectSelector = .Values.configMaps.objectSelector }}
{{- else }}
{{- $configmapsObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if .Values.pods.namespaceSelector }}
{{- $podsNamespaceSelector = .Values.pods.namespaceSelector }}
{{- else }}
{{- $podsNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.pods.objectSelector }}
{{- $podsObjectSelector = .Values.pods.objectSelector }}
{{- else }}
{{- $podsObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if .Values.customResources.namespaceSelector }}
{{- $crNamespaceSelector = .Values.customResources.namespaceSelector }}
{{- else }}
{{- $crNamespaceSelector = .Values.namespaceSelector }}
{{- end }}
{{- if .Values.customResources.objectSelector }}
{{- $crObjectSelector = .Values.customResources.objectSelector }}
{{- else }}
{{- $crObjectSelector = .Values.objectSelector }}
{{- end }}
{{- if $tlsCrt }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "vault-secrets-webhook.servingCertificate" . }}
namespace: {{ .Release.Namespace }}
data:
tls.crt: {{ $tlsCrt }}
tls.key: {{ $tlsKey }}
ca.crt: {{ $caCrt }}
{{- end }}
---
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.certificate.useCertManager }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "vault-secrets-webhook.servingCertificate" . }}"
{{- else if .Values.certificate.servingCertificate }}
annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ .Values.certificate.servingCertificate }}"
{{- end }}
webhooks:
- name: pods.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
{{- with .Values.reinvocationPolicy }}
reinvocationPolicy: {{ . }}
{{- end }}
admissionReviewVersions: ["v1beta1"]
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /pods
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
- pods
failurePolicy: {{ .Values.podsFailurePolicy }}
namespaceSelector:
{{- if $podsNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $podsNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $podsNamespaceSelector.matchExpressions }}
{{ toYaml $podsNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $podsObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $podsObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $podsObjectSelector.matchExpressions }}
{{ toYaml $podsObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- if .Values.secretsMutation }}
- name: secrets.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- with .Values.reinvocationPolicy }}
reinvocationPolicy: {{ . }}
{{- end }}
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
admissionReviewVersions: ["v1beta1"]
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /secrets
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
- secrets
failurePolicy: {{ .Values.secretsFailurePolicy }}
namespaceSelector:
{{- if $secretsNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $secretsNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $secretsNamespaceSelector.matchExpressions }}
{{ toYaml $secretsNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $secretsObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $secretsObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $secretsObjectSelector.matchExpressions }}
{{ toYaml $secretsObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: owner
operator: NotIn
values:
- helm
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- end }}
{{- if .Values.configMapMutation }}
- name: configmaps.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
admissionReviewVersions: ["v1beta1"]
{{- with .Values.reinvocationPolicy }}
reinvocationPolicy: {{ . }}
{{- end }}
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /configmaps
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
- configmaps
failurePolicy: {{ .Values.configmapFailurePolicy | default .Values.configMapFailurePolicy }}
namespaceSelector:
{{- if $configmapsNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $configmapsNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $configmapsNamespaceSelector.matchExpressions }}
{{ toYaml $configmapsNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $configmapsObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $configmapsObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $configmapsObjectSelector.matchExpressions }}
{{ toYaml $configmapsObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: owner
operator: NotIn
values:
- helm
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- end }}
{{- if .Values.customResourceMutations }}
- name: objects.{{ template "vault-secrets-webhook.name" . }}.admission.banzaicloud.com
{{- if semverCompare ">=1.14-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
admissionReviewVersions: ["v1beta1"]
{{- if .Values.timeoutSeconds }}
timeoutSeconds: {{ .Values.timeoutSeconds }}
{{- end }}
{{- end }}
clientConfig:
{{- if .Values.webhookClientConfig.useUrl }}
url: {{ .Values.webhookClientConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.fullname" . }}
path: /objects
{{- end }}
caBundle: {{ $caCrt }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- "*"
apiVersions:
- "*"
resources:
{{ toYaml .Values.customResourceMutations | indent 6 }}
failurePolicy: {{ .Values.customResourcesFailurePolicy }}
namespaceSelector:
{{- if $crNamespaceSelector.matchLabels }}
matchLabels:
{{ toYaml $crNamespaceSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $crNamespaceSelector.matchExpressions }}
{{ toYaml $crNamespaceSelector.matchExpressions | indent 4 }}
{{- end }}
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
{{- if semverCompare ">=1.15-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
objectSelector:
{{- if $crObjectSelector.matchLabels }}
matchLabels:
{{ toYaml $crObjectSelector.matchLabels | indent 6 }}
{{- end }}
matchExpressions:
{{- if $crObjectSelector.matchExpressions }}
{{ toYaml $crObjectSelector.matchExpressions | indent 4 }}
{{- end }}
- key: security.banzaicloud.io/mutate
operator: NotIn
values:
- skip
{{- end }}
{{- if semverCompare ">=1.12-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
sideEffects: {{ .Values.apiSideEffectValue }}
{{- end }}
{{- end }}
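Review bot: with `certificate.generate: true` the serving certificate is issued for 365 days (`genSignedCert $cn nil (...) 365 $ca`) while the CA gets 3650, and nothing renews it between `helm upgrade` runs; once it expires the API server can no longer reach the webhook, and for every webhook here whose failurePolicy value resolves to `Fail` that blocks pod creation (and secret/configmap updates) in every namespace the selectors match. The README says certificates are renewed on each deployment, so either document that a generated cert must be re-issued within a year or make the lifetime a value. Further points in this hunk: `MutatingWebhookConfiguration` is cluster-scoped, so `namespace: {{ .Release.Namespace }}` in its metadata is meaningless and should be dropped; `admissionReviewVersions: ["v1beta1"]` should become `["v1", "v1beta1"]` now that the config is served as `admissionregistration.k8s.io/v1` on 1.16+, since `admission.k8s.io/v1beta1` has been deprecated since 1.16; the `name NotIn <release namespace>` namespaceSelector entry depends on the manual `name` label the README asks operators to add, whereas Kubernetes 1.21+ sets `kubernetes.io/metadata.name` on every namespace automatically and would make the self-exclusion work without that step; and the `reinvocationPolicy` block of the secrets webhook sits outside the `>=1.14-0` guard the pods and configmaps webhooks use. The CA common name `svc-cat-ca` also looks inherited from another chart. Finally the four webhook entries are near-verbatim copies; a named template taking name, path, resources and selectors would shrink this file and keep the self-exclusion expressions identical.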

View File

@ -0,0 +1,61 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ template "vault-secrets-webhook.chart" . }}
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: mutating-webhook
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
spec:
endpoints:
- interval: 30s
port: metrics
scheme: {{ .Values.metrics.serviceMonitor.scheme }}
{{- if .Values.metrics.serviceMonitor.relabellings }}
metricrelabelings:
{{ toYaml .Values.metrics.serviceMonitor.relabellings | indent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{ toYaml .Values.metrics.serviceMonitor.tlsConfig | indent 6 }}
{{- end }}
jobLabel: {{ template "vault-secrets-webhook.name" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
{{- end }}
{{- if .Values.metrics.enabled }}
---
apiVersion: v1
kind: Service
metadata:
annotations:
name: {{ template "vault-secrets-webhook.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ template "vault-secrets-webhook.chart" . }}
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: mutating-webhook
spec:
clusterIP: None
ports:
- name: metrics
port: {{ .Values.metrics.port }}
protocol: TCP
targetPort: {{ .Values.metrics.port }}
selector:
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
sessionAffinity: None
type: ClusterIP
{{- end }}
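Review bot: the ServiceMonitor endpoint key is written `metricrelabelings`, but the Prometheus Operator CRD field is `metricRelabelings`; as written the content of `metrics.serviceMonitor.relabellings` is either rejected or pruned as an unknown field, so the relabel rules never apply. Rename the key, and consider naming the value `metricRelabelings` too so it matches the field it feeds. Minor: the empty `annotations:` under the metrics Service renders a null key; wrap it in a `with` or drop it.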

View File

@ -0,0 +1,13 @@
{{/* this file is for generating warnings about incorrect usage of the chart */}}
{{- if .Values.certificate.generate }}
{{- if .Values.certificate.useCertManager }}
{{ fail "It is not allowed to both set certificate.generate=true and certificate.useCertManager=true."}}
{{- end }}
{{- end }}
{{- if .Values.webhookClientConfig.useUrl -}}
{{- if or (not .Values.webhookClientConfig.url ) }}
{{ fail "When webhookClientConfig.useUrl=true webhookClientConfig.url should be set and not empty "}}
{{- end }}
{{- end }}
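Review bot: the second check uses `or` with a single operand (`{{- if or (not .Values.webhookClientConfig.url ) }}`), which is just `not`; drop the `or`. The first check only rejects `generate` together with `useCertManager`, but the `if / else if` chain in apiservice-webhook.yaml also silently prefers `useCertManager` over `servingCertificate` when both are set and ignores `servingCertificate` when `generate` is true; add `fail` calls for those combinations so a mis-set values file is caught at template time instead of producing a webhook whose `caBundle` does not match the certificate the pod serves.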

View File

@ -0,0 +1,82 @@
{{- if .Values.certificate.useCertManager }}
---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "vault-secrets-webhook.selfSignedIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "vault-secrets-webhook.name" . }}
chart: {{ include "vault-secrets-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "vault-secrets-webhook.rootCACertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "vault-secrets-webhook.name" . }}
chart: {{ include "vault-secrets-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "vault-secrets-webhook.rootCACertificate" . }}
duration: 43800h0m0s # 5y
issuerRef:
name: {{ include "vault-secrets-webhook.selfSignedIssuer" . }}
commonName: "ca.vault-secrets-webhook.cert-manager"
isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "vault-secrets-webhook.rootCAIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "vault-secrets-webhook.name" . }}
chart: {{ include "vault-secrets-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ca:
secretName: {{ include "vault-secrets-webhook.rootCACertificate" . }}
---
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "vault-secrets-webhook.servingCertificate" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "vault-secrets-webhook.name" . }}
chart: {{ include "vault-secrets-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
secretName: {{ include "vault-secrets-webhook.servingCertificate" . }}
duration: 8760h0m0s # 1y
issuerRef:
name: {{ include "vault-secrets-webhook.rootCAIssuer" . }}
dnsNames:
- {{ include "vault-secrets-webhook.fullname" . }}
- {{ include "vault-secrets-webhook.fullname" . }}.{{ .Release.Namespace }}
- {{ include "vault-secrets-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
{{- range .Values.certificate.extraAltNames }}
- {{ . }}
{{- end }}
{{- end }}
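Review bot: the `dnsNames` entries taken from `certificate.extraAltNames` are emitted unquoted (`- {{ . }}`), so a wildcard such as `*.example.com` is read by the YAML parser as an alias reference and the release fails to render; emit them with `{{ . | quote }}`. Separately, both Certificates set `duration` (43800h for the CA, 8760h for the serving cert) without `renewBefore`; cert-manager's default renewal at two thirds of the lifetime is acceptable, but since the CA private key sits in an ordinary Secret in the release namespace, a shorter serving-cert lifetime such as 2160h costs nothing and narrows the window in which a leaked serving key is useful.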

View File

@ -0,0 +1,124 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ template "vault-secrets-webhook.chart" . }}
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: mutating-webhook
{{- if .Values.labels }}
{{ toYaml .Values.labels | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.deployment }}
{{- if .Values.deployment.strategy }}
strategy:
{{ toYaml .Values.deployment.strategy | indent 4 }}
{{- end }}
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
security.banzaicloud.io/mutate: skip
{{- if .Values.labels }}
{{ toYaml .Values.labels | indent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/apiservice-webhook.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.hostNetwork}}
hostNetwork: {{ .Values.hostNetwork}}
{{- end }}
{{- with .Values.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
serviceAccountName: {{ template "vault-secrets-webhook.serviceAccountName" . }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
volumes:
- name: serving-cert
secret:
defaultMode: 420
secretName: {{ include "vault-secrets-webhook.servingCertificate" . }}
{{- if .Values.volumes }}
{{ toYaml .Values.volumes | indent 8 }}
{{- end }}
{{- if .Values.image.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.image.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.initContainers }}
initContainers:
{{ toYaml .Values.initContainers | indent 8}}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ include "vault-secrets-webhook.bank-vaults.version" . }}"
env:
- name: TLS_CERT_FILE
value: /var/serving-cert/tls.crt
- name: TLS_PRIVATE_KEY_FILE
value: /var/serving-cert/tls.key
- name: LISTEN_ADDRESS
value: ":{{ .Values.service.internalPort }}"
{{- if .Values.debug }}
- name: LOG_LEVEL
value: "debug"
{{- end }}
- name: VAULT_ENV_IMAGE
value: "{{ .Values.vaultEnv.repository }}:{{ include "vault-secrets-webhook.vault-env.version" . }}"
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
readinessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: {{ .Values.service.internalPort }}
volumeMounts:
- mountPath: /var/serving-cert
name: serving-cert
{{- if .Values.volumeMounts }}
{{ toYaml .Values.volumeMounts | indent 12 }}
{{- end }}
securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
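Review bot: the container `securityContext` comes verbatim from `.Values.securityContext`, whose defaults in this commit set only `runAsUser: 65534` and `allowPrivilegeEscalation: false`; add `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` to those defaults. This matters beyond hardening: the PodSecurityPolicy added in this commit sets `readOnlyRootFilesystem: true`, and PSP admission will not admit a container that does not set it, so `rbac.psp.enabled: true` with the shipped defaults produces a pod that never schedules. A `livenessProbe` next to the HTTPS `readinessProbe` on `/healthz` would also let a wedged process be restarted rather than only removed from endpoints.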

View File

@ -0,0 +1,28 @@
{{- if .Values.ingress.enabled }}
---
apiVersion: {{ include "vault-secrets-webhook.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.ingress.annotations }}
annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }}
{{- end }}
spec:
tls:
- hosts:
- {{ .Values.ingress.host }}
secretName: {{ include "vault-secrets-webhook.servingCertificate" . }}
rules:
- host: {{ .Values.ingress.host }}
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: {{ template "vault-secrets-webhook.fullname" . }}
port:
number: {{ .Values.service.externalPort }}
{{- end }}
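Review bot: the `tls` block reuses the webhook's serving-certificate Secret, but the SANs on that certificate cover only the Service name forms, so `ingress.host` only validates if it is also listed in `certificate.extraAltNames`; the values.yaml comment should say so explicitly. The backend is the HTTPS port (`service.externalPort`) and no annotation tells the controller to use HTTPS upstream (for ingress-nginx, `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`), so out of the box the controller speaks plaintext to a TLS listener. There is also no `ingressClassName`. More fundamentally, exposing an admission webhook through an Ingress is a trust-boundary change: only the API server needs to reach it, and nothing in this chart configures client authentication on the listener, so the default of `ingress.enabled: false` should stay and the option should be documented as a last resort for clusters where the API server cannot reach the Service.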

View File

@ -0,0 +1,24 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: {{ include "vault-secrets-webhook.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ template "vault-secrets-webhook.chart" . }}
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: mutating-webhook
spec:
{{- with .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
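Review bot: both `with` blocks can render together, and a PodDisruptionBudget that sets `minAvailable` and `maxUnavailable` at once is rejected by the API server, so a user who uncomments `maxUnavailable: 1` in values.yaml without removing the default `minAvailable: 1` gets an install failure; use an `if`/`else if` so only one is emitted. `with` also skips a zero value, so `maxUnavailable: 0` cannot be expressed. Finally, with `replicaCount: 1` and the default `minAvailable: 1` this budget blocks every node drain; either document that or derive the default from `replicaCount`.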

View File

@ -0,0 +1,65 @@
{{- if .Values.rbac.psp.enabled }}
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
apiVersion: policy/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
spec:
allowPrivilegeEscalation: false
allowedCapabilities:
- IPC_LOCK
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- secret
- emptyDir
- configMap
---
{{- if semverCompare ">=1.16-0" (include "vault-secrets-webhook.capabilities.kubeVersion" .) }}
apiVersion: policy/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
name: {{ template "vault-secrets-webhook.fullname" . }}.mutate
namespace: {{ .Release.Namespace }}
spec:
allowPrivilegeEscalation: false
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
- downwardAPI
- emptyDir
- configMap
{{- end }}
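Review bot: nothing in this commit grants `use` on the second, fully permissive `fullname.mutate` policy (RunAsAny for user, fsGroup, seLinux and supplementalGroups); the ClusterRole below only names the first policy, so either document which subjects are meant to be bound to it or drop it. That ClusterRole also grants `use` in apiGroup `extensions` while this template selects `policy/v1beta1` on 1.16+; grant it in `policy`. `metadata.namespace` on a cluster-scoped PodSecurityPolicy is ignored and should be removed. The `seccomp.security.alpha.kubernetes.io/*` annotations are the deprecated alpha form, superseded by `securityContext.seccompProfile` in 1.19, and PodSecurityPolicy itself was removed in 1.25, so the template deserves a deprecation comment pointing users at Pod Security Admission.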

View File

@ -0,0 +1,93 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault-secrets-webhook.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
helm.sh/chart: {{ include "vault-secrets-webhook.chart" . }}
app.kubernetes.io/name: {{ include "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.serviceAccount.labels }}
{{ toYaml .Values.serviceAccount.labels | indent 4 }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- "get"
{{- if .Values.secretsMutation }}
- "update"
{{- end }}
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- "get"
- apiGroups:
- ""
resources:
- configmaps
verbs:
- "create"
- "update"
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- "create"
{{- if .Values.rbac.psp.enabled }}
- apiGroups:
- extensions
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ template "vault-secrets-webhook.fullname" . }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}-limited
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: {{ template "vault-secrets-webhook.fullname" . }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: {{ template "vault-secrets-webhook.serviceAccountName" . }}
{{- if .Values.rbac.authDelegatorRole.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "vault-secrets-webhook.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
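Review bot: this ClusterRole is far broader than the `-limited` binding name suggests. `create` on `serviceaccounts/token` with no `resourceNames` lets the webhook's ServiceAccount mint a token for any ServiceAccount in any namespace, including ones bound to cluster-admin, so compromise of the webhook pod is compromise of the cluster; `get` on every Secret cluster-wide (plus `update` whenever `secretsMutation` is true, which is the default) and `create`/`update` on every ConfigMap compound that. Scope the injector to the namespaces it actually serves (the same set the `namespaceSelector` admits) with Roles and RoleBindings instead of a ClusterRoleBinding, and where the serviced ServiceAccounts are known, restrict the token rule with `resourceNames`. Minor: the ConfigMap `get` appears in both the first and third rule, and the `podsecuritypolicies` rule uses apiGroup `extensions` while the PSP template in this commit renders `policy/v1beta1` on 1.16+.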

View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "vault-secrets-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ template "vault-secrets-webhook.chart" . }}
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: mutating-webhook
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}

View File

@ -0,0 +1,222 @@
# Default values for vault-secrets-webhook.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 2
debug: false
certificate:
useCertManager: false
servingCertificate: null
generate: true
server:
tls:
crt:
key:
ca:
crt:
extraAltNames: []
# use extra names if you want use the webhook via an ingress or a loadbalancer
image:
repository: ghcr.io/banzaicloud/vault-secrets-webhook
# tag: ""
pullPolicy: IfNotPresent
imagePullSecrets: []
service:
name: vault-secrets-webhook
type: ClusterIP
externalPort: 443
internalPort: 8443
annotations: {}
# Annotate service
# This can be used for example if type is AWS LoadBalancer and you want to add security groups
ingress:
enabled: false
annotations: {}
# dns of ingress for vault-webhook
# host: example.com
webhookClientConfig:
# By default the mutating webhook uses the service of the webhook directly to contact webhook
# Use url if webhook should be contacted over loadbalancer or ingress instead of service object
useUrl: false
# set the url how the webhook should be contacted (including protocol https://)
# url: https://example.com
vaultEnv:
repository: ghcr.io/banzaicloud/vault-env
# tag: ""
env:
VAULT_IMAGE: vault:1.6.2
# VAULT_CAPATH: /vault/tls
# # Used when the pod that should get secret injected does not
# # specify an imagePullSecret
# DEFAULT_IMAGE_PULL_SECRET:
# DEFAULT_IMAGE_PULL_SECRET_NAMESPACE:
# DEFAULT_IMAGE_PULL_SECRET_SERVICE_ACCOUNT
# VAULT_CLIENT_TIMEOUT: 10s
# # define the webhook's role in Vault used for authentication,
# # if not defined individually in resources by annotations.
# VAULT_ROLE: vault-secrets-webhook
# Resource requests and limits for init containers
# VAULT_ENV_CPU_REQUEST:
# VAULT_ENV_MEMORY_REQUEST:
# VAULT_ENV_CPU_LIMIT:
# VAULT_ENV_MEMORY_LIMIT
# VAULT_ENV_LOG_SERVER:
initContainers: []
## Containers, which are run before the app containers are started.
# - name: init-myservice
# image: busybox
# command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
metrics:
enabled: true
port: 8443
serviceMonitor:
enabled: true
scheme: https
tlsConfig:
insecureSkipVerify: true
securityContext:
runAsUser: 65534
allowPrivilegeEscalation: false
podSecurityContext: {}
volumes: []
# - name: vault-tls
# secret:
# secretName: vault-tls
volumeMounts: []
# - name: vault-tls
# mountPath: /vault/tls
podAnnotations: {}
labels: {}
# team: banzai
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: {}
## Assign a PriorityClassName to pods if set
priorityClassName: ""
rbac:
psp:
enabled: false
authDelegatorRole:
enabled: false
serviceAccount:
# Specifies whether a service account should be created
create: true
# Labels to add to the service account
labels: {}
# Annotations to add to the service account
annotations: {}
# Enables GKE workload identity
# iam.gke.io/gcp-service-account: gsa@project.iam.gserviceaccount.com
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
deployment:
# Strategy for the deployment
strategy: {}
# A list of Kubernetes resource types to mutate as well:
# Example: ["ingresses", "servicemonitors"]
customResourceMutations: []
customResourcesFailurePolicy: Ignore
# This can cause issues when used with Helm, so it is not enabled by default
configMapMutation: false
# Whether to mutate Secrets with values from Vault. Set to false in order to prevent secret values from being persisted in Kubernetes.
secretsMutation: true
configMapFailurePolicy: Ignore
podsFailurePolicy: Ignore
secretsFailurePolicy: Ignore
apiSideEffectValue: NoneOnDryRun
namespaceSelector:
matchExpressions:
- key: name
operator: NotIn
values:
- kube-system
# https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
# matchLabels:
# vault-injection: enabled
# In case of the K8s cluster version is above 1.15 objectSelector is usable
objectSelector: {}
# matchExpressions:
# - key: security.banzaicloud.io/mutate
# operator: NotIn
# values:
# - skip
# matchLabels:
# vault-injection: enabled
# objectSelector & namespaceSelector for secrets resource (overrides `objectSelector`); Requires K8s 1.15+
secrets:
objectSelector: {}
namespaceSelector: {}
# objectSelector & namespaceSelector for pods resource (overrides `objectSelector`); Requires K8s 1.15+
pods:
objectSelector: {}
namespaceSelector: {}
# objectSelector & namespaceSelector for configmap resource (overrides `objectSelector`); Requires K8s 1.15+
configMaps:
objectSelector: {}
namespaceSelector: {}
# objectSelector & namespaceSelector for customResource resource (overrides `objectSelector`); Requires K8s 1.15+
customResources:
objectSelector: {}
namespaceSelector: {}
podDisruptionBudget:
enabled: true
minAvailable: 1
# maxUnavailable: 1
timeoutSeconds: false
hostNetwork: false
# If you're using celium (CNI) and you are required to set hostNetwork to true
# then pods with webhooks must set the dnsPolicy to "ClusterFirstWithHostNet"
dnsPolicy: ""
# Override cluster version
kubeVersion: ""
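Review bot: every failure policy here (`podsFailurePolicy`, `secretsFailurePolicy`, `configMapFailurePolicy`, `customResourcesFailurePolicy`) defaults to `Ignore`, so when the webhook is down or times out, Pods are admitted unmutated and start without the injected secret handling; that is a fail-open default for a component whose job is secret delivery. Document the trade-off and recommend `Fail` for the `pods` resource in production, with the caveat that `Fail` also requires excluding the webhook's own pods (enable the commented `objectSelector` on `security.banzaicloud.io/mutate: skip`, the label the Deployment puts on itself) or the webhook can never be rescheduled after an outage; the `kube-system` exclusion alone does not cover that. Other points: `VAULT_IMAGE: vault:1.6.2` pins a 2021 release by mutable tag, so bump it and pin by digest; `metrics.serviceMonitor.tlsConfig.insecureSkipVerify: true` disables verification of a listener that shares port 8443 with the admission endpoint, and with `certificate.generate` the CA is available for `tlsConfig.ca` instead; `timeoutSeconds: false` should be an integer or omitted; `topologySpreadConstraints: {}` should be `[]` to match the list the Deployment renders; and the comment reads "celium" for Cilium.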

View File

@ -0,0 +1,222 @@
# Default values for vault-secrets-webhook.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 2
debug: false
certificate:
useCertManager: false
servingCertificate: null
generate: true
server:
tls:
crt:
key:
ca:
crt:
extraAltNames: []
# use extra names if you want use the webhook via an ingress or a loadbalancer
image:
repository: ghcr.io/banzaicloud/vault-secrets-webhook
# tag: ""
pullPolicy: IfNotPresent
imagePullSecrets: []
service:
name: vault-secrets-webhook
type: ClusterIP
externalPort: 443
internalPort: 8443
annotations: {}
# Annotate service
# This can be used for example if type is AWS LoadBalancer and you want to add security groups
ingress:
enabled: false
annotations: {}
# dns of ingress for vault-webhook
# host: example.com
webhookClientConfig:
# By default the mutating webhook uses the service of the webhook directly to contact webhook
# Use url if webhook should be contacted over loadbalancer or ingress instead of service object
useUrl: false
# set the url how the webhook should be contacted (including protocol https://)
# url: https://example.com
vaultEnv:
repository: ghcr.io/banzaicloud/vault-env
# tag: ""
env:
VAULT_IMAGE: vault:1.6.2
# VAULT_CAPATH: /vault/tls
# # Used when the pod that should get secret injected does not
# # specify an imagePullSecret
# DEFAULT_IMAGE_PULL_SECRET:
# DEFAULT_IMAGE_PULL_SECRET_NAMESPACE:
# DEFAULT_IMAGE_PULL_SECRET_SERVICE_ACCOUNT
# VAULT_CLIENT_TIMEOUT: 10s
# # define the webhook's role in Vault used for authentication,
# # if not defined individually in resources by annotations.
# VAULT_ROLE: vault-secrets-webhook
# Resource requests and limits for init containers
# VAULT_ENV_CPU_REQUEST:
# VAULT_ENV_MEMORY_REQUEST:
# VAULT_ENV_CPU_LIMIT:
# VAULT_ENV_MEMORY_LIMIT
# VAULT_ENV_LOG_SERVER:
initContainers: []
## Containers, which are run before the app containers are started.
# - name: init-myservice
# image: busybox
# command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
metrics:
enabled: false
port: 8443
serviceMonitor:
enabled: false
scheme: https
tlsConfig:
insecureSkipVerify: true
securityContext:
runAsUser: 65534
allowPrivilegeEscalation: false
podSecurityContext: {}
volumes: []
# - name: vault-tls
# secret:
# secretName: vault-tls
volumeMounts: []
# - name: vault-tls
# mountPath: /vault/tls
podAnnotations: {}
labels: {}
# team: banzai
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: {}
## Assign a PriorityClassName to pods if set
priorityClassName: ""
rbac:
psp:
enabled: false
authDelegatorRole:
enabled: false
serviceAccount:
# Specifies whether a service account should be created
create: true
# Labels to add to the service account
labels: {}
# Annotations to add to the service account
annotations: {}
# Enables GKE workload identity
# iam.gke.io/gcp-service-account: gsa@project.iam.gserviceaccount.com
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
deployment:
# Strategy for the deployment
strategy: {}
# A list of Kubernetes resource types to mutate as well:
# Example: ["ingresses", "servicemonitors"]
customResourceMutations: []
customResourcesFailurePolicy: Ignore
# This can cause issues when used with Helm, so it is not enabled by default
configMapMutation: false
# Whether to mutate Secrets with values from Vault. Set to false in order to prevent secret values from being persisted in Kubernetes.
secretsMutation: true
configMapFailurePolicy: Ignore
podsFailurePolicy: Ignore
secretsFailurePolicy: Ignore
apiSideEffectValue: NoneOnDryRun
namespaceSelector:
matchExpressions:
- key: name
operator: NotIn
values:
- kube-system
# https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
# matchLabels:
# vault-injection: enabled
# In case of the K8s cluster version is above 1.15 objectSelector is usable
objectSelector: {}
# matchExpressions:
# - key: security.banzaicloud.io/mutate
# operator: NotIn
# values:
# - skip
# matchLabels:
# vault-injection: enabled
# objectSelector & namespaceSelector for secrets resource (overrides `objectSelector`); Requires K8s 1.15+
secrets:
objectSelector: {}
namespaceSelector: {}
# objectSelector & namespaceSelector for pods resource (overrides `objectSelector`); Requires K8s 1.15+
pods:
objectSelector: {}
namespaceSelector: {}
# objectSelector & namespaceSelector for configmap resource (overrides `objectSelector`); Requires K8s 1.15+
configMaps:
objectSelector: {}
namespaceSelector: {}
# objectSelector & namespaceSelector for customResource resource (overrides `objectSelector`); Requires K8s 1.15+
customResources:
objectSelector: {}
namespaceSelector: {}
podDisruptionBudget:
enabled: true
minAvailable: 1
# maxUnavailable: 1
timeoutSeconds: false
hostNetwork: false
# If you're using celium (CNI) and you are required to set hostNetwork to true
# then pods with webhooks must set the dnsPolicy to "ClusterFirstWithHostNet"
dnsPolicy: ""
# Override cluster version
kubeVersion: ""
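Review bot: this second defaults file is a line-for-line copy of the first except that `metrics.enabled` and `metrics.serviceMonitor.enabled` are `false`; every point raised against the first copy applies here too, and two 222-line files that differ in two booleans will drift. Keep a single values.yaml and express this variant as a two-line override file passed with `-f`.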