This is a Kubernetes [Admission Webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) that can modify pods to interact with Vault. The basic use case is to attach a sidecar container running [`vault agent`](https://www.vaultproject.io/docs/agent/) and syncing the Vault token to be available to the other containers in the pod via a `volumeMount`.
Pods can customize their interaction with the webhook via annotations, see below.
A helm chart is available to deploy this project to your cluster, see below.
| Annotation | Description | Examples |
|---|---|---|
| | Required. Vault Kubernetes auth method role name for the pod to authenticate as. If this is not set, the Pod will not be modified by the admission webhook. | |
| | Optional. Set this to (String, not Boolean) to exit the container after a successful token write. | |
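To make the mutation concrete, here is an added example (not the project's own code) of what the webhook has to produce: given an `AdmissionReview` request for a pod, it returns an `AdmissionReview` response carrying a base64-encoded JSON Patch that adds a shared in-memory volume, mounts it read-only into every existing container, and appends a `vault agent` sidecar that authenticates with the Kubernetes auth method and writes the token into that volume. The annotation names, image tag, Vault address, and token path are assumptions for the example; the role value is validated before it is interpolated into the agent's HCL config, and a pod without the role annotation is admitted untouched. The sample request is constructed inline, not a captured one.

```ruby
require 'json'

# Assumed names for this example (the real annotation names are not shown above).
ROLE_ANNOTATION = 'vault.example.com/role'.freeze
EXIT_ANNOTATION = 'vault.example.com/exit-after-auth'.freeze # value "true" as a string
VAULT_ADDR      = 'https://vault.example.com'.freeze
TOKEN_DIR       = '/var/run/vault'.freeze                      # shared mount path
AGENT_IMAGE     = 'hashicorp/vault:1.15'.freeze

# vault agent config: Kubernetes auth with the pod's service account token,
# token sunk to the shared volume. `role` is interpolated into HCL, so the
# caller validates it first.
def vault_agent_config(role, exit_after_auth)
  <<~HCL
    exit_after_auth = #{exit_after_auth}
    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = { role = "#{role}" }
      }
      sink "file" {
        config = { path = "#{TOKEN_DIR}/token" }
      }
    }
  HCL
end

def sidecar_container(role, exit_after_auth)
  {
    'name' => 'vault-agent', 'image' => AGENT_IMAGE,
    # Materialise the config from an env var, then exec the agent (no ConfigMap needed).
    'command' => ['sh', '-c',
                  'printf "%s" "$VAULT_AGENT_CONFIG" > /tmp/agent.hcl && exec vault agent -config=/tmp/agent.hcl'],
    'env' => [{ 'name' => 'VAULT_ADDR', 'value' => VAULT_ADDR },
              { 'name' => 'VAULT_AGENT_CONFIG', 'value' => vault_agent_config(role, exit_after_auth) }],
    # The sidecar needs a writable mount; app containers get the volume read-only.
    'volumeMounts' => [{ 'name' => 'vault-token', 'mountPath' => TOKEN_DIR }]
  }
end

# RFC 6902 JSON Patch. Existing containers are patched by index first and the
# sidecar is appended last, so the indexes used earlier stay valid.
def sidecar_patch(pod, role, exit_after_auth)
  spec = pod['spec'] || {}
  ops = []
  # "add" to "/x/-" fails if the array does not exist yet, so create it first.
  ops << { 'op' => 'add', 'path' => '/spec/volumes', 'value' => [] } if spec['volumes'].nil?
  ops << { 'op' => 'add', 'path' => '/spec/volumes/-',
           'value' => { 'name' => 'vault-token', 'emptyDir' => { 'medium' => 'Memory' } } }
  (spec['containers'] || []).each_with_index do |c, i|
    ops << { 'op' => 'add', 'path' => "/spec/containers/#{i}/volumeMounts", 'value' => [] } if c['volumeMounts'].nil?
    ops << { 'op' => 'add', 'path' => "/spec/containers/#{i}/volumeMounts/-",
             'value' => { 'name' => 'vault-token', 'mountPath' => TOKEN_DIR, 'readOnly' => true } }
  end
  ops << { 'op' => 'add', 'path' => '/spec/containers/-', 'value' => sidecar_container(role, exit_after_auth) }
end

# AdmissionReview request in, AdmissionReview response out.
def admission_response(review)
  req = review['request']
  pod = req['object'] || {}
  annotations = pod.dig('metadata', 'annotations') || {}
  role = annotations[ROLE_ANNOTATION]
  resp = { 'uid' => req['uid'], 'allowed' => true }
  if role.nil? || role.empty?
    # No role annotation: admit the pod without modification.
  elsif !role.match?(/\A[A-Za-z0-9_.-]+\z/)
    # Reject values that could break out of the quoted string in the HCL config.
    resp['allowed'] = false
    resp['status'] = { 'code' => 400, 'message' => "invalid #{ROLE_ANNOTATION}: #{role.inspect}" }
  else
    ops = sidecar_patch(pod, role, annotations[EXIT_ANNOTATION] == 'true')
    resp['patchType'] = 'JSONPatch'
    resp['patch'] = [JSON.generate(ops)].pack('m0') # strict base64, no newlines
  end
  { 'apiVersion' => review['apiVersion'], 'kind' => 'AdmissionReview', 'response' => resp }
end

def decode_patch(response)
  JSON.parse(response['response']['patch'].unpack1('m0'))
end

# Constructed AdmissionReview for a one-container pod (not a captured request).
def sample_review(annotations)
  { 'apiVersion' => 'admission.k8s.io/v1', 'kind' => 'AdmissionReview',
    'request' => { 'uid' => '9e1c0d2a-example', 'operation' => 'CREATE',
                   'object' => { 'metadata' => { 'name' => 'app', 'annotations' => annotations },
                                 'spec' => { 'containers' => [{ 'name' => 'app', 'image' => 'nginx:1.25' }] } } } }
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(decode_patch(admission_response(sample_review(ROLE_ANNOTATION => 'app-role'))))
end
```

Running the file prints the five patch operations for the sample pod. Two details worth keeping when adapting this: the API server applies the patch as a whole, so the sidecar must be appended after the per-index container edits, and anything copied from an annotation into the agent config is attacker-controlled input from whoever can create pods, hence the allow-list check before interpolation.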
A Helm chart is available in the `helm/` directory. See the `values.yaml` there for available configuration options. The basic deployment will look something like:
```shell
# Install the admission webhook chart
helm upgrade vault-mutating-webhook ./helm/ --install --recreate-pods \
  --set webhook.vault_addr=https://vault.example.com
```
Unit tests are written with rspec and rack-test (see the Sinatra docs). They are meant to verify that the Sinatra app responds with appropriate JSON when it receives requests like those kube-apiserver would send it. Execute the tests with `bundle exec rspec`.
If you run into an rspec failure that dumps out abbreviated Sinatra response HTML, you can save the HTML to a file and view it in your browser. The rendered HTML will have info about the failure from Sinatra:

```ruby
it 'returns vault agent sidecar patches' do
  json = test_admission_review.to_json
  post('/vault-agent-sidecar', json, 'CONTENT_TYPE' => 'application/json')
  # Dump the raw response body so a Sinatra error page can be opened in a browser
  File.open('./resp_body.html', 'w') { |file| file.write(last_response.body) }
  # ...
end
```
Integration tests can be run with `helm test`. They are meant to verify that a deployed Pod has a valid Vault token mounted into its container(s). The test manifests are located in `helm/templates/tests/`.
```shell
# initialize helm / tiller
kubectl create sa tiller -n kube-system
kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account=tiller

# Create and use namespace for mutating admission webhook
kubectl create ns vault-mutating-webhook
kubectl config set-context $(kubectl config current-context) --namespace=vault-mutating-webhook
kubectl config set-context $(kubectl config current-context) --namespace=kube-system

# Install / upgrade the helm chart for testing
helm upgrade vault-mutating-webhook ./helm/ --install --recreate-pods \
  --set create_test_resources=true

# Test the helm chart installation
helm test vault-mutating-webhook --parallel --cleanup

# Cleanup the extra test resources
kubectl delete ns vault-mutating-webhook-test
kubectl delete clusterrolebinding vault-auth-delegator
```
In the future, these integration tests should be executed in a pipeline using something like `kind` or `microk8s`.
The Docker image installs Phusion Passenger Standalone and the RubyGems dependencies, and runs the Sinatra app in Passenger.

```shell
# Docker build, run, and push
docker build -t atheiman/vault-mutating-webhook .
docker run --rm -p 3000:3000 atheiman/vault-mutating-webhook
docker push atheiman/vault-mutating-webhook
```