The vault-kubernetes-authenticator
is a small application/container that performs the HashiCorp Vault kubernetes authentication process and places the Vault token in a well-known, configurable location. It is most commonly used as an init container to supply a Vault token to applications or services that are unaware of Vault.
-
VAULT_ADDR
- the address to the Vault server, including the protocol and port (likehttps://my.vault.server:8200
). This defaults tohttps://127.0.0.1:8200
if unspecified. -
VAULT_CAPEM
- the raw PEM contents of the CA file to use for SSL verification. -
VAULT_CACERT
- the path on disk to a single CA file to use for TSL verification. -
VAULT_CAPATH
- the path on disk to a directory of CA files (non-recursive) to use for TLS verification. -
VAULT_SKIP_VERIFY
- disable SSL validation (not recommended) -
VAULT_ROLE
- Required the name of the Vault role to use for authentication. -
VAULT_NAMESPACE
- the Vault namespace, only available in Vault Enterprise -
TOKEN_DEST_PATH
- the destination path on disk to store the token. Usually this is a shared volume. Defaults to/var/run/secrets/vaultproject.io/.vault-token
. -
ACCESSOR_DEST_PATH
- the destination path on disk to store the accessor. Usually this is a shared volume. Defaults to/var/run/secrets/vaultproject.io/.vault-accessor
. -
SERVICE_ACCOUNT_PATH
- the path on disk where the kubernetes service account jtw token lives. This defaults to/var/run/secrets/kubernetes.io/serviceaccount/token
. -
VAULT_K8S_MOUNT_PATH
- the name of the mount where the Kubernetes auth method is enabled. This defaults tokubernetes
, but if you changed the mount path you will need to set this value to that path.vault auth enable -path=k8s kubernetes -> VAULT_K8S_MOUNT_PATH=k8s
---
apiVersion: v1
kind: Pod
metadata:
name: vault-auther
spec:
securityContext:
runAsUser: 1001
fsGroup: 1001
volumes:
- name: vault-auth
emptyDir:
medium: Memory
- name: vault-secrets
emptyDir:
medium: Memory
initContainers:
- name: vault-authenticator
image: sethvargo/vault-kubernetes-authenticator:0.2.0
imagePullPolicy: Always
volumeMounts:
- name: vault-auth
mountPath: /var/run/secrets/vaultproject.io
env:
- name: VAULT_ROLE
value: myapp-role
securityContext:
allowPrivilegeEscalation: false
containers:
# Your other containers would read from /home/vault/.vault-token, or set
# HOME to /home/vault
- name: consul-template
image: hashicorp/consul-template:0.19.5.alpine
volumeMounts:
- name: vault-auth
mountPath: /home/vault
- name: vault-secrets
mountPath: /var/run/secrets/vaultproject.io
env:
- name: HOME
value: /home/vault
# ...