
Commit 6f68215

authored
feat(vault): enable k8s service registration (#1393)
1 parent 39bc80b commit 6f68215

1 file changed

+39
-0
lines changed

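--- a/vault/vault.libsonnet
+++ b/vault/vault.libsonnet
@@ -145,6 +145,41 @@ local kausal = import 'ksonnet-util/kausal.libsonnet';
 }),
 },
 
+// This enables vault pods to be labeled as 'vault-active' (Vault K8s service registration),
+// indicating whether the pod is active or in standby mode
+// See https://developer.hashicorp.com/vault/docs/v1.10.x/configuration/service-registration/kubernetes#configuration
+withServiceRegistration(namespace, serviceAccount):: {
+local role = k.rbac.v1.role,
+local policyRule = k.rbac.v1.policyRule,
+local roleBinding = k.rbac.v1.roleBinding,
+local subject = k.rbac.v1.subject,
+_config+:: { vault+: { config+: {
+service_registration+: {
+kubernetes: {},
+},
+} } },
+role: role.new()
++ role.metadata.withName('vault-role')
++ role.metadata.withNamespace(namespace)
++ role.withRules([
+policyRule.new()
++ policyRule.withApiGroups([''])
++ policyRule.withResources(['pods'])
++ policyRule.withVerbs(['get', 'update', 'patch']),
+]),
+roleBinding: roleBinding.new()
++ roleBinding.metadata.withName('vault-role-binding')
++ roleBinding.metadata.withNamespace(namespace)
++ roleBinding.roleRef.withApiGroup('rbac.authorization.k8s.io')
++ roleBinding.roleRef.withKind('Role')
++ roleBinding.roleRef.withName('vault-role')
++ roleBinding.withSubjects([
+subject.withKind('ServiceAccount')
++ subject.withName(serviceAccount)
++ subject.withNamespace(namespace),
+]),
+},
+
 local container = k.core.v1.container,
 local containerPort = k.core.v1.containerPort,
 local envVar = k.core.v1.envVar,
@@ -163,6 +198,10 @@ local kausal = import 'ksonnet-util/kausal.libsonnet';
 + container.withEnv([
 envVar.fromFieldPath('POD_IP', 'status.podIP'),
 envVar.fromFieldPath('POD_NAME', 'metadata.name'),
+// These environment variables are needed to support Vault K8s service registration
+// See https://developer.hashicorp.com/vault/docs/v1.10.x/configuration/service-registration/kubernetes#configuration
+envVar.fromFieldPath('VAULT_K8S_POD_NAME', 'metadata.name'),
+envVar.fromFieldPath('VAULT_K8S_NAMESPACE', 'metadata.namespace'),
 envVar.new(
 'VAULT_CLUSTER_ADDR',
 'https://$(POD_NAME).vault.vault.svc.cluster.local.:%s' % this._config.vault.clusterPort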
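Review bot: The Role added in the first hunk grants `get`/`update`/`patch` on every pod in `namespace`, not just Vault's own pods, so the service-account token mounted in the Vault container can relabel or patch any other pod scheduled there, while service registration only needs to update the Vault pod's own labels. Kubernetes RBAC cannot scope a rule by label, so the practical mitigations are running Vault in a namespace of its own and, where the pod names are fixed (a StatefulSet, for instance), narrowing the rule with `policyRule.withResourceNames([...])` — whether the pod names here are predictable is not visible in this hunk. At minimum the blast radius should be stated next to `role:` with a comment such as `// NOTE: pods update/patch is namespace-wide; deploy Vault in a dedicated namespace.`. The names `'vault-role'` and `'vault-role-binding'` are hard-coded, so two uses of this mixin in the same namespace would produce colliding objects; deriving them from a config value would avoid that.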
