Warning: This project is in alpha phase and breaking changes are usual.

Kubevaulter are helper tools to handle secrets stored in vault inside your kubernetes cluster.

For authentication against vault, kubevaulter-init uses the Kubernetes service account token mounted by default into each pod by Kubernetes automatically. The token should reside under /var/run/secrets/kubernetes.io/serviceaccount/token and is signed by the Kubernetes signing CA

To use these tools vault must be correctly configured and
reachable from within the kubernetes cluster. kubernetes must support RBAC

and the api-server must be started with the flags --authorization-mode=RBAC and --service-account-lookup.

Also the correct service accounts and clusterRoles and RoleBindings must exist

This ClusterRole should exist by default, if not it has to be created.

- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:auth-delegator
  rules:
  - apiGroups:
    - authentication.k8s.io
    resources:
    - tokenreviews
    verbs:
    - create
  - apiGroups:
    - authorization.k8s.io
    resources:
    - subjectaccessreviews
    verbs:
    - create

One service account need to exist with which vault authenticates against the kubernetes api.

apiVersion: v1
kind: ServiceAccount
metadata:
 name: vault-auth

For each pod that accesses secrets in vault, a service account should exist to authenticate against vault. This can also be the default namespace service account, depending on the needs.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
 name: role-tokenreview-binding
 namespace: default
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: system:auth-delegator
subjects:
- kind: ServiceAccount
 name: vault-auth
 namespace: default

To use authentication via service account tokens, the Kubernetes Auth Backend must be enabled and configured correctly. Also policies must exist to manage access of the role to vault secret paths

$ vault auth-enable kubernetes
Successfully enabled 'kubernetes' at 'kubernetes'!

vault write auth/kubernetes/role/DEMO \
    bound_service_account_names=DEMO-SA\
    bound_service_account_namespaces=DEMO-NS \
    policies=DEMO-POLICY \
    ttl=1h

path "secret/*" {
  capabilities = ["create"]
}

path "secret/foo" {
  capabilities = ["read"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

To configure Kubevaulter, a config file called config in yaml, toml or json format must exist in . or ./config folder of the containers. The location could be overwritten by specifying the environment variable KV_ the general config looks like this

logging:
  logLevel: "debug" #defaults to "info"
  logFormat: "json" #default to "text"
  
vault:
  endpointUrl: "http://localhost:8200"
  secretBackend: "demo-secret" # defaults to "secret" 
  role: "DEMO"
  jwtPath:  "/var/run/secrets/kubernetes.io/serviceaccount/token"  # defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token" 
  failOnEmptySecret: true
  authPath: auth/foo/login # defaults to auth/kubernetes/login
  caCert:

• kubevaulter-init an init container to render vault secrets into templates from specific path in the pod filesystem
• kubevaulter-recursive an init container to recursively traverse through a folder structure and rendereing templates with secret values from vault
• kubevaulter-generator creates random strings and stores them in specified vault paths
• kubevaulter-executor executing applications inside the container while providing secret values from vault as parameters to this application