+4

apps/test/example/production.yaml

reviewed

··· 10 10 image: 11 11 repository: zot.zot.svc.cluster.local/example-service 12 12 tag: 828c31f942e8913ab2af53a2841c180586c5b7e1 13 13 + env: 14 14 + # TODO this secret was created manually in vault 15 15 + # vault kv put secret/test/example MANUALLY_CREATED_EXAMPLE_SECRET=s3cr3t 16 16 + EXAMPLE_SECRET: vault:secret/data/test/example#MANUALLY_CREATED_EXAMPLE_SECRET 13 17 service: 14 18 main: 15 19 controller: main

-25

infra/_modules/bootstrap/vault-test.yaml

reviewed

··· 1 1 - # TODO vault kv put secret/demosecret/aws AWS_SECRET_ACCESS_KEY=s3cr3t 2 2 - # TODO kubectl apply -f test-vault.yaml 3 3 - apiVersion: apps/v1 4 4 - kind: Deployment 5 5 - metadata: 6 6 - name: vault-test 7 7 - namespace: default 8 8 - spec: 9 9 - replicas: 1 10 10 - selector: 11 11 - matchLabels: 12 12 - app.kubernetes.io/name: vault 13 13 - template: 14 14 - metadata: 15 15 - labels: 16 16 - app.kubernetes.io/name: vault 17 17 - spec: 18 18 - serviceAccountName: default 19 19 - containers: 20 20 - - name: alpine 21 21 - image: alpine 22 22 - command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"] 23 23 - env: 24 24 - - name: AWS_SECRET_ACCESS_KEY 25 25 - value: vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY

+2 -2

infra/_modules/bootstrap/vault.tf

reviewed

··· 135 135 { 136 136 # TODO optimize this 137 137 name = "default" 138 138 - bound_service_account_names = ["default"] 139 139 - bound_service_account_namespaces = ["default"] 138 138 + bound_service_account_names = ["*"] 139 139 + bound_service_account_namespaces = ["*"] 140 140 policies = ["allow_secrets"] 141 141 ttl = "1h" 142 142 }