Update target application's manifest

The final step in injecting secrets into pods is to modify the manifest of the target application to include the resources that retrieve secrets and write them to the pod filesystem.

Below is an example pod manifest that runs the secret-retrieval agent as an initContainer. Through the SECRETS_LIST, FOLDER_LIST, and MANAGED_ACCOUNTS_LIST variables it retrieves the secret rootFolder/childFolder1/secretTitle, the folder rootFolder/childFolder2/, and the managed account Server2016Standard/serveruser1 from a Password Safe instance. The initContainer runs to completion before the main application starts and writes the retrieved contents to files on the shared in-memory volume at /usr/src/app/secrets_files. The target application's own container is not shown here; add it under spec.containers with a volumeMount for the same secrets volume so that it can read the files:

apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory
  initContainers:
  - name: secrets-agent
    image: secrets-agent:latest
    volumeMounts:
      - name: secrets
        mountPath: /usr/src/app/secrets_files
    ports:
      - containerPort: 8000
        name: secrets-agent
    imagePullPolicy: Never
    resources:
      limits:
        memory: "400Mi"
    env:
    - name: SECRETS_PATH
      value: "/usr/src/app/secrets_files"
    - name: BT_API_URL
      value: "https://example.com:443/BeyondTrust/api/public/v3"
    - name: BT_API_KEY
      value: "<API-KEY>;runas=username;"
    - name: SECRETS_LIST
      value: "rootFolder/childFolder1/secretTitle"
    - name: FOLDER_LIST
      value: "rootFolder/childFolder2/"
    - name: MANAGED_ACCOUNTS_LIST
      value: "Server2016Standard/serveruser1"
    - name: BT_VERIFY_CA
      value: "True"

Below is an example pod manifest that runs the same agent as a sidecar container. It retrieves the same secret, folder, and managed account as the initContainer example above, but runs alongside the main application for the life of the pod, polling Password Safe repeatedly and waiting POLLING_WAIT_BETWEEN_REQUESTS_MINUTES (20 here) between requests, so the files on the shared volume at /usr/src/app/secrets_files are refreshed after the initial retrieval. As above, the target application's own container must be added under spec.containers with a volumeMount for the secrets volume:

apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory
  containers:
  - name: secrets-agent-sidecar
    image: secrets-agent:latest
    volumeMounts:
      - name: secrets
        mountPath: /usr/src/app/secrets_files
    ports:
      - containerPort: 8000
        name: secrets-agent
    imagePullPolicy: Never
    resources:
      limits:
        memory: "400Mi"
    env:
    - name: SECRETS_PATH
      value: "/usr/src/app/secrets_files"
    - name: BT_API_URL
      value: "https://example.com:443/BeyondTrust/api/public/v3"
    - name: BT_API_KEY
      value: "<API-KEY>;runas=username;"
    - name: SECRETS_LIST
      value: "rootFolder/childFolder1/secretTitle"
    - name: FOLDER_LIST
      value: "rootFolder/childFolder2/"
    - name: MANAGED_ACCOUNTS_LIST
      value: "Server2016Standard/serveruser1"
    - name: POLLING_WAIT_BETWEEN_REQUESTS_MINUTES
      value: "20"
    - name: BT_VERIFY_CA
      value: "True"

After saving either of the above pod manifests to a file named secret-retrieval-example.yaml, apply it to the cluster with kubectl apply -f secret-retrieval-example.yaml. This creates the pod on the cluster.

Because imagePullPolicy is Never, the secrets-agent image is not pulled from a registry and must already be present on the node. Confirm that the agent container started (and, for the initContainer variant, completed) with kubectl get pod passwordsafe-integration and kubectl describe pod passwordsafe-integration. Then verify that the target secret contents were written to /usr/src/app/secrets_files by opening a shell in a container that mounts the volume: kubectl exec -it passwordsafe-integration -c <container-name> -- sh, where <container-name> is the application container (an initContainer has already exited by the time the pod is Running, so it cannot be exec'd into). From there, change to /usr/src/app/secrets_files and inspect the contents of the files in that directory.
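Both manifests above place the Password Safe API key in a plaintext env value, so anyone who can read the pod spec (for example with kubectl get pod -o yaml) can read the key. The following is an added example, not code from the original page or from the BeyondTrust project: it is the initContainer variant completed with the target application's own container and with BT_API_KEY sourced from a Kubernetes Secret. The Secret name passwordsafe-api-key, its key api-key, the container name app, and the image placeholder <application-image> are assumptions for illustration; the Password Safe paths and agent variables are the page's own.

```yaml
# Added example (not from the original page or the BeyondTrust project).
# Assumed names: Secret "passwordsafe-api-key" with key "api-key",
# application container "app", image placeholder <application-image>.
apiVersion: v1
kind: Secret
metadata:
  name: passwordsafe-api-key
type: Opaque
stringData:
  # Same value the page puts directly in BT_API_KEY; the runas= suffix is preserved.
  api-key: "<API-KEY>;runas=username;"
---
apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory          # tmpfs: the secret files never reach node disk
  initContainers:
    - name: secrets-agent
      image: secrets-agent:latest
      imagePullPolicy: Never    # image must already exist on the node
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
      resources:
        limits:
          memory: "400Mi"
      env:
        - name: SECRETS_PATH
          value: "/usr/src/app/secrets_files"
        - name: BT_API_URL
          value: "https://example.com:443/BeyondTrust/api/public/v3"
        - name: BT_API_KEY
          valueFrom:            # key is read from the Secret, not written into the pod spec
            secretKeyRef:
              name: passwordsafe-api-key
              key: api-key
        - name: SECRETS_LIST
          value: "rootFolder/childFolder1/secretTitle"
        - name: FOLDER_LIST
          value: "rootFolder/childFolder2/"
        - name: MANAGED_ACCOUNTS_LIST
          value: "Server2016Standard/serveruser1"
        - name: BT_VERIFY_CA
          value: "True"
  containers:
    - name: app                 # the target application (assumed name and image)
      image: "<application-image>"
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
          readOnly: true        # the application only needs to read the files
```

Apply both objects with a single kubectl apply -f against this file. Moving the key into a Secret takes it out of the pod spec and out of kubectl describe output, but it is still readable by any principal with get or list on Secrets in the namespace, so restrict that with RBAC. The readOnly mount on the application container keeps it from altering or deleting the files the agent wrote, and because the emptyDir is memory-backed, its contents count against the containers' memory limits.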