Update target application's manifest
The final step in injecting secrets into pods is to modify the manifest of the target application to include the resources that retrieve secrets and write them to the pod filesystem.
Below is an example pod manifest that retrieves the secrets at paths rootFolder/childFolder1/secretTitle and rootFolder/ from a Password Safe instance. The secret-retrieval initContainer runs before the main application starts, retrieves the target secrets, and writes their contents to files on the shared volume at /usr/src/app/secrets_files. The shared volume is an emptyDir with medium: Memory, so the secret files are held in RAM rather than written to the node's disk:
apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory
  initContainers:
    - name: secrets-agent
      image: secrets-agent:latest
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
      ports:
        - containerPort: 8000
          name: secrets-agent
      imagePullPolicy: Never
      resources:
        limits:
          memory: "400Mi"
      env:
        - name: SECRETS_PATH
          value: "/usr/src/app/secrets_files"
        - name: BT_API_URL
          value: "https://example.com:443/BeyondTrust/api/public/v3"
        - name: BT_API_KEY
          value: "<API-KEY>;runas=username;"
        - name: SECRETS_LIST
          value: "rootFolder/childFolder1/secretTitle"
        - name: FOLDER_LIST
          value: "rootFolder/childFolder2/"
        - name: MANAGED_ACCOUNTS_LIST
          value: "Server2016Standard/serveruser1"
        - name: BT_VERIFY_CA
          value: "True"
  containers:
    # Placeholder for the main application container (not shown in the original
    # manifest): a pod must declare at least one container, and this is the one
    # that reads the secret files from the shared volume.
    - name: application
      image: <application-image>
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
          readOnly: true
Below is an example pod manifest that retrieves the secrets at paths rootFolder/childFolder1/secretTitle and rootFolder/ from a Password Safe instance. Here the secret-retrieval agent runs as a sidecar alongside the main application, retrieves the target secrets, writes their contents to files on the shared volume at /usr/src/app/secrets_files, and re-polls Password Safe at the interval set by POLLING_WAIT_BETWEEN_REQUESTS_MINUTES:
apiVersion: v1
kind: Pod
metadata:
  name: passwordsafe-integration
spec:
  volumes:
    - name: secrets
      emptyDir:
        medium: Memory
  containers:
    - name: secrets-agent-sidecar
      image: secrets-agent:latest
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
      ports:
        - containerPort: 8000
          name: secrets-agent
      imagePullPolicy: Never
      resources:
        limits:
          memory: "400Mi"
      env:
        - name: SECRETS_PATH
          value: "/usr/src/app/secrets_files"
        - name: BT_API_URL
          value: "https://example.com:443/BeyondTrust/api/public/v3"
        - name: BT_API_KEY
          value: "<API-KEY>;runas=username;"
        - name: SECRETS_LIST
          value: "rootFolder/childFolder1/secretTitle"
        - name: FOLDER_LIST
          value: "rootFolder/childFolder2/"
        - name: MANAGED_ACCOUNTS_LIST
          value: "Server2016Standard/serveruser1"
        - name: POLLING_WAIT_BETWEEN_REQUESTS_MINUTES
          value: "20"
        - name: BT_VERIFY_CA
          value: "True"
    # Placeholder for the main application container (not shown in the original
    # manifest); it reads the secret files the sidecar keeps refreshed on the
    # shared volume.
    - name: application
      image: <application-image>
      volumeMounts:
        - name: secrets
          mountPath: /usr/src/app/secrets_files
          readOnly: true
After saving the pod manifest to a .yaml file named secret-retrieval-example.yaml, apply it to the cluster with kubectl apply -f secret-retrieval-example.yaml. This creates the pod on the cluster. Because the manifests set imagePullPolicy: Never, the secrets-agent image must already be present on the node; the pod will not pull it from a registry.
Use kubectl to watch the pod start and confirm that the secrets-agent container has started from its image. Then verify that the target secret contents were injected into /usr/src/app/secrets_files by running kubectl exec -it <pod-name> sh to open an interactive shell inside the running pod, changing to the /usr/src/app/secrets_files directory, and inspecting the files there.
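Before applying either manifest, it is worth checking the properties that make this injection pattern safe: the shared emptyDir is memory-backed, BT_VERIFY_CA is True, the application mounts the secrets volume read-only, and the BT_API_KEY is not a literal in the manifest (the page's "<API-KEY>" placeholder should come from a Kubernetes Secret via valueFrom.secretKeyRef). The audit below is an added example, not code from the page or from the Password Safe agent; it works on the manifest as a Python dict so it needs no YAML library, and the Secret name passwordsafe-api, its key api-key, and the application container are placeholders.

```python
import copy
# Constructed sample mirroring the page's initContainer manifest, kept as a dict so the
# check needs no YAML library; "application"/"<application-image>" stand in for the workload.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "passwordsafe-integration"},
    "spec": {
        "volumes": [{"name": "secrets", "emptyDir": {"medium": "Memory"}}],
        "initContainers": [{"name": "secrets-agent", "image": "secrets-agent:latest",
            "volumeMounts": [{"name": "secrets", "mountPath": "/usr/src/app/secrets_files"}],
            "env": [{"name": "BT_API_KEY", "value": "<API-KEY>;runas=username;"},
                    {"name": "BT_VERIFY_CA", "value": "True"}]}],
        "containers": [{"name": "application", "image": "<application-image>",
            "volumeMounts": [{"name": "secrets", "mountPath": "/usr/src/app/secrets_files"}]}]}}

def shared_volumes(spec):  # emptyDir volumes, i.e. the page's shared secrets volume
    return {v["name"] for v in spec.get("volumes", []) if "emptyDir" in v}

def audit_pod(pod):
    """Return findings for the page's injection pattern; an empty list means it passes."""
    spec, out = pod["spec"], []
    for v in spec.get("volumes", []):
        if "emptyDir" in v and v["emptyDir"].get("medium") != "Memory":
            out.append(f"volume {v['name']}: not memory-backed, secrets could reach node disk")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        env = {e["name"]: e for e in c.get("env", [])}
        is_agent = "BT_API_KEY" in env  # the secrets-agent is the container holding the API key
        if is_agent and "value" in env["BT_API_KEY"]:
            out.append(f"{c['name']}: BT_API_KEY is a literal, use valueFrom.secretKeyRef")
        if is_agent and env.get("BT_VERIFY_CA", {}).get("value") != "True":
            out.append(f"{c['name']}: BT_VERIFY_CA is not True, API TLS cert goes unverified")
        for m in c.get("volumeMounts", []):
            if not is_agent and m["name"] in shared_volumes(spec) and not m.get("readOnly"):
                out.append(f"{c['name']}: mount {m['name']} should be readOnly")
    return out

def hardened_copy(pod, secret_name="passwordsafe-api", secret_key="api-key"):
    """Copy with BT_API_KEY moved to a Secret reference (placeholder names) and the app's mount read-only."""
    pod = copy.deepcopy(pod)
    spec = pod["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        env = {e["name"]: e for e in c.get("env", [])}
        if "BT_API_KEY" in env:
            env["BT_API_KEY"].pop("value", None)
            env["BT_API_KEY"]["valueFrom"] = {"secretKeyRef": {"name": secret_name, "key": secret_key}}
        else:
            for m in c.get("volumeMounts", []):
                if m["name"] in shared_volumes(spec):
                    m["readOnly"] = True
    return pod
```

Running audit_pod on the sample reports the literal API key and the writable application mount; hardened_copy fixes both and the audit of the copy comes back empty.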