apiVersion: apps/v1beta1 kind: Deployment metadata: name: vault-dynamic-secrets-rails labels: app: vault-dynamic-secrets-rails spec: replicas: 3 template: metadata: labels: app: vault-dynamic-secrets-rails spec: serviceAccountName: postgres-vault initContainers: - name: vault-init image: everpeace/curl-jq command: - "sh" - "-c" - > KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token); curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "postgres"}' http://errant-mandrill-vault:8200/v1/auth/kubernetes/login | jq -j '.auth.client_token' > /etc/vault/token; X_VAULT_TOKEN=$(cat /etc/vault/token); curl --header "X-Vault-Token: $X_VAULT_TOKEN" http://errant-mandrill-vault:8200/v1/database/creds/postgres-role > /etc/app/creds.json; volumeMounts: - name: app-creds mountPath: /etc/app - name: vault-token mountPath: /etc/vault containers: - name: rails image: gmaliar/vault-dynamic-secrets-rails:0.0.1 imagePullPolicy: Always ports: - containerPort: 3000 resources: limits: memory: "50Mi" cpu: "100m" volumeMounts: - name: app-creds mountPath: /etc/app - name: vault-manager image: everpeace/curl-jq command: - "sh" - "-c" - > X_VAULT_TOKEN=$(cat /etc/vault/token); VAULT_LEASE_ID=$(cat /etc/app/creds.json | jq -j '.lease_id'); while true; do curl --request PUT --header "X-Vault-Token: $X_VAULT_TOKEN" --data '{"lease_id": "'"$VAULT_LEASE_ID"'", "increment": 3600}' http://errant-mandrill-vault:8200/v1/sys/leases/renew; sleep 3600; done lifecycle: preStop: exec: command: - "sh" - "-c" - > X_VAULT_TOKEN=$(cat /etc/vault/token); VAULT_LEASE_ID=$(cat /etc/app/creds.json | jq -j '.lease_id'); curl --request PUT --header "X-Vault-Token: $X_VAULT_TOKEN" --data '{"lease_id": "'"$VAULT_LEASE_ID"'"}' http://errant-mandrill-vault:8200/v1/sys/leases/revoke; volumeMounts: - name: app-creds mountPath: /etc/app - name: vault-token mountPath: /etc/vault volumes: - name: app-creds emptyDir: {} - name: vault-token emptyDir: {}