A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers

Overview

Github CI GoReportCard GitHub go.mod Go version (subdirectory of monorepo) made-with-Go Docker License

k8s-vault-webhook is a Kubernetes admission webhook which listen for the events related to Kubernetes resources for injecting secret directly from secret manager to pod, secret, and configmap. The motive of creating this project is to provide a dynamic secret injection to containers/pods running inside Kubernetes from different secret managers for enhanced security.

Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/

The secret managers which are currently supported:-

There are some secret managers which are planned to be implemented in future.

Supported Features

  • Authentication to Hashicorp vault using Kubernetes service-account
  • RBAC implementation of vault using different policies of vault and association of policy with service-account
  • Inject secret directly to pods/containers running inside Kubernetes
  • Inject secret directly to pods/containers from AWS Secret Manager
  • Authentication with AWS Secret Manager with access key and iam role
  • Fetch secrets from Azure Key Vault and inject them in pods/containers
  • Pod AD identity and Service principal based authentication in Azure
  • Authentication with AWS Secret Manager with access key and iam role
  • Support regex to inject all secrets from a certain path of Vault
  • Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable

Architecture

Installation

k8s-vault-webhook can easily get installed by using Helm. We just simple need to add the repository of our helm charts.

$ helm repo add ot-helm https://github.com/OT-CONTAINER-KIT/helm-charts

$ helm upgrade k8s-vault-webhook ot-helm/k8s-vault-webhook --namespace <namespace> --install

If you want to pass your custom values file while installing the chart, you can find the values file here

Quickstart

For setting up a quickstart environment for demo, you can start quickstart from here

Development

If you like to contribute to this project, you are more than welcome. Please see our DEVELOPMENT.md for details.

Release History

Please see our CHANGELOG.md for details.

Contact

If you have any suggestion or query. Contact us at

[email protected]

Issues
  • Question: where is the code that talks with Hashicorp Vault?

    Question: where is the code that talks with Hashicorp Vault?

    I was glancing over the code, but couldn't find the part when using Hashicorp Vault, where you replace the pod annotations with the actual secrets? Also the example in the docs show the annotations rather than the pass - https://ot-container-kit.github.io/k8s-vault-webhook/guide/hashicorp-vault-example.html

    opened by canidam 2
  • Using the wrong logo in graphic

    Using the wrong logo in graphic

    Your logo here is for Vue.js, not Vault

    https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/blob/master/static/k8s-vault-webhook-arc.png

    https://vuejs.org/

    enhancement 
    opened by blairdrummond 0
Releases(v4.0)
Owner
Opstree Container Kit
I am placeholder for all container and its orchestration related things
Opstree Container Kit
Kubernetes Operator to sync secrets between different secret backends and Kubernetes

Vals-Operator Here at Digitalis we love vals, it's a tool we use daily to keep secrets stored securely. We also use secrets-manager on the Kubernetes

digitalis.io 57 Aug 11, 2022
The k8s-generic-webhook is a library to simplify the implementation of webhooks for arbitrary customer resources (CR) in the operator-sdk or controller-runtime.

k8s-generic-webhook The k8s-generic-webhook is a library to simplify the implementation of webhooks for arbitrary customer resources (CR) in the opera

Norwin Schnyder 6 Jul 12, 2022
Webhook-server - Webhook Server for KubeDB resources

webhook-server Webhook Server for KubeDB resources Installation To install KubeD

Kubernetes Database 1 Feb 22, 2022
Simplify Kubernetes Secrets Management with Dockhand Secrets Operator

dockhand-secrets-operator Secrets management with GitOps can be challenging in Kubernetes environments. Often engineers resort to manual secret creati

BoxBoat 14 Mar 15, 2022
Copy your HashiCorp Vault secrets to a file

Vault Backup ⚠️ Check the oficial way to backup your HashiCorp Vault. Create a backup file of all HashiCorp Vault kv2 secrets. ./vault-backup -help

Leonardo Comelli 4 Mar 30, 2022
VaultOperator provides a CRD to interact securely and indirectly with secrets stored in Hashicorp Vault.

vault-operator The vault-operator provides several CRDs to interact securely and indirectly with secrets. Details Currently only stage 1 is implemente

finleap connect 3 Mar 12, 2022
This repo contains example on how to consume secrets from Google Secret Manager from GKE

GKE Secret Manager. Environment setup This repo contains examples of how to consume secrets from Google Secret Manager (GSM) from Google Kubernetes En

Abdel SGHIOUAR 10 Aug 2, 2022
A helm v3 plugin to adopt existing k8s resources into a new generated helm chart

helm-adopt Overview helm-adopt is a helm plugin to adopt existing k8s resources into a new generated helm chart, the idea behind the plugin was inspir

Hamza ZOUHAIR 25 Jun 24, 2022
K8s-dotenv - Kubernetes Secrets and Configmaps to dot env file

k8s-dotenv A commandline tool to fetch, merge and convert secrets and config map

Sami Khan 3 Apr 22, 2022
K8s-ingress-health-bot - A K8s Ingress Health Bot is a lightweight application to check the health of the ingress endpoints for a given kubernetes namespace.

k8s-ingress-health-bot A K8s Ingress Health Bot is a lightweight application to check the health of qualified ingress endpoints for a given kubernetes

Aaron Tam 0 Jan 2, 2022
Kubernetes webhook development (validating admission webhook) tutorial using kubewebhook

pod-exec-guard-kubewebhook-tutorial Introduction This is a tutorial that shows how to develop a Kubernetes admission webhook. To explain this, the tut

Xabier Larrakoetxea Gallego 9 Jul 25, 2022
A kubernetes cni, connecting containers to neutron virtual networks.

neutron-cni A kubernetes cni, connecting containers to neutron virtual networks. Network Topology Architecture Quick Start Build make build-dev-im

null 8 May 5, 2022
Write controller-runtime based k8s controllers that read/write to git, not k8s

Git Backed Controller The basic idea is to write a k8s controller that runs against git and not k8s apiserver. So the controller is reading and writin

Darren Shepherd 50 Dec 10, 2021
K8s-cinder-csi-plugin - K8s Pod Use Openstack Cinder Volume

k8s-cinder-csi-plugin K8s Pod Use Openstack Cinder Volume openstack volume list

douyali 0 Jul 18, 2022
K8s-go-structs - All k8s API Go structs

k8s-api go types Why? Its nice to have it all in a single package. . |-- pkg |

 Aatman 3 Jul 17, 2022
webhook is a lightweight incoming webhook server to run shell commands

What is webhook? webhook is a lightweight configurable tool written in Go, that allows you to easily create HTTP endpoints (hooks) on your server, whi

Adnan Hajdarević 8k Aug 10, 2022
Tcpdump-webhook - Toy Sidecar Injection with Mutating Webhook

tcpdump-webhook A simple demonstration of Kubernetes Mutating Webhooks. Injects

Alp Kahvecioglu 2 Feb 8, 2022
A Kubernetes Operator, that helps DevOps team accelerate their journey into the cloud and K8s.

A Kubernetes Operator, that helps DevOps team accelerate their journey into the cloud and K8s. OAM operator scaffolds all of the code required to create resources across various cloud provides, which includes both K8s and Non-K8s resources

Pavan Kumar 2 Nov 30, 2021
Deploy, manage, and secure applications and resources across multiple clusters using CloudFormation and Shipa

CloudFormation provider Deploy, secure, and manage applications across multiple clusters using CloudFormation and Shipa. Development environment setup

Shipa 1 Feb 12, 2022