Merge pull request #12 from patoarvizu/mount_secret

Add option to mount secret on Vault agent container

README.md

@@ -10,6 +10,7 @@
         - [Configuring the webhook](#configuring-the-webhook)
         - [Webhook command-line flags](#webhook-command-line-flags)
         - [ConfigMap](#configmap)
+        - [Auto-mount CA cert](#auto-mount-ca-cert)
         - [Init containers](#init-containers)
         - [Metrics](#metrics)
     - [For security nerds](#for-security-nerds)
@@ -102,6 +103,8 @@ Flag | Description | Default
 `-kubernetes-auth-path` | Path to Vault Kubernetes auth endpoint | `auth/kubernetes`
 `-vault-image-version` | Tag on the 'vault' Docker image to inject with the sidecar | `1.3.0`
 `-default-config-map-name` | The name of the ConfigMap to be used for the Vault agent configuration by default, unless overwritten by annotation | `vault-agent-config`
+`-mount-ca-cert-secret` | Indicate if the Secret indicated by the -ca-cert-secret-name flag should be mounted on the Vault agent container | `false`
+`-ca-cert-secret-name` | The name of the secret in the target namespace to mount and use as a CA cert | `vault-tls`
 `-cpu-request` | The amount of CPU units to request for the Vault agent sidecar") | `50m`
 `-cpu-limit` | The amount of CPU units to limit to on the Vault agent sidecar") | `100m`
 `-memory-request` | The amount of memory units to request for the Vault agent sidecar") | `128Mi`
@@ -119,6 +122,10 @@ Environment variable | Value
 `TARGET_VAULT_ADDRESS` | The value of the `-target-vault-address` parameter (or its default)
 `KUBERNETES_AUTH_PATH` | The value of the `-kubernetes-auth-path` parameter (or its default)
 
+### Auto-mount CA cert
+
+If enabled with the `-mount-ca-cert-secret` flag, the webhook can automatically create a volume from the secret indicated by the `-ca-cert-secret-name` flag. The volume will then be mounted at `/opt/vault/certs/` on the Vault agent container **only**, so the `vault-agent-config.hcl` file can use the [`ca_cert` field](https://www.vaultproject.io/docs/agent/index.html#inlinecode-ca_cert-string-optional-1) in the `vault` stanza, instead of skipping verification with `tls_skip_verify = true`.
+
 ### Init containers
 
 Alternatively, the webhook can inject the Vault agent as an init container instead of a sidecar, which is useful for short-lived workloads, like `Job`s and `CronJob`s. In that case, the init container should use a configuration that has `exit_after_auth = true` so the init container exists after authenticating and doesn't remain long-lived. Doing so, would cause the container to never exit past the init container phase. The config file should also contain at least one [file sink](https://www.vaultproject.io/docs/agent/autoauth/sinks/file.html). The webhook will also modify the containers to mount an additional volume on `/vault-agent` that can be used as a file sink.

cmd/webhook.go

@@ -26,6 +26,7 @@ const (
 	configMapOverrideAnnotation = "agent-config-map"
 	vaultAgentVolumeMountName   = "vault-agent"
 	vaultAgentVolumeMountPath   = "/vault-agent"
+	caCertMountPath             = "/opt/vault/certs"
 )
 
 type webhookCfg struct {
@@ -42,6 +43,8 @@ type webhookCfg struct {
 	cpuLimit             string
 	memoryRequest        string
 	memoryLimit          string
+	mountCACertSecret    bool
+	caCertSecretName     string
 }
 
 var cfg = &webhookCfg{}
@@ -128,6 +131,23 @@ func injectVaultSidecar(_ context.Context, obj metav1.Object) (bool, error) {
 		},
 	)
 
+	if cfg.mountCACertSecret {
+		defaultMode := int32(0644)
+		optional := bool(true)
+		pod.Spec.Volumes = append(pod.Spec.Volumes,
+			corev1.Volume{
+				Name: cfg.caCertSecretName,
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName:  cfg.caCertSecretName,
+						Optional:    &optional,
+						DefaultMode: &defaultMode,
+					},
+				},
+			},
+		)
+	}
+
 	if injectionMode == initContainerInjectionMode {
 		pod.Spec.Volumes = append(pod.Spec.Volumes,
 			corev1.Volume{
@@ -177,6 +197,21 @@ func injectVaultSidecar(_ context.Context, obj metav1.Object) (bool, error) {
 		},
 	})
 
+	caCertVolumeMount := corev1.VolumeMount{
+		Name:      cfg.caCertSecretName,
+		MountPath: caCertMountPath,
+		ReadOnly:  true,
+	}
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "vault-config",
+			MountPath: "/etc/vault",
+		},
+		serviceAccountMount,
+	}
+	if cfg.mountCACertSecret {
+		volumeMounts = append(volumeMounts, caCertVolumeMount)
+	}
 	if injectionMode == sidecarInjectionMode {
 		pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{
 			Name:  "vault-agent",
@@ -185,13 +220,7 @@ func injectVaultSidecar(_ context.Context, obj metav1.Object) (bool, error) {
 				"agent",
 				"-config=/etc/vault/vault-agent-config.hcl",
 			},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      "vault-config",
-					MountPath: "/etc/vault",
-				},
-				serviceAccountMount,
-			},
+			VolumeMounts: volumeMounts,
 			Resources: corev1.ResourceRequirements{
 				Limits: corev1.ResourceList{
 					corev1.ResourceCPU:    resource.MustParse(cfg.cpuLimit),
@@ -211,17 +240,10 @@ func injectVaultSidecar(_ context.Context, obj metav1.Object) (bool, error) {
 				"agent",
 				"-config=/etc/vault/vault-agent-config.hcl",
 			},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      "vault-config",
-					MountPath: "/etc/vault",
-				},
-				{
-					Name:      vaultAgentVolumeMountName,
-					MountPath: vaultAgentVolumeMountPath,
-				},
-				serviceAccountMount,
-			},
+			VolumeMounts: append(volumeMounts, corev1.VolumeMount{
+				Name:      vaultAgentVolumeMountName,
+				MountPath: vaultAgentVolumeMountPath,
+			}),
 			Resources: corev1.ResourceRequirements{
 				Limits: corev1.ResourceList{
 					corev1.ResourceCPU:    resource.MustParse(cfg.cpuLimit),
@@ -255,6 +277,8 @@ func main() {
 	fl.StringVar(&cfg.kubernetesAuthPath, "kubernetes-auth-path", "auth/kubernetes", "Path to Vault Kubernetes auth endpoint")
 	fl.StringVar(&cfg.vaultImageVersion, "vault-image-version", "1.3.0", "Tag on the 'vault' Docker image to inject with the sidecar")
 	fl.StringVar(&cfg.defaultConfigMapName, "default-config-map-name", "vault-agent-config", "The name of the ConfigMap to be used for the Vault agent configuration by default, unless overwritten by annotation")
+	fl.BoolVar(&cfg.mountCACertSecret, "mount-ca-cert-secret", false, "Indicate if the Secret indicated by the -ca-cert-secret-name flag should be mounted on the Vault agent container")
+	fl.StringVar(&cfg.caCertSecretName, "ca-cert-secret-name", "vault-tls", "The name of the secret in the target namespace to mount and use as a CA cert")
 	fl.StringVar(&cfg.cpuRequest, "cpu-request", "50m", "The amount of CPU units to request for the Vault agent sidecar")
 	fl.StringVar(&cfg.cpuLimit, "cpu-limit", "100m", "The amount of CPU units to limit to on the Vault agent sidecar")
 	fl.StringVar(&cfg.memoryRequest, "memory-request", "128Mi", "The amount of memory units to request for the Vault agent sidecar")