This chart installs a mutating admission webhook that injects an executable into the containers of a Deployment/StatefulSet; that executable can then request secrets from Vault based on environment variable definitions.
Before you install this chart you must create a namespace for it. This is due to the order in which the resources in the chart are applied: Helm collects all of the resources in a given chart and its dependencies, groups them by resource type, and then installs them in a predefined order (see here - Helm 2.10).

The MutatingWebhookConfiguration gets created before the backend Pod that serves as the webhook itself. Kubernetes would then try to mutate that Pod as well, but the webhook is not ready to mutate anything yet (infinite recursion in logic).
The namespace must have a label named `name` with the namespace name as its value.
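The manifests below are an added illustration, not the chart's own templates, of what that label is for: a webhook whose namespaceSelector excludes the namespace labelled `name: vswh` is never asked to mutate its own Pod, which is what breaks the recursion described above. The webhook name, service path, rules and failurePolicy shown here are assumptions for the illustration; the chart renders its own configuration.

```yaml
# Added example, not the chart's own template. The namespace name `vswh`
# matches the default used by the install commands in this README.
apiVersion: v1
kind: Namespace
metadata:
  name: vswh
  labels:
    name: vswh          # the label the webhook's namespaceSelector keys on
---
# Illustrative MutatingWebhookConfiguration (assumed shape, not rendered by the chart):
# the `name NotIn [vswh]` selector keeps the webhook's own namespace out of scope.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-secrets-webhook
webhooks:
- name: pods.vault-secrets-webhook.example.org   # hypothetical webhook name
  clientConfig:
    service:
      namespace: vswh
      name: vault-secrets-webhook            # the service.name default from the table below
      path: /pods                            # assumed path
    caBundle: "<base64 CA bundle, placeholder>"
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
  namespaceSelector:
    matchExpressions:
    - key: name
      operator: NotIn
      values: ["vswh"]
  sideEffects: None
  admissionReviewVersions: ["v1"]
  # Ignore lets Pods in selected namespaces start unmutated (without their secrets) while the
  # webhook is down; Fail blocks them instead. Choose deliberately for your environment.
  failurePolicy: Ignore
```

If the label is missing, the `NotIn` expression does not match the webhook's own namespace, the API server sends the webhook Pod's own creation to the webhook, and the Pod can never become ready.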
```bash
# set the target namespace name or skip for the default name: vswh
# replace <namespace> with your target namespace
export WEBHOOK_NS="<namespace>"
WEBHOOK_NS=${WEBHOOK_NS:-vswh}
kubectl create namespace "${WEBHOOK_NS}"
kubectl label ns "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
```
```bash
$ helm repo add banzaicloud-stable http://kubernetes-charts.banzaicloud.com/branch/master
$ helm repo update
$ helm upgrade --namespace vswh --install vswh banzaicloud-stable/vault-secrets-webhook
```
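Once the webhook is running, a workload in a namespace it watches asks for a secret the way the introduction describes: by reference in an environment variable. The Deployment below is an added example, not part of this chart's README; the annotation keys and the `vault:` value prefix are the webhook's documented conventions as I know them, and the Vault address, role, service account and secret path are placeholders.

```yaml
# Added example, not part of this chart's README. Shows a workload in a
# namespace the webhook watches (not `vswh`) asking for a secret by reference.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-secrets
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-secrets
  template:
    metadata:
      labels:
        app: hello-secrets
      annotations:
        # Assumed webhook annotations; values are placeholders for your Vault.
        vault.security.banzaicloud.io/vault-addr: "https://vault.vault.svc:8200"
        vault.security.banzaicloud.io/vault-role: "default"
    spec:
      serviceAccountName: default     # the Vault Kubernetes-auth role must be bound to this SA
      containers:
      - name: app
        image: alpine:3.18
        # Only confirms the variable is populated; never echo the secret itself into logs.
        command: ["sh", "-c", "test -n \"$DB_PASSWORD\" && echo secret injected; sleep 3600"]
        env:
        # The Pod spec (and etcd) stores only this reference; the injected executable
        # resolves it from Vault at container start and hands the real value to the process.
        - name: DB_PASSWORD
          value: "vault:secret/data/myapp/db#password"   # KV v2 path#key, placeholder path
```

The security property worth checking after installing: `kubectl get pod -o yaml` on the running Pod still shows the `vault:` reference, not the secret value, and no Kubernetes Secret object was created for it.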
The following table lists the configurable parameters of the vault-secrets-webhook chart and their default values.
Parameter | Description | Default |
---|---|---|
affinity | affinities to use | {} |
debug | debug logs for webhook | false |
image.pullPolicy | image pull policy | IfNotPresent |
image.repository | image repo that contains the admission server | banzaicloud/vault-secrets-webhook |
image.tag | image tag | latest |
nodeSelector | node selector to use | {} |
replicaCount | number of replicas | 1 |
resources | resources to request | {} |
service.externalPort | webhook service external port | 443 |
service.internalPort | webhook service internal port | 443 |
service.name | webhook service name | vault-secrets-webhook |
service.type | webhook service type | ClusterIP |
tolerations | tolerations to add | [] |
rbac.enabled | use rbac | true |
rbac.psp.enabled | use pod security policy | false |