SecretHub Kubernetes Mutating Webhook

This mutating webhook allows you to use secret references (secrethub://path/to/secret) in any containers spec, without including SecretHub in the image itself:

apiVersion: v1
kind: Pod
  name: my-app
  annotations: my-app
    - name: my-app
      image: my-image
        - name: STRIPE_SECRET_KEY
          value: secrethub://acme/app/prod/stripe/secret_key
        - name: PGPASSWORD
          value: secrethub://acme/app/prod/pg/password

You can annotate your pod spec with which expects a comma separated list of the names of the containers to mutate.

When the annotation is found:

  • A volume which will hold the SecretHub CLI is created.
  • An init container which copies the SecretHub CLI into the volume is created.

And for every container that is listed in the annotation:

  • The volume is mounted to the container.
  • The command is prefixed with <path/to/volume>/secrethub run --.

The version of the SecretHub CLI Docker image to be used can optionally be configured with, e.g. 0.39.0. If it is not set, the latest version is used. A list of available versions can be found here.


This project is based on and heavily inspired by Berglas’s Kubernetes Mutating Webhook.

Deploy the Webhook

The simplest method to deploy the webhook is in a serverless function. We’ve outlined the steps to take to deploy the webhook to a Google Cloud Function. We’re also working on a way to deploy the webhook in the Kubernetes cluster itself.