SecretHub Kubernetes Mutating Webhook
This mutating webhook allows you to use secret references (secrethub://path/to/secret) in any container's spec, without including SecretHub in the image itself:
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  annotations:
    secrethub.io/mutate: my-app
spec:
  containers:
  - name: my-app
    image: my-image
    env:
    - name: STRIPE_SECRET_KEY
      value: secrethub://acme/app/prod/stripe/secret_key
    - name: PGPASSWORD
      value: secrethub://acme/app/prod/pg/password
You can annotate your pod spec with secrethub.io/mutate, which expects a comma-separated list of the names of the containers to mutate.
When the annotation is found:
- A volume which will hold the SecretHub CLI is created.
- An init container which copies the SecretHub CLI into the volume is created.
And for every container that is listed in the annotation:
- The volume is mounted into the container.
- The command is prefixed with <path/to/volume>/secrethub run --.
The version of the SecretHub CLI Docker image to be used can optionally be configured with secrethub.io/version: 0.39.0. If it is not set, the latest version is used. A list of available versions can be found here.
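To make the mutation concrete, here is an added Python sketch of what the webhook does to a pod object (example code written for this page, not the project's own implementation). The volume name, mount path, CLI image name and the binary's location inside that image are assumptions; a container listed in the annotation but lacking an explicit command is refused, because prefixing would silently drop the image's ENTRYPOINT.

```python
import copy

MUTATE_ANNOTATION = "secrethub.io/mutate"
VERSION_ANNOTATION = "secrethub.io/version"
VOLUME_NAME = "secrethub-cli"         # assumption: name of the volume holding the CLI
MOUNT_PATH = "/secrethub"             # assumption: where that volume is mounted
CLI_IMAGE = "secrethub/cli"           # assumption: placeholder name for the CLI image
CLI_IN_IMAGE = "/usr/bin/secrethub"   # assumption: binary location inside that image

# Constructed sample: the page's example pod plus an explicit command and an unlisted container.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "my-app", "annotations": {MUTATE_ANNOTATION: "my-app"}},
    "spec": {"containers": [
        {"name": "my-app", "image": "my-image", "command": ["/app/server"],
         "env": [{"name": "PGPASSWORD", "value": "secrethub://acme/app/prod/pg/password"}]},
        {"name": "sidecar", "image": "sidecar-image", "command": ["/sidecar"]},
    ]},
}

def mutate_pod(pod: dict) -> dict:
    # Returns a mutated deep copy; a pod without the annotation comes back unchanged.
    annotations = pod.get("metadata", {}).get("annotations", {})
    listed = annotations.get(MUTATE_ANNOTATION, "")
    targets = {name.strip() for name in listed.split(",") if name.strip()}
    if not targets:
        return pod
    version = annotations.get(VERSION_ANNOTATION, "latest")
    out = copy.deepcopy(pod)
    spec = out["spec"]
    # 1. A volume that will hold the SecretHub CLI.
    spec.setdefault("volumes", []).append({"name": VOLUME_NAME, "emptyDir": {}})
    # 2. An init container that copies the CLI from its image into that volume.
    spec.setdefault("initContainers", []).append({
        "name": "copy-secrethub",
        "image": f"{CLI_IMAGE}:{version}",
        "command": ["cp", CLI_IN_IMAGE, f"{MOUNT_PATH}/secrethub"],
        "volumeMounts": [{"name": VOLUME_NAME, "mountPath": MOUNT_PATH}],
    })
    # 3. For every listed container: mount the volume and prefix the command.
    for container in spec.get("containers", []):
        if container["name"] not in targets:
            continue
        if "command" not in container:
            # Prefixing would discard the image ENTRYPOINT; resolving it is out of scope, so refuse.
            raise ValueError(f"container {container['name']} has no explicit command")
        container.setdefault("volumeMounts", []).append({"name": VOLUME_NAME, "mountPath": MOUNT_PATH})
        container["command"] = [f"{MOUNT_PATH}/secrethub", "run", "--"] + container["command"]
    return out
```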
This project is based on and heavily inspired by Berglas’s Kubernetes Mutating Webhook.
Deploy the Webhook
The simplest method to deploy the webhook is in a serverless function. We’ve outlined the steps to take to deploy the webhook to a Google Cloud Function. We’re also working on a way to deploy the webhook in the Kubernetes cluster itself.