Documentation bits.
Otávio Fernandes committed Apr 7, 2019
1 parent 73cfeb6 commit 8d58787
Showing 1 changed file with 18 additions and 6 deletions.
24 changes: 18 additions & 6 deletions README.md
@@ -27,6 +27,9 @@ Is a manifest based application to upload and download secrets from
the manifest to upload secrets, and later on use it as configuration input for downloading secrets
on applications' behalf.

Once a set of secrets is uploaded to Vault, you can `copy` them over to Kubernetes, and keep secrets
in sync by running `copy` command at later times.

You can employ `vault-handler` as a Kubernetes
[init-container](https://kubernetes.io/docs/concepts/workloads/pods/init-containers) in order to
download secrets, and have it as a command-line application to upload.
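
Review bot: the new paragraph leaves the sync semantics unstated: "keep secrets in sync by running `copy` command at later times" does not say whether a later `copy` overwrites Kubernetes Secrets that already exist, only creates the missing ones, or removes ones that were dropped from the manifest, and that is exactly what a reader relying on it for synchronisation needs to know. Suggest spelling out the behaviour in this paragraph, and changing "running `copy` command" to "running the `copy` command".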
@@ -101,14 +104,16 @@ vault-handler download --output-dir /tmp --dry-run /path/to/manifest.yaml
The following snippet is a manifest example.

``` yaml
---
secrets:
name:
path: secret/data/dir1/dir2
ingress:
path: secret/data/kube/tls
type: kubernetes.io/tls
data:
- name: foo
extension: txt
zip: false
nameAsSubPath: false
- name: tls.crt
extension: secret
- name: tls.key
extension: secret
```
Description of the options used in manifest:
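
Review bot: the rewritten example pairs `type: kubernetes.io/tls` with entries named `tls.crt` and `tls.key` that each carry `extension: secret`, but nothing here says whether the extension becomes part of the Kubernetes Secret's data keys; a `kubernetes.io/tls` Secret requires the keys to be exactly `tls.crt` and `tls.key`, so state here (or cross-reference in "File Naming Convention") how the key is derived from `name` and `extension`. The example also drops the only illustration of `zip` and `nameAsSubPath`, which the option list below still documents; consider keeping a second secret group in the example so both options remain shown.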
@@ -117,10 +122,13 @@ Description of the options used in manifest:
- `name`: arbitrary group "name". This group-name is also employed to name final files;
- `name.path`: path in Vault. When using V2 key-value store, you may need to inform
`/secret/data`, while in V1 API it would be directly `/secret`;
- `name.type`: Kubernetes secret type, used by `copy` sub-command;
- `name.data.name`: file name;
- `name.data.extension`: file extension;
- `name.data.zip`: file contents is GZIP, needs to be compressed/decompressed;
- `name.data.nameAsSubPath`: employ name as final part of the Vault path `name.path`;
- `name.data.key`: employ a alternative key name on Vault;


### File Naming Convention

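
Review bot: the two new options are documented without their defaults: `name.type` says it is used by the `copy` sub-command but not which Secret type is applied when it is omitted, and `name.data.key` does not say which key is read from Vault when it is not set, which matters because neither option appears in the manifest example above. Also "employ a alternative key name" should read "employ an alternative key name", and the hunk introduces a second consecutive blank line before "### File Naming Convention".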
@@ -148,6 +156,10 @@ Before running tests, you will need to spin up Vault in the background, and appl
configuration to enable [AppRole](https://www.vaultproject.io/docs/auth/approle.html) authentication,
and [secrets K/V store](https://www.vaultproject.io/docs/secrets/kv/index.html).

Additionally you need a Kubernetes cluster available, please consider
[minikube project](https://kubernetes.io/docs/setup/minikube/). During [CI](./.travis.yml),
[KinD](https://github.com/kubernetes-sigs/kind) project is used.

``` bash
docker-compose -d # run vault in development mode
.ci/bootstrap-vault.sh # bootstrap instance
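
Review bot: "Additionally you need a Kubernetes cluster available, please consider [minikube project]" is a comma splice; suggest "Additionally you need a Kubernetes cluster available; consider the [minikube project](...)." The paragraph also says KinD is used in CI, but the `bash` snippet that follows only starts Vault, so point to where the cluster is brought up (the referenced `.travis.yml` or a script under `.ci/`) so a contributor can reproduce the test setup locally. Unrelated to this change, but on the context line below, `docker-compose -d` is not a valid invocation; `docker-compose up -d` is the form that starts the services detached.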
