feat: vault-env -> secret-init, vault-secrets-webhook -> secrets-webh…

…ook (#388) * feat(go code) vault-env -> secret-init Signed-off-by: Bence Csati <[email protected]> * run: make generate Signed-off-by: Bence Csati <[email protected]> * feat(crs) vault-env -> secret-init, vault-secrets-webhook -> secrets-webhook Signed-off-by: Bence Csati <[email protected]> --------- Signed-off-by: Bence Csati <[email protected]>
bank-vaults · Mar 20, 2024 · e37243b · e37243b
1 parent b30fd4e
commit e37243b
Show file tree

Hide file tree

Showing 38 changed files with 1,196 additions and 160 deletions.
diff --git a/deploy/charts/vault-operator/crds/crd.yaml b/deploy/charts/vault-operator/crds/crd.yaml
diff --git a/deploy/crd/bases/vault.banzaicloud.com_vaults.yaml b/deploy/crd/bases/vault.banzaicloud.com_vaults.yaml
diff --git a/deploy/dev/microk8s/dev.yaml b/deploy/dev/microk8s/dev.yaml
@@ -97,7 +97,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["vault-secrets-webhook", "vault", "default"]
+            bound_service_account_names: ["secrets-webhook", "vault", "default"]
             bound_service_account_namespaces: ["vault-infra", "app"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -129,7 +129,7 @@ spec:
               generate_lease: true
               ttl: 1m
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
     - name: VAULT_STORAGE_FILE

diff --git a/deploy/dev/multi-dc/aws/cr-primary.yaml b/deploy/dev/multi-dc/aws/cr-primary.yaml
@@ -81,7 +81,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -135,7 +135,7 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: info
 

diff --git a/deploy/dev/multi-dc/aws/cr-secondary.yaml b/deploy/dev/multi-dc/aws/cr-secondary.yaml
@@ -75,7 +75,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -87,7 +87,7 @@ spec:
         options:
           version: 2
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: info
 

diff --git a/deploy/dev/multi-dc/aws/cr-tertiary.yaml b/deploy/dev/multi-dc/aws/cr-tertiary.yaml
@@ -72,7 +72,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -84,7 +84,7 @@ spec:
         options:
           version: 2
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: info
 

diff --git a/deploy/dev/multi-dc/test/cr-primary.yaml b/deploy/dev/multi-dc/test/cr-primary.yaml
@@ -74,7 +74,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -128,6 +128,6 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: info
diff --git a/deploy/dev/multi-dc/test/cr-secondary.yaml b/deploy/dev/multi-dc/test/cr-secondary.yaml
@@ -68,7 +68,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -80,7 +80,7 @@ spec:
         options:
           version: 2
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: info
 

diff --git a/deploy/dev/multi-dc/test/cr-tertiary.yaml b/deploy/dev/multi-dc/test/cr-tertiary.yaml
@@ -68,7 +68,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -80,7 +80,7 @@ spec:
         options:
           version: 2
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: info
 

diff --git a/deploy/examples/cr-aws-server-side-encryption.yaml b/deploy/examples/cr-aws-server-side-encryption.yaml
@@ -52,7 +52,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["vault-secrets-webhook", "vault", "default"]
+            bound_service_account_names: ["secrets-webhook", "vault", "default"]
             bound_service_account_namespaces: ["vault-infra", "app"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -106,7 +106,7 @@ spec:
       # s3SSE: AES256
 
   # Inject environment variables to all the Vault pods
-  vaultEnvsConfig:
+  secretInitsConfig:
   - name: SOME_ENV_VAR_NAME
     value: SOME_ENV_VAR_VALUE
 

diff --git a/deploy/examples/cr-cert-manager.yaml b/deploy/examples/cr-cert-manager.yaml
@@ -109,7 +109,7 @@ spec:
             allowed_uri_sans: ["spiffe://*"]
             ttl: 144h
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
 

diff --git a/deploy/examples/cr-containers.yaml b/deploy/examples/cr-containers.yaml
@@ -195,7 +195,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -249,7 +249,7 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
     - name: VAULT_STORAGE_FILE

diff --git a/deploy/examples/cr-customports.yaml b/deploy/examples/cr-customports.yaml
@@ -128,7 +128,7 @@ spec:
             AWS_ACCESS_KEY_ID: secretId
             AWS_SECRET_ACCESS_KEY: s3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
 ---

diff --git a/deploy/examples/cr-disabled-root-token-storage.yaml b/deploy/examples/cr-disabled-root-token-storage.yaml
@@ -159,7 +159,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -213,7 +213,7 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
     - name: VAULT_STORAGE_FILE

diff --git a/deploy/examples/cr-hsm-nitrokey.yaml b/deploy/examples/cr-hsm-nitrokey.yaml
@@ -126,7 +126,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets"]
             ttl: 1h
@@ -138,6 +138,6 @@ spec:
         options:
           version: 2
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
diff --git a/deploy/examples/cr-hsm-softhsm.yaml b/deploy/examples/cr-hsm-softhsm.yaml
@@ -119,7 +119,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -173,6 +173,6 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
diff --git a/deploy/examples/cr-init-containers.yaml b/deploy/examples/cr-init-containers.yaml
@@ -156,7 +156,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -190,7 +190,7 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
     - name: VAULT_STORAGE_FILE

diff --git a/deploy/examples/cr-istio.yaml b/deploy/examples/cr-istio.yaml
@@ -131,7 +131,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["vault-secrets-webhook", "vault", "default"]
+            bound_service_account_names: ["secrets-webhook", "vault", "default"]
             bound_service_account_namespaces: ["vault-infra", "app"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -185,7 +185,7 @@ spec:
             MYSQL_ROOT_PASSWORD: s3cr3t
             MYSQL_PASSWORD: 3xtr3ms3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
     - name: VAULT_STORAGE_FILE

diff --git a/deploy/examples/cr-k8s-startup-secret.yaml b/deploy/examples/cr-k8s-startup-secret.yaml
@@ -135,7 +135,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -202,7 +202,7 @@ spec:
       #       - name: external-cert
       #         key: ca.key
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
     - name: VAULT_STORAGE_FILE

diff --git a/deploy/examples/cr-mysql-ha.yaml b/deploy/examples/cr-mysql-ha.yaml
@@ -14,7 +14,7 @@ spec:
   # NOTE: you will need a MySQL instance, grab one with:
   # helm upgrade --install mysql stable/mysql --set mysqlRootPassword=your-root-password --set mysqlDatabase=vault --set mysqlUser=vault --set mysqlPassword=secret --set 'initializationFiles.app-db\.sql=CREATE DATABASE IF NOT EXISTS app;'
 
-  # This example is best used together with test/deploy/test-dynamic-env-vars.yaml to demonstrate the usage of dynamic credential renewal in vault-env daemon mode.
+  # This example is best used together with test/deploy/test-dynamic-env-vars.yaml to demonstrate the usage of dynamic credential renewal in secret-init daemon mode.
 
   # A YAML representation of a final vault config file, this config represents
   # a HA config with MySQL.
@@ -73,7 +73,7 @@ spec:
               default_ttl: "2m"
               max_ttl: "10m"
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: MYSQL_VAULT_PASSWORD
       valueFrom:
         secretKeyRef:

diff --git a/deploy/examples/cr-oidc.yaml b/deploy/examples/cr-oidc.yaml
@@ -89,7 +89,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -137,7 +137,7 @@ spec:
           data:
             MYSQL_ROOT_PASSWORD: s3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
 ---

diff --git a/deploy/examples/cr-priority.yaml b/deploy/examples/cr-priority.yaml
@@ -137,7 +137,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -170,7 +170,7 @@ spec:
           data:
             MYSQL_ROOT_PASSWORD: s3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
 ---

diff --git a/deploy/examples/cr-raft-1.yaml b/deploy/examples/cr-raft-1.yaml
@@ -167,7 +167,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "webhook"]
             policies: allow_secrets
             ttl: 1h
@@ -200,6 +200,6 @@ spec:
           data:
             MYSQL_ROOT_PASSWORD: s3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
diff --git a/deploy/examples/cr-raft-ha-storage.yaml b/deploy/examples/cr-raft-ha-storage.yaml
@@ -58,7 +58,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+            bound_service_account_names: ["default", "secrets-webhook", "vault"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: ["allow_secrets", "allow_pki"]
             ttl: 1h
@@ -70,7 +70,7 @@ spec:
         options:
           version: 2
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug
 

diff --git a/deploy/examples/cr-raft.yaml b/deploy/examples/cr-raft.yaml
@@ -173,7 +173,7 @@ spec:
         roles:
           # Allow every pod in the default namespace to use the secret kv store
           - name: default
-            bound_service_account_names: ["default", "vault-secrets-webhook"]
+            bound_service_account_names: ["default", "secrets-webhook"]
             bound_service_account_namespaces: ["default", "vswh"]
             policies: allow_secrets
             ttl: 1h
@@ -206,6 +206,6 @@ spec:
           data:
             MYSQL_ROOT_PASSWORD: s3cr3t
 
-  vaultEnvsConfig:
+  secretInitsConfig:
     - name: VAULT_LOG_LEVEL
       value: debug