try vault kvv2 secret engine
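--- /dev/null
+++ b/chart/templates/vaultauth.yaml
@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: static-auth
+namespace: {{ .Release.Namespace }}
+spec:
+method: kubernetes
+mount: kubernetes
+kubernetes:
+role: webapp
+serviceAccount: {{ include "webapp.serviceAccountName" . }}
+audiences:
+- vault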
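Review bot: `role: webapp` and `mount: kubernetes` are hard-coded while `namespace` and `serviceAccount` are templated, so pointing the chart at a different Vault auth mount or role requires editing the template instead of overriding values. Consider reading them from values with defaults, e.g. `role: {{ .Values.vault.role | default "webapp" }}` and `mount: {{ .Values.vault.authMount | default "kubernetes" }}` (key names are illustrative). It would also help a reader to add a comment above `audiences:` stating that `vault` must match the audience the Vault Kubernetes auth role is configured to accept, since a mismatch fails silently at login time rather than at install.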
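--- /dev/null
+++ b/chart/templates/vaultsecret.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: vault-kv-app
+namespace: {{ .Release.Namespace }}
+spec:
+type: kv-v2
+
+# mount path
+mount: kvv2
+
+# path of the secret
+path: webapp/config
+
+# dest k8s secret
+destination:
+name: secretkv
+create: true
+
+# static secret refresh interval
+refreshAfter: 30s
+
+# Name of the CRD to authenticate to Vault
+vaultAuthRef: static-auth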
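Review bot: `destination.create: true` materialises the Vault data as a plain Kubernetes Secret named `secretkv` in the release namespace, so once synced its exposure is bounded by Secret RBAC in that namespace rather than by the Vault policy on `webapp/config`; the `# dest k8s secret` comment should say so, e.g. `# dest k8s secret (readable by anyone with get/list on Secrets in this namespace)`. As in vaultauth.yaml, `mount`, `path` and the destination name are hard-coded while `namespace` is templated; moving them to values keeps the two templates consistent. `refreshAfter: 30s` polls Vault every 30 seconds for a secret described as static; a longer interval is probably adequate and the comment could state why 30s was chosen.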
@@ -16,7 +16,7 @@ fullnameOverride: ""
serviceAccount:
serviceAccount:
# Specifies whether a service account should be created
# Specifies whether a service account should be created
create: false
create: true
# Automatically mount a ServiceAccount's API credentials?
# Automatically mount a ServiceAccount's API credentials?
automount: true
automount: true
# Annotations to add to the service account
# Annotations to add to the service account
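Review bot: Flipping `create: false` to `create: true` together with the existing `automount: true` means every pod running under the chart's service account now receives a mounted token, and that same service account is the identity the `webapp` Vault role in vaultauth.yaml trusts (this hunk's file header is not shown; presumably chart/values.yaml). If only the application container needs Vault access, it is worth a comment here noting that the token grants Vault login and that `automount` is the knob to narrow it, e.g. `# This SA is the Vault auth identity (see templates/vaultauth.yaml); keep automount scoped to pods that need Vault`.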
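--- a/main.go
+++ b/main.go
@@ -153,6 +153,10 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 authorityHeader := r.Header.Get(":authority")
 if oauthAllowedHttp2Authority != "" && authorityHeader != oauthAllowedHttp2Authority {
 fmt.Println(":authority: "+authorityHeader)
+fmt.Println("received headers")
+for key, value := range r.Header {
+fmt.Printf("%s='%s'\n", key, value)
+}
 http.Error(w, "Access denied: invalid referer or origin", http.StatusForbidden)
 return
 }
@@ -409,7 +413,6 @@ func main() {
 // Start the HTTP server
 port := ":8080"
 log.Printf("Server starting on port %s\n", port)
-fmt.Println("new version indeed")
 err = http.ListenAndServe(port, nil)
 if err != nil {
 log.Fatalf("Server failed to start: %v", err)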
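Review bot: The added `for key, value := range r.Header` loop in the first hunk writes every inbound header of a rejected OAuth callback to stdout, which includes `Cookie`, `Authorization` and any bearer or state values the client sent, so the denial path now copies credentials into the container log. The diagnostic the check needs is only the mismatched authority, which can replace the four added lines with `log.Printf("oauth2 callback denied: :authority=%q allowed=%q", authorityHeader, oauthAllowedHttp2Authority)` and drops the `fmt.Println(":authority: "+authorityHeader)` duplicate above it; this also routes the message through `log` like the rest of main() instead of bare `fmt`. If a full header dump is genuinely wanted for debugging, gate it behind a debug flag and skip the `Cookie` and `Authorization` keys. oauth2_callback begins and ends outside the hunk.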