--- # ENV base apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: quarkus-demo-env labels: app.kubernetes.io/managed-by: "vault" spec: provider: vault parameters: roleName: 'quarkus-vault' vaultAddress: 'http://172.20.0.5:30820' # vaultSkipTLSVerify: 'true' vaultAuthMountPath: 'quarkus-cluster' objects: | - objectName: "greeting.message" secretPath: "kv/data/quarkus/vault-demo?version=1" secretKey: "greeting.message" secretObjects: - data: - key: greeting.message objectName: greeting.message secretName: quarkus type: Opaque labels: app.kubernetes.io/managed-by: "quarkus" --- # File based apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: quarkus-demo-file labels: app.kubernetes.io/managed-by: "vault" spec: provider: vault parameters: roleName: 'quarkus-vault' vaultAddress: 'http://172.20.0.5:30820' # vaultSkipTLSVerify: 'true' vaultAuthMountPath: 'quarkus-cluster' objects: | - objectName: "fullchain.crt" secretPath: "kv/data/quarkus/vault-demo?version=3" secretKey: "fullchain.crt" encoding: "base64" --- apiVersion: v1 kind: ServiceAccount metadata: name: quarkus-app labels: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest app.kubernetes.io/managed-by: quarkus --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest app.kubernetes.io/managed-by: quarkus name: secret-csi-vault spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest app.kubernetes.io/managed-by: quarkus name: secret-csi-vault spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest template: metadata: labels: app.kubernetes.io/managed-by: quarkus app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest spec: hostAliases: - ip: "172.25.150.200" hostnames: - "vault-demo.cch.com" serviceAccountName: quarkus-app containers: - env: - name: KUBERNETES_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: GREETING_MESSAGE valueFrom: secretKeyRef: name: quarkus key: greeting.message image: registry.hub.docker.com/cch0124/secret-csi-vault:latest imagePullPolicy: Always name: secret-csi-vault ports: - containerPort: 8080 name: http protocol: TCP volumeMounts: - name: config mountPath: "/home/jboss/config" readOnly: true - name: vault-secret-env mountPath: "/mnt/secrets-store" readOnly: true - name: vault-secret-file mountPath: "/opt/pki" readOnly: true volumes: - name: config configMap: name: secret-csi-vault items: - key: application.properties path: application.properties - name: vault-secret-env csi: driver: 'secrets-store.csi.k8s.io' readOnly: true volumeAttributes: secretProviderClass: 'quarkus-demo-env' - name: vault-secret-file csi: driver: 'secrets-store.csi.k8s.io' readOnly: true volumeAttributes: secretProviderClass: 'quarkus-demo-file' --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: labels: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest app.kubernetes.io/managed-by: quarkus name: secret-csi-vault spec: ingressClassName: nginx rules: - http: paths: - backend: service: name: secret-csi-vault port: name: http path: / pathType: Prefix --- kind: ConfigMap apiVersion: v1 metadata: name: secret-csi-vault labels: app.kubernetes.io/name: secret-csi-vault app.kubernetes.io/version: latest app.kubernetes.io/managed-by: quarkus data: application.properties: | pki.certificate-chain-path=/opt/pki/fullchain.crt