GoogleCloudPlatform / berglas

A tool for managing secrets on Google Cloud
https://cloud.google.com/secret-manager
Apache License 2.0

how to use berglas with kubernetes daemonset? #37

Closed. sonots closed this 5 years ago.

sonots commented 5 years ago

I set up my kubernetes cluster following https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes. It seems to work fine for usual pods. But berglas does not work well for daemonsets, either because of the MutatingWebhookConfiguration or because the sidecar does not start for a daemonset.

Could you tell me how to use berglas with daemonset? I want to use datadog-agent https://docs.datadoghq.com/agent/kubernetes/daemonset_setup/?tab=k8sfile#create-manifest and want to use berglas for DD_API_KEY.

sethvargo commented 5 years ago

It should work, but you may need to change this to include daemonsets.

sonots commented 5 years ago

I tried

  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1", "v1beta1"]
    resources: ["pods", "daemonsets"]

But I get errors:

  datadog-agent-tfrws datadog-agent 2019-07-11 23:54:55 UTC | CORE | ERROR | (pkg/forwarder/transaction.go:179 in Process) | API Key invalid, dropping transaction for https://6-12-1-app.agent.datadoghq.com/intake/?api_key=*************************rglas://<bucket_name>/datadog_api_key

sonots commented 5 years ago

I got it. I needed to specify command. Following change made it work. Thanks!

      containers:
      - name: datadog-agent
        image: datadog/agent:latest
        imagePullPolicy: Always
        command: ["/init"]   # added line

sethvargo commented 5 years ago

Ah yes, this is documented at the bottom. The command is needed because Kubernetes can't introspect the command set in the Dockerfile - it has to be set in the manifest.
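The complete manifest the thread converges on, written out as an added example (it is not code from the berglas project or from either commenter). The namespace, service account name, bucket name and object name are assumed placeholders; the `/init` entrypoint is the value that worked for the reporter above. The webhook only needs to match `pods`: a DaemonSet creates pods through the same API as a Deployment, so no `daemonsets` resource has to be added to the webhook rule.

```yaml
# Added example, not from the berglas project or the issue thread.
# Assumed names: namespace "monitoring", service account "datadog-agent",
# bucket "my-berglas-bucket", object "datadog_api_key".
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: datadog-agent
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: datadog-agent
  template:
    metadata:
      labels:
        app: datadog-agent
    spec:
      # The pod's service account must map to a GCP identity that can read
      # (and decrypt) the bucket object, as in the berglas kubernetes example.
      serviceAccountName: datadog-agent
      containers:
      - name: datadog-agent
        image: datadog/agent:latest
        imagePullPolicy: Always
        # REQUIRED for berglas: the webhook rewrites this command to run the
        # real entrypoint under "berglas exec". It cannot read ENTRYPOINT out
        # of the image, so the entrypoint has to be repeated here. Setting
        # command also discards the image's CMD, so add "args" if the image
        # relied on one. "/init" is the value that worked in this thread;
        # confirm it against the image tag you actually deploy.
        command: ["/init"]
        env:
        # A berglas:// reference. The exec wrapper replaces it with the
        # plaintext at process start, so the key never sits in the manifest.
        - name: DD_API_KEY
          value: berglas://my-berglas-bucket/datadog_api_key
```

The log line in the thread is the tell-tale symptom of a missing `command`: the agent received the literal `berglas://...` string as its API key, meaning the pod was never rewritten and the reference was passed through unresolved. After applying the manifest, inspect a created pod with `kubectl get pod -l app=datadog-agent -o jsonpath='{.items[0].spec.containers[0].command}'`; a mutated pod shows `/init` wrapped by a berglas `exec --` invocation rather than `/init` alone, and the pod spec also gains the berglas init container.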