bank-vaults / vault-secrets-webhook

A Kubernetes mutating webhook that makes direct secret injection into Pods possible.
https://bank-vaults.dev/docs/mutating-webhook/
Apache License 2.0

Vault Secrets Webhook

Documentation

The official documentation for the webhook is available at https://bank-vaults.dev.

Development

For an optimal developer experience, it is recommended to install Nix and direnv.

Alternatively, install Go on your computer, then run make deps to install the rest of the dependencies.

Make sure Docker is installed with Compose and Buildx.

Fetch required tools:

make deps

Run project dependencies:

make up

Run the webhook:

make -j run forward

Run the test suite:

make test
make test-e2e-local

Run linters:

make lint # pass -j option to run them in parallel

Some linter violations can automatically be fixed:

make fmt

Build artifacts locally:

make artifacts

Once you are done, you can tear down project dependencies:

make down

Running e2e tests

The project comes with an e2e test suite that is mostly self-contained, but at the very least, you need Docker installed.

By default, the suite launches a KinD cluster, deploys all necessary components and runs the test suite. This is a good option if you want to run the test suite to make sure everything works. This is also how the CI runs the test suite (with a few minor differences).

You can run the test suite with the following command:

make test-e2e-local

Another way to run the test suite is using an existing cluster. This may be a better option if you want to debug tests or figure out why something isn't working.

Set up a Kubernetes cluster of your liking. For example, launch a KinD cluster:

kind create cluster

Deploy the necessary components (including the webhook itself):

garden deploy

Run the test suite:

make BOOTSTRAP=false test-e2e

License

The project is licensed under the Apache 2.0 License.