This project been superseded by rconfd.
cconfd
is an utility for containers, written in c++, to generate config files
from jsonnet templates, and keep them in sync with
secrets fetched from a vault server with kubernetes
authentication. It can use the simple and yet effective
startup notification mechanism of the s6 supervision
suite to signal other services that their configuration files have been generated
and it can launch arbitrary command when configuration change.
cconfd {OPTIONS}
Generate files with jsonnet and vault secrets using kubernetes
authentication
OPTIONS:
-h, --help Display this help menu
-d[dir], --dir=[dir] The config directory
-u[url], --url=[url] The vault url
-c[path], --cacert=[path] the vault ca certificate authority
-t[path], --token=[path] Path of kubernetes token
-s[seconds], --sleep=[seconds] time to sleep in main loop
-v, --verbose Level of verbosity
-r[readiness descriptor],
--readiness=[readiness
descriptor]
cconfd --url http://vault:8200/v1 --dir /etc/cconfd --token /var/run/secrets/kubernetes.io/serviceaccount/token --ca /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
In an infinite loop it :
- logs into vault with kubernetes service account token (jwt),
- gets a list of secrets and injects them as a
secrets
variable in the preamble of a jsonnet template, - evaluates template in multi manifest mode,
- saves each root keys of the returned evaluation dictionary as a file. The keys are filenames relatively to
dir
, and their values should be a strings, - calls the
cmd
command if any generated files have changed
{
"service": {
"dir": "/var/lib/service",
"tmpl": "/etc/cconfd/tmpl/service.jsonnet",
"mode": "0644",
"role": "demo",
"secrets": {
"account": "vault:secret/data/demo/account",
"db": "vault:database/creds/demo"
},
"cmd": "/bin/s6-svc -h /var/run/s6/services/myservice"
}
}
secrets
is a map of variable name and secret path. The variable is accessible in jsonnet template as a key from
the secrets
local variable and the path follows the syntax back-end:path
. You can use variable substitutions
in path (ex: vault:/secret/data/${NAMESPACE}/mail
)
There are 3 back-ends for secrets
vault:
followed by the path of the secret. The value will be a json value.file:
followed by the path of the file. The value will be a stringenv:
followed by the name of the variable. The value will be a string
The project use bazel build system
bazel build //:all //test:all