
Kubernetes Mutating Webhook to inject Vault-Creds Sidecar into pods



Mutating webhook that injects the Vault-Creds sidecar into pods on pod creation using a custom resource for configuration.

Note: vault-webhook only injects the sidecar into pods whose namespace carries the label vault-webhook=enabled; pods in any other namespace are left untouched.


The webhook does four things to a matching pod:

  • Adds a volume called vault-creds; this is where your credentials are written
  • Mounts the vault-creds volume into each of your existing containers
  • Adds an init container called vault-creds-<database>-<role> (e.g. vault-creds-mydb-readonly-init) that renders the credentials before your containers start
  • Adds a sidecar container called vault-creds-<database>-<role> that keeps the credentials renewed while the pod runs

It decides which pods to mutate by checking the pod's service account against custom resources called DatabaseCredentialBindings in the pod's namespace. A DatabaseCredentialBinding links a ServiceAccount to a database and a role. Example DatabaseCredentialBinding:

```yaml
apiVersion: vaultwebhook.uswitch.com/v1alpha1
kind: DatabaseCredentialBinding
metadata:
  name: mybinding
  namespace: mynamespace
spec:
  serviceAccount: my_service_account
  database: mydb
  role: readonly
  outputPath: /config   # Optional: defaults to /etc/database
  outputFile: mycreds   # Optional: defaults to <database>-<role>
```

The webhook expects the pod to already have a volume called vault-template. This volume should be a ConfigMap containing a file named <database>-<role>, e.g. mydb-readonly, which is used as the template for rendering your credentials. The rendered credentials are written to /etc/database/<database>-<role> in the vault-creds volume. The output directory and file name can be changed with the outputPath and outputFile fields of the DatabaseCredentialBinding respectively.
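To make the lookup and the four mutations concrete, the following Go program is an added illustration written for this page; it is not the project's own code. It models a pod and a binding with small stand-in structs, matches bindings by namespace and service account, checks for the vault-template volume, applies the outputPath and outputFile defaults, and emits the result as the RFC 6902 JSON Patch a mutating webhook returns in its AdmissionResponse. The sidecar's command-line flags (--template, --out, --init) and the image tag are placeholders, since the page does not show the sidecar's CLI; the create-the-array-first handling in appendOp is a real JSON Patch constraint that any webhook adding to an absent list has to respect.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Pod carries only what the mutation inspects. Assumption: the real webhook decodes
// a full corev1.Pod from the AdmissionReview; these types are illustration only.
type Container struct{ Name string; VolumeMounts []string } // names of mounts already present
type Pod struct {
	Namespace, ServiceAccount  string
	Containers, InitContainers []Container
	Volumes                    []string // names of volumes already present
}

// Binding holds the spec fields of a DatabaseCredentialBinding.
type Binding struct{ Namespace, ServiceAccount, Database, Role, OutputPath, OutputFile string }

// PatchOp is one RFC 6902 op; the webhook returns a base64-encoded JSON array of them as AdmissionResponse.patch.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

type obj = map[string]interface{} // untyped Kubernetes object fragments

// appendOp appends v to the array at listPath. "add" to "<list>/-" fails when
// the list is absent from the pod, so the first append creates the array instead.
func appendOp(listPath string, exists *bool, v interface{}) PatchOp {
	if !*exists {
		*exists = true
		return PatchOp{Op: "add", Path: listPath, Value: []interface{}{v}}
	}
	return PatchOp{Op: "add", Path: listPath + "/-", Value: v}
}

// orDefault implements the README defaults for outputPath and outputFile.
func orDefault(v, d string) string {
	if v == "" {
		return d
	}
	return v
}

// BuildPatch picks the bindings in the pod's namespace that name its service account
// and emits the four mutations as one JSON Patch: nil when nothing matches, an error
// when the vault-template volume the sidecar renders from is missing.
func BuildPatch(pod Pod, bindings []Binding, sidecarImage string) ([]PatchOp, error) {
	var matched []Binding
	for _, b := range bindings {
		if b.Namespace == pod.Namespace && b.ServiceAccount == pod.ServiceAccount {
			matched = append(matched, b)
		}
	}
	if len(matched) == 0 {
		return nil, nil
	}
	hasTemplate := false
	for _, v := range pod.Volumes {
		hasTemplate = hasTemplate || v == "vault-template"
	}
	if !hasTemplate {
		return nil, fmt.Errorf("pod has no vault-template volume to render credentials from")
	}
	volsExist := true // 1. the shared volume; the template volume proves the list exists
	ops := []PatchOp{appendOp("/spec/volumes", &volsExist, obj{"name": "vault-creds", "emptyDir": obj{}})}
	for i, c := range pod.Containers { // 2. mount it into every existing container, once per output dir
		exists, seen := len(c.VolumeMounts) > 0, map[string]bool{}
		for _, b := range matched {
			if d := orDefault(b.OutputPath, "/etc/database"); !seen[d] {
				seen[d] = true
				ops = append(ops, appendOp(fmt.Sprintf("/spec/containers/%d/volumeMounts", i), &exists, obj{"name": "vault-creds", "mountPath": d}))
			}
		}
	}
	// 3 and 4. an init container and a sidecar per binding. The sidecar flag names are
	// placeholders: the page says what it renders, not what its CLI looks like.
	initExist, ctrsExist := len(pod.InitContainers) > 0, true
	for _, b := range matched {
		dir, file := orDefault(b.OutputPath, "/etc/database"), orDefault(b.OutputFile, b.Database+"-"+b.Role)
		name := fmt.Sprintf("vault-creds-%s-%s", b.Database, b.Role)
		args := []string{"--template=" + path.Join("/vault-template", b.Database+"-"+b.Role), "--out=" + path.Join(dir, file)}
		mounts := []obj{{"name": "vault-creds", "mountPath": dir}, {"name": "vault-template", "mountPath": "/vault-template", "readOnly": true}}
		sidecar := obj{"name": name, "image": sidecarImage, "args": args, "volumeMounts": mounts}
		initC := obj{"name": name + "-init", "image": sidecarImage, "args": append(append([]string{}, args...), "--init"), "volumeMounts": mounts}
		ops = append(ops, appendOp("/spec/initContainers", &initExist, initC), appendOp("/spec/containers", &ctrsExist, sidecar))
	}
	return ops, nil
}

func main() {
	pod := Pod{Namespace: "mynamespace", ServiceAccount: "my_service_account", Containers: []Container{{Name: "myapp"}}, Volumes: []string{"vault-template"}}
	b := Binding{Namespace: "mynamespace", ServiceAccount: "my_service_account", Database: "mydb", Role: "readonly"}
	ops, err := BuildPatch(pod, []Binding{b}, "vault-creds:example") // image tag is a placeholder
	out, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(out), err)
}
```

Two details matter when writing a webhook like this. The mount ops are emitted before the sidecar is appended, so the container indices in the patch paths refer to the pod as it was submitted; and the error path returning no patch for a pod without vault-template is the point where a real webhook decides between rejecting the pod (allowed: false) and letting it through uninjected, which is a security choice rather than a formatting one.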

Example Deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: mynamespace
spec:
  replicas: 1
  template:
    spec:
      serviceAccountName: my_service_account
      containers:
      - name: myapp
        args:
        - --db-creds=/etc/database/mydb-readonly
      volumes:
      - name: vault-template
        configMap:
          name: my-template
```


```
usage: vault-webhook-linux-amd64 --vault-address=VAULT-ADDRESS --login-path=LOGIN-PATH --sidecar-image=SIDECAR-IMAGE [<flags>]

  --help                         Show context-sensitive help (also try --help-long and --help-man).
  --vault-address=VAULT-ADDRESS  URL of vault
  --vault-ca-path=VAULT-CA-PATH  Path to the CA cert for vault
  --login-path=LOGIN-PATH        Kubernetes auth login path for vault
  --sidecar-image=SIDECAR-IMAGE  Vault-creds sidecar image to use
                                 URL of Push Gateway
                                 The format for the path used for reading database credentials, where the first %s is the database name and the second %s is the role
  --server-address=":8443"       The address the webhook server will listen on.
```