This repository has been archived by the owner on Aug 3, 2021. It is now read-only.

eburghar/cconfd
cconfd

This project has been superseded by rconfd.

cconfd is a utility for containers, written in C++, that generates config files from jsonnet templates and keeps them in sync with secrets fetched from a vault server using kubernetes authentication. It can use the simple yet effective startup notification mechanism of the s6 supervision suite to signal other services that their configuration files have been generated, and it can launch an arbitrary command when the configuration changes.

Usage

cconfd {OPTIONS}

    Generate files with jsonnet and vault secrets using kubernetes
    authentication

  OPTIONS:

      -h, --help                        Display this help menu
      -d[dir], --dir=[dir]              The config directory
      -u[url], --url=[url]              The vault url
      -c[path], --cacert=[path]         the vault ca certificate authority
      -t[path], --token=[path]          Path of kubernetes token
      -s[seconds], --sleep=[seconds]    time to sleep in main loop
      -v, --verbose                     Level of verbosity
      -r[readiness descriptor], --readiness=[readiness descriptor]

Example invocation:

cconfd --url http://vault:8200/v1 --dir /etc/cconfd --token /var/run/secrets/kubernetes.io/serviceaccount/token --ca /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

In an infinite loop it:

  1. logs into vault with the kubernetes service account token (a JWT),
  2. gets the list of secrets and injects them as a secrets variable in the preamble of the jsonnet template,
  3. evaluates the template in multi-manifest mode,
  4. saves each root key of the returned evaluation dictionary as a file: the keys are filenames relative to dir, and their values must be strings,
  5. calls the cmd command if any generated file has changed.

Example configuration:

{
    "service": {
        "dir": "/var/lib/service",
        "tmpl": "/etc/cconfd/tmpl/service.jsonnet",
        "mode": "0644",
        "role": "demo",
        "secrets": {
            "account": "vault:secret/data/demo/account",
            "db": "vault:database/creds/demo"
        },
        "cmd": "/bin/s6-svc -h /var/run/s6/services/myservice"
    }
}

secrets is a map from variable name to secret path. Each variable is accessible in the jsonnet template as a key of the secrets local variable, and the path follows the syntax back-end:path. Variable substitution can be used in the path (e.g. vault:/secret/data/${NAMESPACE}/mail).

There are 3 back-ends for secrets:

  • vault: followed by the path of the secret. The value will be a JSON value.
  • file: followed by the path of the file. The value will be a string.
  • env: followed by the name of the environment variable. The value will be a string.
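The back-end resolution and the "write files, run cmd only on change" steps above, as an added Python sketch that is not cconfd's own C++ code; vault_get is an assumed stand-in for the Vault client, and the vault data and NAMESPACE value in demo() are constructed:

```python
import json
import os
import re
import tempfile

# Added example, not cconfd's own code: secret-reference resolution plus the
# file-writing step. vault_get is an assumed callable replacing the Vault client.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
def expand(path, env):
    """Substitute ${NAME} with env[NAME]; an unset variable raises KeyError."""
    return _VAR.sub(lambda m: env[m.group(1)], path)

def resolve(ref, env, vault_get):
    """Turn a 'back-end:path' reference into the value the template sees."""
    backend, _, path = expand(ref, env).partition(":")
    if backend == "vault":
        return vault_get(path)  # decoded JSON body of the Vault response
    if backend == "file":
        with open(path) as f:
            return f.read()
    if backend == "env":
        return env[path]
    raise ValueError(f"unknown secrets back-end {backend!r} in {ref!r}")

def write_outputs(out_dir, files, mode):
    """Write each root key as a file under out_dir; return True if any changed.
    mkstemp creates the file 0600; it is chmod'ed to the configured mode and
    swapped in atomically, so a secret is never briefly world-readable."""
    changed = False
    for name, content in files.items():
        if not isinstance(content, str):
            raise TypeError(f"{name}: template value must be a string")
        dest = os.path.join(out_dir, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if os.path.exists(dest) and open(dest).read() == content:
            continue  # unchanged: leave the file and its mtime alone
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest))
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, int(mode, 8))
        os.replace(tmp, dest)
        changed = True
    return changed
def demo(out_dir=None):
    """Constructed run; returns (changed first time, changed on rewrite, mode)."""
    out_dir = out_dir or tempfile.mkdtemp()
    vault = {"secret/data/demo/account": {"data": {"user": "app", "pass": "s3cr3t"}}}
    account = resolve("vault:secret/data/${NAMESPACE}/account", {"NAMESPACE": "demo"}, vault.__getitem__)
    files = {"account.json": json.dumps(account["data"])}
    first, second = write_outputs(out_dir, files, "0600"), write_outputs(out_dir, files, "0600")
    return first, second, os.stat(os.path.join(out_dir, "account.json")).st_mode & 0o777
```

Because write_outputs only reports a change when file contents differ, the cmd hook (here the s6-svc call from the configuration) is not re-run on every loop iteration.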

Building

The project uses the bazel build system:

bazel build //:all //test:all

License

Apache-2.0 (LICENSE-APACHE) and MIT (LICENSE-MIT) licenses found in the repository.