add inject-vault-credentials-agent-aws-gcp-key rule (#406)

utilitywarehouse · Nov 18, 2024 · 4508a8a · 4508a8a
1 parent 93c3335
commit 4508a8a
Showing 1 changed file with 119 additions and 0 deletions.
diff --git a/kyverno/policies/pods/injectSidecar.yaml b/kyverno/policies/pods/injectSidecar.yaml
@@ -460,6 +460,125 @@ spec:
               - name: vault-tls
                 configMap:
                   name: vault-tls
+    - name: inject-vault-credentials-agent-aws-gcp-key
+      context:
+        - name: POD_NAMESPACE
+          variable:
+            jmesPath: request.object.metadata.namespace
+        - name: POD_SERVICE_ACCOUNT
+          variable:
+            jmesPath: request.object.spec.serviceAccountName
+      match:
+        any:
+          - resources:
+              annotations:
+                uw.systems/kyverno-inject-sidecar-request: "vault-sidecar-aws-gcp-key"
+              kinds:
+                - Pod
+              operations:
+                - CREATE
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              uw.systems/kyverno-inject-sidecar-status: "injected"
+          spec:
+            initContainers:
+              - name: vault-credentials-agent-aws
+                image: quay.io/utilitywarehouse/vault-kube-cloud-credentials:v0.9.1
+                restartPolicy: Always
+                startupProbe:
+                  exec:
+                    command:
+                      - /bin/sh
+                      - -c
+                      - |
+                        while ! nc -w 1 127.0.0.1 8098; do sleep 1; done
+                args:
+                  - sidecar
+                  - -vault-role={{ VKAC_ENVIRONMENT }}_aws_{{ POD_NAMESPACE }}_{{ POD_SERVICE_ACCOUNT }}
+                env:
+                  - name: VAULT_CACERT
+                    value: "/etc/tls/ca.crt"
+                  - name: VAULT_ADDR
+                    value: "https://vault.sys-vault:8200"
+                ports:
+                  - name: metrics
+                    containerPort: 8099
+                    protocol: TCP
+                resources:
+                  requests:
+                    cpu: 0m
+                    memory: 25Mi
+                  limits:
+                    cpu: 1000m
+                    memory: 100Mi
+                volumeMounts:
+                  - name: vault-tls
+                    mountPath: /etc/tls
+              - name: vault-credentials-agent-gcp
+                image: quay.io/utilitywarehouse/vault-kube-cloud-credentials:v0.9.1
+                restartPolicy: Always
+                startupProbe:
+                  exec:
+                    command:
+                      - test
+                      - -e
+                      - /gcp/sa.json
+                  failureThreshold: 5
+                  periodSeconds: 15
+                args:
+                  - sidecar
+                  - -vault-static-account={{ VKAC_ENVIRONMENT }}_gcp_{{ POD_NAMESPACE }}_{{ POD_SERVICE_ACCOUNT }}
+                  - -secret-type=service_account_key
+                env:
+                  - name: GOOGLE_APPLICATION_CREDENTIALS
+                    value: "/gcp/sa.json"
+                  - name: VAULT_CACERT
+                    value: "/etc/tls/ca.crt"
+                  - name: VAULT_ADDR
+                    value: "https://vault.sys-vault:8200"
+                ports:
+                  - name: metrics
+                    containerPort: 8099
+                    protocol: TCP
+                resources:
+                  requests:
+                    cpu: 0m
+                    memory: 25Mi
+                  limits:
+                    cpu: 1000m
+                    memory: 100Mi
+                volumeMounts:
+                  - name: gcp
+                    mountPath: /gcp
+                  - name: vault-tls
+                    mountPath: /etc/tls
+              - (name): "*"
+                env:
+                  - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
+                    value: "http://127.0.0.1:8098/credentials"
+                  - name: GOOGLE_APPLICATION_CREDENTIALS
+                    value: "/gcp/sa.json"
+                volumeMounts:
+                  - name: gcp
+                    mountPath: /gcp
+            containers:
+              - (name): "*"
+                env:
+                  - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
+                    value: "http://127.0.0.1:8098/credentials"
+                  - name: GOOGLE_APPLICATION_CREDENTIALS
+                    value: "/gcp/sa.json"
+                volumeMounts:
+                  - name: gcp
+                    mountPath: /gcp
+            volumes:
+              - name: gcp
+                emptyDir: {}
+              - name: vault-tls
+                configMap:
+                  name: vault-tls
     - name: inject-vault-init-container-aws
       context:
         - name: POD_NAMESPACE