A convenient wrapper for getting secrets from HashiCorp Vault in Kubernetes
Project description
ytkubevault
ytkubevault is a lightweight wrapper for reading secrets from HashiCorp Vault running in Kubernetes.
When a microservice needs to fetch a secret value from Vault, it first has to read a token from its containing pod. This token is then used to communicate with Vault in order to obtain a second token, and the service uses the second token to get the secrets. ytkubevault simplifies this process with one function, get_secret_or_env(key: default:), which first tries to obtain the secret from Vault and, if that does not succeed, reads it from the environment. A default value can be provided as the last resort.
This is especially convenient when you are developing locally, or the application is being built in a CI/CD pipeline where the first token is not available.
Install
pip install ytkubevault
Usage
First define the following environment variables:
- VAULT_ENABLED
- VAULT_ROLE
- VAULT_URL
- VAULT_SECRETS_PATH
By default, VAULT_ENABLED is "false". To enable reading from Vault, set it to "true" (case-insensitive). Then:
from ytkubevault import get_secret_or_env
db_password = get_secret_or_env("DATABASE_PASSWORD")
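The two-token exchange and the fallback order described above, written out as an added example; this is not ytkubevault's own code. The names secret_or_env, vault_secret and http_json are hypothetical, and the sketch assumes the Kubernetes auth method is mounted at Vault's default path and that VAULT_SECRETS_PATH is a KV version 1 API path.

```python
import json
import os
import urllib.request

# Standard location of the pod's service-account token (the "first token").
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def http_json(url, body=None, headers=None):
    """Minimal JSON-over-HTTP transport; sends a POST when a body is given."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def vault_secret(key, env, transport=http_json, token_path=SA_TOKEN_PATH):
    """Pod JWT -> Vault client token (the "second token") -> secret value."""
    with open(token_path) as fh:
        jwt = fh.read().strip()
    base = env["VAULT_URL"].rstrip("/")
    # Assumption: Kubernetes auth is mounted at the default "kubernetes" path.
    login = transport(base + "/v1/auth/kubernetes/login",
                      body={"role": env["VAULT_ROLE"], "jwt": jwt})
    client_token = login["auth"]["client_token"]
    # Assumption: VAULT_SECRETS_PATH is a KV version 1 API path.
    path = env["VAULT_SECRETS_PATH"].strip("/")
    secret = transport(base + "/v1/" + path,
                       headers={"X-Vault-Token": client_token})
    return secret["data"][key]


def secret_or_env(key, default=None, env=os.environ, **kw):
    """Try Vault first, then the environment, then the default."""
    if env.get("VAULT_ENABLED", "false").lower() == "true":
        try:
            return vault_secret(key, env, **kw)
        except (OSError, KeyError, ValueError):
            pass  # no pod token, Vault unreachable, or key not present
    return env.get(key, default)
```

Because the fallback is silent, a pod that cannot reach Vault runs with whatever value the environment or the default supplies, so a production service should record that the fallback was taken (without logging either token) and should not pass a real credential as the default.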
Hashes for ytkubevault-0.0.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 699de9556644d288de99d5e1d5a3170b651877726c4d1a007e44de7082880930
MD5 | 78146e5727314e7ad17a71b22c0c9f26
BLAKE2b-256 | 088bc14ec4d812bb4955e1d345bcb01048e371de738533466aa618100c722408