A convenient wrapper for getting secrets from HashiCorp Vault in Kubernetes
Project description
ytkubevault
ytkubevault is a light wrapper for reading secrets from HashiCorp Vault running in Kubernetes.
When a microservice needs to fetch a secret value from Vault, it first has to read a token from its containing pod. This token is then used to communicate with Vault in order to obtain a second token, and the service uses the second token to get the secrets. ytkubevault simplifies this process with one function, get_secret_or_env(key: default:), which first tries to obtain the secret from Vault and, if that does not succeed, reads it from the environment. A default value can be provided as the last resort.
This is especially convenient when you are developing locally, or the application is being built in a CI/CD pipeline where the first token is not available.
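The two-token flow and the fallback order described above, as an added sketch that is not ytkubevault's own code. The names read_from_vault and lookup are hypothetical, and the code assumes the default Kubernetes auth mount path, the default service account token location, and that VAULT_SECRETS_PATH is the API path of a single secret. It returns the source along with the value so that a silent fallback to the environment or a default is visible to the caller.

```python
import json
import os
import urllib.request

# Default service account token mount inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def http_json(method, url, headers=None, body=None, timeout=5):
    """Minimal JSON-over-HTTP helper (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def read_from_vault(key, env, token_path=SA_TOKEN_PATH, http=http_json):
    """Pod token -> Vault login -> Vault token -> secret read."""
    with open(token_path) as fh:
        jwt = fh.read().strip()                      # first token (from the pod)
    base = env["VAULT_URL"].rstrip("/")
    # Assumption: the Kubernetes auth method is mounted at its default path.
    login = http("POST", f"{base}/v1/auth/kubernetes/login",
                 body={"role": env["VAULT_ROLE"], "jwt": jwt})
    vault_token = login["auth"]["client_token"]      # second token (from Vault)
    # Assumption: VAULT_SECRETS_PATH is one secret's API path, e.g. secret/data/myapp.
    resp = http("GET", f"{base}/v1/{env['VAULT_SECRETS_PATH'].strip('/')}",
                headers={"X-Vault-Token": vault_token})
    data = resp["data"]
    data = data["data"] if "metadata" in data else data  # KV v2 nests under data.data
    return data[key]


def lookup(key, default=None, env=os.environ, **kw):
    """Return (value, source) so callers can tell a Vault read from a fallback."""
    if env.get("VAULT_ENABLED", "false").lower() == "true":
        try:
            return read_from_vault(key, env, **kw), "vault"
        except (OSError, KeyError, ValueError) as exc:
            # Log the failure class only, never the token or the secret.
            print(f"vault lookup for {key!r} failed: {type(exc).__name__}")
    if key in env:
        return env[key], "env"
    return default, "default"
```

In a production deployment, a source other than "vault" while VAULT_ENABLED is "true" is worth alerting on, since it means the service is running on a fallback credential.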
Install
pip install ytkubevault
Usage
First define the following environment variables:
- VAULT_ENABLED
- VAULT_ROLE
- VAULT_URL
- VAULT_SECRETS_PATH
By default, VAULT_ENABLED is "false". To enable reading from Vault, set it to "true" (case-insensitive). Then:
from ytkubevault import get_secret_or_env
db_password = get_secret_or_env("DATABASE_PASSWORD")
Hashes for ytkubevault-0.1.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 7c8ec2e5b0c7b084948c4aff8e2992ab4ac3970c37b5a93a78048c12565b622e
MD5 | 10c8fe5604506eb8882d3de7cca38bb3
BLAKE2b-256 | 10b4b411863c388d214acddae562e1ee047a713a91160bca2fc17e3158fc5a80