A convenient wrapper for getting secrets from HashiCorp Vault in Kubernetes
ytkubevault
ytkubevault is a light wrapper for reading secrets from HashiCorp Vault running in Kubernetes.
When the microservice needs to fetch the secret value from
Vault, it has to read a token from its containing pod first.
Then this token is used to communicate with Vault in order to
obtain a second token. Your service uses the second token to
get the secrets. ytkubevault simplifies this process with one
function get_secret_or_env(key: default:), which first tries
to obtain the secret from Vault, and if that didn't succeed,
reads it from the environment. A default value can be provided
as the last resort.
This is especially convenient when you are developing locally, or the application is being built in a CI/CD pipeline where the first token is not available.
Install
pip install ytkubevault
Usage
First define the following environment variables:
- VAULT_ENABLED
- VAULT_ROLE
- VAULT_URL
- VAULT_SECRETS_PATH
By default, VAULT_ENABLED is "false". To enable reading from Vault, set it to "true" (case-insensitive). Then:
from ytkubevault import get_secret_or_env
db_password = get_secret_or_env("DATABASE_PASSWORD")
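The flow described above (pod token, Vault token, secret, then environment and default fallback), written out as an added sketch; it is not ytkubevault's own code. It assumes the Kubernetes auth method is mounted at auth/kubernetes and that VAULT_SECRETS_PATH points at a KV v2 path; resolve_secret, read_from_vault and the injectable http parameter are hypothetical names.

```python
import json
import os
import urllib.request

# Standard mount point of the pod's service account token in Kubernetes.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _http_json(url, payload=None, token=None):
    """POST JSON when a payload is given, otherwise GET; return parsed JSON."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def read_from_vault(key, env, http=_http_json, token_path=SA_TOKEN_PATH):
    # First token: the pod's service account JWT (absent outside the cluster).
    with open(token_path) as f:
        jwt = f.read().strip()
    base = env["VAULT_URL"].rstrip("/")
    # Second token: exchange the JWT for a Vault token (assumed mount: kubernetes).
    login = http(f"{base}/v1/auth/kubernetes/login",
                 payload={"role": env["VAULT_ROLE"], "jwt": jwt})
    vault_token = login["auth"]["client_token"]
    # Read the secret with the Vault token (assumed KV v2 response layout).
    body = http(f"{base}/v1/{env['VAULT_SECRETS_PATH']}", token=vault_token)
    return body["data"]["data"][key]


def resolve_secret(key, default=None, env=os.environ, **vault_kwargs):
    """Vault first (when enabled), then the environment, then the default."""
    if env.get("VAULT_ENABLED", "false").lower() == "true":
        try:
            return read_from_vault(key, env, **vault_kwargs)
        except (OSError, KeyError, ValueError, TypeError):
            # Swallowed on purpose to mirror the fallback; log this in real
            # deployments so a Vault outage is not masked by a stale env value.
            pass
    return env.get(key, default)
```
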
Hashes for ytkubevault-0.1.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 0ad1ac0b2c00a42f5c47268e1bfd7786a7c13afdcc424a20b351ba86bdc1b524
MD5 | fa92197e53d2d3b6b2ee2e79d9d7e59c
BLAKE2b-256 | 12dbc7762e8943248ed2198ffd23bea010e5fa188879a0a0874fa0320de466af