A convenient wrapper for getting secrets from HashiCorp Vault in Kubernetes
ytkubevault
ytkubevault is a lightweight wrapper for reading secrets from HashiCorp Vault running in Kubernetes.
When a microservice needs to fetch a secret value from Vault, it first has to read a token from the pod it runs in. That token is then used to communicate with Vault in order to obtain a second token, which your service uses to get the secrets. ytkubevault simplifies this process with one function, get_secret_or_env(key: default:), which first tries to obtain the secret from Vault and, if that does not succeed, reads it from the environment. A default value can be provided as the last resort.
This is especially convenient when you are developing locally, or the application is being built in a CI/CD pipeline where the first token is not available.
Install
pip install ytkubevault
Usage
First define the following environment variables:
- VAULT_ENABLED
- VAULT_ROLE
- VAULT_URL
- VAULT_SECRETS_PATH
By default, VAULT_ENABLED is "false". To enable reading from Vault, set it to "true" (case-insensitive). Then:
from ytkubevault import get_secret_or_env
db_password = get_secret_or_env("DATABASE_PASSWORD")
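The lookup order described above (pod token, Vault login, secret read, then environment, then default), written out as an added sketch that is not ytkubevault's own code. It assumes Vault's Kubernetes auth method mounted at auth/kubernetes, a KV v2 secret, and VAULT_SECRETS_PATH holding the API path below /v1/; fetch_secret, http_json and the (value, source) return shape are hypothetical names chosen here so a caller can tell when a fallback was used.

```python
import json
import os
import urllib.request

# Standard location of the pod's service-account token (the "first token").
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def http_json(url, payload=None, headers=None):
    """Minimal JSON-over-HTTP helper: POST when payload is given, else GET."""
    headers = dict(headers or {})
    data = None
    if payload is not None:
        data = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def fetch_secret(key, default=None, env=os.environ, http=http_json,
                 token_path=SA_TOKEN_PATH):
    """Return (value, source); source is 'vault', 'env', 'default' or None."""
    if env.get("VAULT_ENABLED", "false").lower() == "true":
        try:
            with open(token_path) as fh:          # first token: pod identity
                jwt = fh.read().strip()
            base = env["VAULT_URL"].rstrip("/")
            login = http(base + "/v1/auth/kubernetes/login",
                         payload={"role": env["VAULT_ROLE"], "jwt": jwt})
            vault_token = login["auth"]["client_token"]  # second token
            body = http(base + "/v1/" + env["VAULT_SECRETS_PATH"].strip("/"),
                        headers={"X-Vault-Token": vault_token})
            return body["data"]["data"][key], "vault"    # KV v2 layout (assumed)
        except (OSError, KeyError, ValueError):
            pass  # fall through to the environment; never log token or value
    if key in env:
        return env[key], "env"
    if default is not None:
        return default, "default"
    return None, None
```

Returning the source lets a production service refuse to start when a credential came from "default" instead of silently running with a placeholder value.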
Hashes for ytkubevault-0.1.2-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | ad83f2492fbe2f9c83306126ff3a684b1ef2ffc4fb1a33ddf9a2716a5b9c8251
MD5 | dbd7855f861f69c7939923c5dd8a080b
BLAKE2b-256 | 9cba3adeb5d84f18afa405b124a1dfc9b8516b615edf870c442dc68c38472ae0