Merge pull request #226 from gocardless/benwh/vault-files-bug

.dockerignore

@@ -7,5 +7,5 @@ config/
 
 # Acceptance test suites don't need recompiling into our docker image
 cmd/acceptance/
-cmd/theatre-envconsul/acceptance/
+cmd/theatre-secrets/acceptance/
 pkg/workloads/console/acceptance/

.goreleaser.yml

@@ -24,9 +24,9 @@ builds:
       - CGO_ENABLED=0
 
   - <<: *commonBuildConfig
-    id: theatre-envconsul
-    binary: theatre-envconsul
-    main: cmd/theatre-envconsul/main.go
+    id: theatre-secrets
+    binary: theatre-secrets
+    main: cmd/theatre-secrets/main.go
 
   - <<: *commonBuildConfig
     id: vault-manager

Dockerfile

@@ -2,15 +2,6 @@
 FROM golang:1.14.5 as builder
 WORKDIR /go/src/github.com/gocardless/theatre
 
-# Clone our fork of envconsul and build it
-RUN set -x \
-      && git clone https://github.com/gocardless/envconsul.git \
-      && cd envconsul \
-      && git checkout 2eb7fdc4dd1a13464e9a529e324ffd9b8d12ce25 \
-      && make linux/amd64 \
-      && mkdir ../bin \
-      && mv pkg/linux_amd64/envconsul ../bin
-
 COPY . /go/src/github.com/gocardless/theatre
 RUN make VERSION=$(cat VERSION) build
 

Makefile

@@ -1,4 +1,4 @@
-PROG=bin/rbac-manager bin/vault-manager bin/theatre-envconsul bin/workloads-manager bin/theatre-consoles
+PROG=bin/rbac-manager bin/vault-manager bin/theatre-secrets bin/workloads-manager bin/theatre-consoles
 PROJECT=github.com/gocardless/theatre
 IMAGE=eu.gcr.io/gc-containers/gocardless/theatre
 VERSION=$(shell git rev-parse --short HEAD)-dev
@@ -37,7 +37,7 @@ vet:
 	go vet ./cmd/rbac-manager/...
 	go vet ./cmd/vault-manager/...
 	go vet ./cmd/workload-manager/...
-	go vet ./cmd/theatre-envconsul/...
+	go vet ./cmd/theatre-secrets/...
 
 generate: controller-gen
 	$(CONTROLLER_GEN) object paths="./apis/rbac/..."

README.md

@@ -47,8 +47,8 @@ expected to create or mutate pods, deployments, etc.
 Utilities for interacting with Vault. Primarily used to inject secret material
 into pods by use of annotations.
 
-- `envconsul-injector.vault.crd.gocardless.com` webhook for injecting the
-  `theatre-envconsul` tool to populate a container's environment with secrets
+- `secrets-injector.vault.crd.gocardless.com` webhook for injecting the
+  `theatre-secrets` tool to populate a container's environment with secrets
   from Vault before executing.
 
 ## Command line interfaces
@@ -63,11 +63,11 @@ list, attach to and authorise [consoles](#workloads).
 
 Run: `go run cmd/theatre-consoles/main.go`
 
-### theatre-envconsul
+### theatre-secrets
 
-See the [command README](cmd/theatre-envconsul/README.md) for further details.
+See the [command README](cmd/theatre-secrets/README.md) for further details.
 
-Run: `go run cmd/theatre-envconsul/main.go`
+Run: `go run cmd/theatre-secrets/main.go`
 
 ## Getting Started
 

apis/vault/v1alpha1/README.md

@@ -1,8 +1,7 @@
 # vault
 
-[envconsul]: https://github.com/hashicorp/envconsul
-[theatre-envconsul]: ../../../cmd/theatre-envconsul
-[theatre-envconsul-acceptance]: ../../../cmd/theatre-envconsul/acceptance/acceptance.go
+[theatre-secrets]: ../../../cmd/theatre-secrets
+[theatre-secrets-acceptance]: ../../../cmd/theatre-secrets/acceptance/acceptance.go
 
 This package contains any CRDs and webhooks GoCardless use to interact with
 Vault. At present, the only thing we provide is a webhook to automatically
@@ -24,18 +23,18 @@ supported by the Vault ecosystem.
 Instead, we've built a webhook that listens for pods with an annotations like:
 
 ```
-envconsul-injector.vault.crd.gocardless.com/configs: app:config/env.yaml
+secrets-injector.vault.crd.gocardless.com/configs: app:config/env.yaml
 ```
 
 When our webhook sees this annotation, it tries configuring the `app` container
 to pull secrets from Vault, using the configuration from the `config/env.yaml`
 file within the container. It resolves these secrets and sets them as
 environment variables, finally running the original container process.
 
-The webhook makes use of the [`theatre-envconsul`][theatre-envconsul] command to
+The webhook makes use of the [`theatre-secrets`][theatre-secrets] command to
 perform an authentication dance with Vault. Once we've acquired a Vault token,
 we translate our simple [configuration file format](#config) into a Hashicorp
-[envconsul][envconsul] config file, then use envconsul to perform the fetching
+[secrets][secrets] config file, then use secrets to perform the fetching
 and lease-management of the secret values.
 
 ## Configuring Vault
@@ -49,15 +48,33 @@ authentication exchange works as follows:
   review request against the API server configured on this auth backend. If the
   request succeeds, we know the token is valid, and we permit the login
 
-The theatre-envconsul acceptance tests verify this flow against a Vault server.
-If anything is unclear, look at the [Prepare][theatre-envconsul-acceptance]
+The theatre-secrets acceptance tests verify this flow against a Vault server.
+If anything is unclear, look at the [Prepare][theatre-secrets-acceptance]
 method for how we configure the test Vault server.
 
 ## How does the webhook work
 
 Once installed, the webhook will listen for containers with a specific
 annotation:
 
+```yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app
+  annotations:
+    "secrets-injector.vault.crd.gocardless.com/configs": "app"
+    "envconsul-injector.vault.crd.gocardless.com/configs": "app"
+spec:
+  containers:
+    - name: app
+      command:
+        - env
+```
+Currently we still support the now deprecated envconsul-injector annotation as
+well. The two should not be used together.
+
 ```yaml
 ---
 apiVersion: v1
@@ -77,14 +94,11 @@ We will modify this pod to do the following...
 
 ### 1. Install binaries
 
-Add an init container that installs `theatre-envconsul` and the Hashicorp
-[envconsul][envconsul] tool into a temporary installation path volume. We use
-a default storage medium (likely a physical disk backed root filesystem) for
-storage, as the sum of these injected binaries can become quite large.
-
-This installation volume will be mounted into any of the containers that are
-targeted by the `envconsul-injector.vault.crd.gocardless.com/configs`
-annotation. In our example, this means the `app` container is the only target.
+Add an init container that installs the `theatre-secrets` tool into a temporary
+installation path volume. We use a default storage medium. This installation
+volume will be mounted into any of the containers that are targeted by the
+`secrets-injector.vault.crd.gocardless.com/configs` annotation. In our example,
+this means the `app` container is the only target.
 
 ```yaml
 ---
@@ -93,26 +107,26 @@ kind: Pod
 metadata:
   name: app
   annotations:
-    "envconsul-injector.vault.crd.gocardless.com/configs": "app"
+    "secrets-injector.vault.crd.gocardless.com/configs": "app"
 spec:
   initContainers:
-    - name: theatre-envconsul-injector
+    - name: theatre-secrets-injector
       image: theatre:latest
       imagePullPolicy: IfNotPresent
       command:
-        - theatre-envconsul
+        - theatre-secrets
         - install
         - --path
         - /var/run/theatre
       volumeMounts:
         - mountPath: /var/run/theatre
-          name: theatre-envconsul-install
+          name: theatre-secrets-install
   containers:
     - name: app
       command:
         - env
   volumes:
-    - name: theatre-envconsul-install
+    - name: theatre-secrets-install
       emptyDir: {}
 ```
 
@@ -134,33 +148,33 @@ kind: Pod
 metadata:
   name: app
   annotations:
-    "envconsul-injector.vault.crd.gocardless.com/configs": "app"
+    "secrets-injector.vault.crd.gocardless.com/configs": "app"
 spec:
   initContainers: ...
   containers:
     - name: app
       command:
         - env
       volumeMounts:
-        - name: theatre-envconsul-serviceaccount
+        - name: theatre-secrets-serviceaccount
           mountPath: /var/run/secrets/kubernetes.io/vault
   volumes:
-    - name: theatre-envconsul-install
+    - name: theatre-secrets-install
       emptyDir: {}
-    - name: theatre-envconsul-serviceaccount
+    - name: theatre-secrets-serviceaccount
       projected:
         sources:
           - serviceAccountToken:
               path: token
               expirationSeconds: 900
 ```
 
-### 3. Prepend theatre-envconsul inject
+### 3. Prepend theatre-secrets inject
 
 The container must resolve secrets before we run the original command. We use
-theatre-envconsul to perform the resolution, then exec the original container
+theatre-secrets to perform the resolution, then exec the original container
 command. The application container has access to the theatre binaries via the
-init container, having installed them in the `theatre-envconsul-install` volume:
+init container, having installed them in the `theatre-secrets-install` volume:
 
 ```yaml
 ---
@@ -169,13 +183,13 @@ kind: Pod
 metadata:
   name: app
   annotations:
-    "envconsul-injector.vault.crd.gocardless.com/configs": "app"
+    "secrets-injector.vault.crd.gocardless.com/configs": "app"
 spec:
   initContainers: ...
   containers:
     - name: app
       command:
-        - /var/run/theatre/theatre-envconsul
+        - /var/run/theatre/theatre-secrets
       args:
         - exec
         - --vault-address=http://vault.vault.svc.cluster.local:8200
@@ -185,14 +199,14 @@ spec:
         - --
         - env
       volumeMounts:
-        - name: theatre-envconsul-install
+        - name: theatre-secrets-install
           mountPath: /var/run/theatre
-        - name: theatre-envconsul-serviceaccount
+        - name: theatre-secrets-serviceaccount
           mountPath: /var/run/secrets/kubernetes.io/vault
   volumes:
-    - name: theatre-envconsul-install
+    - name: theatre-secrets-install
       emptyDir: {}
-    - name: theatre-envconsul-serviceaccount
+    - name: theatre-secrets-serviceaccount
       projected:
         sources:
           - serviceAccountToken: