atarraya

atarraya is a solution designed to inject secrets from an Azure Key Vault into Pods running in Azure Kubernetes Service (AKS), using environment variables.

With atarraya it's possible to avoid the use of Kubernetes secrets and any code modification related to connecting and querying secrets from an Azure Key Vault.

This project is an evolution of my work on az-keyvault-reader and inspired by the following post: Inject secrets directly into Pods from Vault revisited by Nandor Kracser for BanzaiCloud

Killing the project in favor of Dapr

Since Enable GET for secret stores to dynamically fetch secrets work was finished and merged please use Dapr as the standard way to access secrets via a sidecar.

Disclaimer

atarraya is not production ready

Components

• atarraya-webhook: A Mutating Admission Webhook designed to inject an executable (atarraya) into the containers inside Pods in such a way that the containers runs it instead of running the original application.
• atarraya: A wrapper executable designed to read secrets from an Azure Key Vault and inject them as environment variables into a process that runs the original application of the containers.

Dependencies

atarraya works better if used with AAD Pod Identities.

atarraya-webhook Installation

To install run:

git clone https://github.com/cmendible/atarraya.git
helm install atarraya-webhook ./atarraya/charts/atarraya-webhook --namespace kube-system

To uninstall run:

helm uninstall atarraya-webhook --namespace kube-system

How it works

1. When a deployment is pushed to Kubernetes, atarraya-webhook check for the atarraya/keyvault annotation to see if it needs to do its magic.
2. If the atarraya/keyvault annotation is present, atarraya-webhook proceeds as follows:
   1. Mutates each container so it executes atarraya instead of the original application
   2. Mounts the volume named atarraya-volume where the atarraya will live
   3. Injects an init container named az-atarraya-init which copies the atarraya executable into the atarraya-volume volume.
   4. Injects a memory based volume named atarraya-volume
   5. And injects an annotation to mark the container to avoid duplicate processing.
3. With atarraya-webhook's work finished the init container runs and copies the atarraya executable into the atarraya-volume volume
4. Then the container runs atarraya which does the following:
   1. Reads all environment variables
   2. If environment variables starting with ATARRAYA_SECRET_ exists, the executable strips the ATARRAYA_SECRET_ prefix from the name of the variables and use the remaining value to querie for secrets in the Azure Key Vault specified by the atarraya/keyvault annotation.
   3. A new process is started where secrets are injected as environment variables without the ATARRAYA_SECRET_ prefix and the original application of the container is executed.

Sample

Deploying the following yaml to Kubernetes:

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: az-atarraya-test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: az-atarraya-test
        aadpodidbinding: requires-vault
      annotations:
        atarraya/keyvault: <KEYVAULT NAME>
    spec:
      containers:
        - name: testbox
          image: alpine:3.10
          command: ["sh", "-c", "echo $<SECRET NAME>"]
          imagePullPolicy: IfNotPresent
          env:
            - name: ATARRAYA_SECRET_<SECRET NAME>
          resources:
            requests:
              memory: "16Mi"
              cpu: "100m"
            limits:
              memory: "32Mi"
              cpu: "200m"

will result in the following running inside the cluster:

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: az-atarraya-test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: az-atarraya-test
        aadpodidbinding: requires-vault
    spec:
      initContainers:
        - name: az-atarraya-init
          image: cmendibl3/atarraya:0.1
          imagePullPolicy: Always
          command: ["sh", "-c", "cp /usr/local/bin/atarraya /atarraya/"]
          volumeMounts:
            - mountPath: "/atarraya/"
              name: atarraya-volume
      containers:
        - name: testbox
          image: alpine:3.10
          command:
            - /atarraya/atarraya
          args:
            - sh
            - -c
            - echo $<SECRET NAME>
          imagePullPolicy: IfNotPresent
          env:
            - name: ATARRAYA_SECRET_<SECRET NAME>
            - name: ATARRAYA_AZURE_KEYVAULT_NAME
              value: "<KEYVAULT NAME>"
          resources:
            requests:
              memory: "16Mi"
              cpu: "100m"
            limits:
              memory: "32Mi"
              cpu: "200m"
          volumeMounts:
            - mountPath: "/atarraya/"
              name: atarraya-volume
      volumes:
        - name: atarraya-volume
          emptyDir:
            medium: Memory

What's the meaning of atarraya?

atarraya is the Venezuelan name for a kind of fishing net which is thrown by hand in such a manner that it spreads out while it's in the air before it sinks into the water.