Introduction to the Client

The client container fetches the secrets it is configured for and periodically refreshes a configuration file that it writes to a shared volume. The volume is shared between the containers of the pod (see example.yml).

Be sure to add a volume mount for that shared volume to your application container, as follows.

volumeMounts:
- name: client-volume
  mountPath: /var/secret/

For the container running the DSV client, define the following environment variables:

env:
- name: REFRESH_TIME
  value: 5s
- name: THY_SECRETS
  value: resources/us-east-1/server1
- name: POD_IP
  valueFrom:
    fieldRef:
      fieldPath: status.podIP
- name: POD_NAME
  valueFrom:
    fieldRef:
      fieldPath: metadata.name

THY_SECRETS defines the path(s) of the secrets the client fetches, as a space-separated list. REFRESH_TIME is the interval at which the client re-fetches them and rewrites the shared file.
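As an added example (not part of this page or the dsv-k8s-client project), a small Python consumer for the application container: it re-reads the shared mount on the client's refresh cadence and reports a secret as changed only when its content differs, since the client rewrites the file every REFRESH_TIME. The layout under /var/secret/ is an assumption: every regular file there is treated as one opaque secret document.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Mount point of the shared emptyDir in the application container (from the
# manifest above). The layout inside it is an assumption: every regular file
# under the mount is treated as one opaque secret document.
SECRET_DIR = "/var/secret"


def _read(path: str) -> bytes:
    """Bytes of a file, or b"" if it is missing or momentarily unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def snapshot(secret_dir: str = SECRET_DIR) -> Dict[str, str]:
    """SHA-256 of each regular file under secret_dir, keyed by file name.
    Content is hashed instead of comparing mtime: the sidecar rewrites the
    file every REFRESH_TIME, so mtime moves even when nothing changed.
    """
    state: Dict[str, str] = {}
    try:
        names = os.listdir(secret_dir)
    except OSError:  # volume not mounted yet: treat as empty, not fatal
        return state
    for name in names:
        path = os.path.join(secret_dir, name)
        if os.path.isfile(path):
            state[name] = hashlib.sha256(_read(path)).hexdigest()
    return state


def poll_once(prev: Dict[str, str], on_change,
              secret_dir: str = SECRET_DIR) -> Tuple[Dict[str, str], List[str]]:
    """One refresh cycle: the new state plus the names whose content changed.

    Call this every REFRESH_TIME (5s in the manifest). on_change(name, data)
    gets the new bytes (b"" if the file vanished) and must never log them. A
    file caught mid-write simply shows up again on the next cycle.
    """
    cur = snapshot(secret_dir)
    changed = sorted(n for n in set(prev) | set(cur) if prev.get(n) != cur.get(n))
    for name in changed:
        on_change(name, _read(os.path.join(secret_dir, name)))
    return cur, changed
```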

Example YAML

apiVersion: v1
kind: Secret
metadata:
  name: thycotic-keys
  namespace: default
type: Opaque
# data is omitted here: populate it with the key material the client expects;
# it is mounted read-only at /tmp/keys in the client container below.

---

apiVersion: apps/v1   # Deployment belongs to the apps group, not core v1
kind: Deployment
metadata:
  name: secret-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secret-example
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  template:
    metadata:
      labels:
        app: secret-example
      annotations:
        dsv: testtenant
    spec:
      containers:
      # your application: it only reads what the client writes, so
      # readOnly: true is the safer setting for its mount
      - name: bambe-example
        image: <your app image>
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: client-volume
          mountPath: /var/secret/
      # the DSV client sidecar: fetches the secrets and writes them to the shared volume
      - name: bambe-client
        image: thycotic/dsv-k8s-client:<tagname>
        imagePullPolicy: IfNotPresent
        env:
        - name: REFRESH_TIME
          value: 5s
        - name: THY_SECRETS
          value: resources/us-east-1/server1
        - name: LOG_LEVEL
          value: error
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_SERVICEACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        volumeMounts:
        - name: client-volume
          mountPath: /var/secret/
          readOnly: false
        - name: secretkey
          mountPath: /tmp/keys
          readOnly: true
      volumes:
      - name: client-volume
        emptyDir: {}   # medium: Memory keeps the fetched secrets off the node's disk
      - name: secretkey
        secret:
          secretName: thycotic-keys