v3.0.0 Remove envconsul dependency from theatre-envconsul
Previously we've shelled-out to the envconsul binary in order to
retrieve our secret material from Vault. Through this we've discovered
several shortcomings:

- Failure to provision 'secret files' which have large/non-ASCII bodies.
- Failure to provision environment variables which are referencing the
  same Vault key path.
- Hanging when a process is wrapped with envconsul but there's no
  secret material to fetch.
- Workarounds required for shellwords splitting.

By removing envconsul and implementing the fetching from Vault
ourselves we simplify the code significantly and end up with something
that's more performant and easy to reason about, as well as fixing the
above issues.

We also change the namespace annotation to enable the webhook from
envconsul-secrets-injector to theatre-secrets-injector. We retain
support for the old pod annotation envconsul-injector.vault.crd.gocardless.com
to allow for a phased migration.

e1820c8 theatre-envconsul: add support for writing files
8e45f2c theatre-envconsul: Fix double error logging
4f9b21d theatre-envconsul: Log envconsul output upon failure
32c81b5 theatre-envconsul: acceptance test for vault-file support
daf489b Remove envconsul dependency from theatre-envconsul
08844bf Update tests for theatre-secrets/envconsul
d272c98 %s/envconsul/secrets/g
b8159db theatre-secrets: support old theatre-envconsul annotation