Comments (6)
Linking the slack thread here for future reference.
from secrets-store-csi-driver-provider-azure.
Writing down recommendations from the slack thread:
- Use the upcoming secret sync controller to have full offline support (i.e. tolerate any form of failure, not just one AKV region having an issue)
- Write a generic provider that can multiplex across N providers (which could be different types altogether)
- Work with sig-storage folks to expand CSI drivers to support optional volume mounts so that N providers can be used to provide the same secrets
from secrets-store-csi-driver-provider-azure.
This is the slack thread in sig-storage
.
I'd like to respectfuly say, all the options seem as: "do it from your side or go to another place".
It is a fact that the component isn't resilient to any kind of disruption, which can be a no-go for productive scenarios.
Not storing the secrets in k8s API is the main reason for using the csi. Storing the secrets in k8s API instead of a fallback/failover/justanothercall it's already managed by other 3rd parties and it's quite less secure than using CSI.
from secrets-store-csi-driver-provider-azure.
Hi again ✋ !
I've presented the topic in the SIG-Storage meeting (Jan 25th) where there's been a SIG lead and the conclusion from the SIG is that it's the CSI-drive (this component) who has to handle the failures and high availability features as making the volume optional, only moves the problem from the k8s layer to the application layer.
Is it now something open to discuss or doing it by myself the only option that's left?
Currently, the component isn't resilient to Azure Key Vault failures and it's a single point of failure indeed, which is a problem at least for us (and that's why we are willing to contribute with this)
from secrets-store-csi-driver-provider-azure.
Hello @enj !
Is there any update realted with this?
from secrets-store-csi-driver-provider-azure.
Hello @enj !
Have you had an opportunity to see this by chance?
from secrets-store-csi-driver-provider-azure.
Related Issues (20)
- Secrets Store CSI Driver certificate not refresh after AKV certificate renewal HOT 1
- [Question] How to calculate how many calls are made to KeyVault? HOT 2
- Sync all secrets of a key vault instead of referencing each one separately
- [Question] Understanding how many calls are made to KeyVault? HOT 7
- store whole list of environment variables as bulk key = value pairs converted base 64 string store as secret I want to mount all of encrypted base 64 string to decrypt and for each key value pairs environment variables should mount to the pod
- K8s Secret Not Created HOT 2
- CVE-2023-48795, CVE-2023-3978, CVE-2023-2878 HOT 1
- Do not provide client id in SecretProviderClass
- Backstage (https://backstage.io/) Application Deployment on AKS: Unable to expose Azure key vault secrets as environment variables HOT 3
- Add a flag to configure the default cloud environment
- Scan images CI job failing for `provider-azure-arc-conformance` image
- Usage of an outdated telegraf 1.21 version HOT 3
- [Feature request] Reject input with invisible/zero-width character
- add support for the resource id as userAssignedIdentityID
- Sync certificates without mounting a volume
- Make `hostNetwork` configurable in the helm charts
- Upgrade "csi-secret-store-provider-driver" failed: pre-upgrade hooks failed: * job secrets-store-csi-driver-upgrade-crds failed: BackoffLimitExceeded
- Avoid requesting the same secret more than once
- Remove `adal` dep in the provider
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secrets-store-csi-driver-provider-azure.