Comments (7)

ricoberger avatar ricoberger commented on July 3, 2024

Hi, this should work. For example, if you create the following Docker secret

kubectl create secret docker-registry registry --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

the corresponding secret in Vault looks like this:

vault secrets enable -path=kvv1 -version=1 kv

vault kv put kvv1/registry .dockerconfigjson='{"auths":{"DOCKER_REGISTRY_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}'

This Vault secret can be used with the following CR. The important thing here is to set the spec.type field to kubernetes.io/dockerconfigjson.

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: registry
spec:
  keys:
    - .dockerconfigjson
  path: kvv1/registry
  type: kubernetes.io/dockerconfigjson

This should also work for a secret that contains a TLS private key and certificate:

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: certificate
spec:
  keys:
    - tls.crt
    - tls.key
  path: kvv1/certificate
  type: kubernetes.io/tls

This would assume that you have a Vault secret named certificate with the keys tls.crt and tls.key containing the certificate and the private key.

from vault-secrets-operator.
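As an added example (not part of this thread and not code from vault-secrets-operator), the following Python builds the .dockerconfigjson document that kubectl create secret docker-registry produces, reproducing the base64 auth field shown in the vault kv put command above, and checks a Vault KV payload against a VaultSecret spec before it would be turned into a Kubernetes secret. The check_vault_secret helper and its treatment of spec.keys as optional are my assumptions, as are the constructed sample values.

```python
import base64
import json

# Constructed sample values that mirror the placeholders used in the comment.
SAMPLE_SERVER = "DOCKER_REGISTRY_SERVER"
SAMPLE_USER = "DOCKER_USER"
SAMPLE_PASSWORD = "DOCKER_PASSWORD"
SAMPLE_EMAIL = "DOCKER_EMAIL"

# Data keys each Kubernetes secret type must carry; the CRs in the comment
# list exactly these names under spec.keys.
REQUIRED_KEYS = {
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
}


def build_dockerconfigjson(server, username, password, email):
    """Return the .dockerconfigjson value kubectl writes for a docker-registry secret.

    `auth` is base64("username:password"); the plaintext username and password
    are stored as well, so the whole document is credential material and must
    be kept in Vault with the same care as the password itself.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {server: {"username": username, "password": password,
                              "email": email, "auth": auth}}}
    # Compact separators reproduce the single-line form stored in Vault.
    return json.dumps(doc, separators=(",", ":"))


def check_vault_secret(cr_spec, vault_data):
    """Validate a Vault KV payload against a VaultSecret spec (hypothetical pre-sync check).

    Returns a list of problems; an empty list means the data can become a
    Kubernetes secret of the requested type. spec.keys is treated as optional
    (assumption): when it is absent, every key stored in Vault is synced.
    """
    problems = []
    secret_type = cr_spec.get("type", "Opaque")
    wanted = set(cr_spec.get("keys") or vault_data.keys())

    missing = wanted - vault_data.keys()
    if missing:
        problems.append(f"keys listed in spec.keys are absent from Vault: {sorted(missing)}")

    missing_required = REQUIRED_KEYS.get(secret_type, set()) - wanted
    if missing_required:
        problems.append(f"type {secret_type} requires keys {sorted(missing_required)}")

    # For registry credentials, make sure the document is well-formed and that
    # the auth field agrees with username:password; a mismatch means the value
    # was hand-edited or corrupted, and image pulls would fail at runtime.
    if secret_type == "kubernetes.io/dockerconfigjson" and ".dockerconfigjson" in vault_data:
        try:
            auths = json.loads(vault_data[".dockerconfigjson"])["auths"]
            for server, entry in auths.items():
                expected = base64.b64encode(
                    f"{entry['username']}:{entry['password']}".encode()).decode()
                if entry.get("auth") != expected:
                    problems.append(f"auth field for {server} does not match username:password")
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            problems.append(f".dockerconfigjson is not a valid docker config: {exc!r}")
    return problems


if __name__ == "__main__":
    doc = build_dockerconfigjson(SAMPLE_SERVER, SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_EMAIL)
    print(doc)
    spec = {"keys": [".dockerconfigjson"], "path": "kvv1/registry",
            "type": "kubernetes.io/dockerconfigjson"}
    print("problems:", check_vault_secret(spec, {".dockerconfigjson": doc}))
```

Running the block prints the same JSON that the vault kv put command above stores, which is a quick way to confirm that a hand-written Vault entry matches what kubectl would have generated before pointing a VaultSecret CR at it.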

ecojan avatar ecojan commented on July 3, 2024

Thank you very much! One last question, is there any way of giving the Vault Token from a mounted volume?
Up until now I've been using Vault Agent to do the Auth part and storing the token to be used.

ricoberger avatar ricoberger commented on July 3, 2024

Hi, no problem. The recommended approach for authentication is the Kubernetes Auth Method. Therefore the service account is used for authentication and it is not necessary to store the token.

vault:
  address: "http://vault:8200"
  authMethod: kubernetes
  kubernetesPath: auth/kubernetes
  kubernetesRole: vault-secrets-operator

serviceAccount:
  create: true
  name: vault-secrets-operator

If you want to use the Token Auth Method you can pass the token via secret to the operator.

kubectl create secret generic vault-secrets-operator --from-literal=VAULT_TOKEN=<TOKEN> --from-literal=VAULT_TOKEN_LEASE_DURATION=86400

environmentVars:
  - envName: VAULT_TOKEN
    secretName: vault-secrets-operator
    secretKey: VAULT_TOKEN
  - envName: VAULT_TOKEN_LEASE_DURATION
    secretName: vault-secrets-operator
    secretKey: VAULT_TOKEN_LEASE_DURATION

vault:
  address: "http://vault:8200"
  authMethod: token

I hope this helps you further.

ecojan avatar ecojan commented on July 3, 2024

The authentication workflow with Vault Agent was to actually do the auth (based on a path and some configurations) and store the token in a shared mounted volume (where the Vault Agent resides as an initContainer, and the actual syncing application is the main container).

Unfortunately this is a requirement in my case 😢.
That is why I asked if there is any way of getting the token from a path and not only as an environment variable.

ricoberger avatar ricoberger commented on July 3, 2024

Ah ok, I get it. Maybe we can introduce another environment variable VAULT_TOKEN_PATH which is used when VAULT_AUTH_METHOD is token and VAULT_TOKEN is empty. Besides that, the Helm chart must be adjusted to allow the mounting of a volume.

Would that be an option?

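The two authentication modes from the earlier comment (Kubernetes auth via the service account, token auth via VAULT_TOKEN) together with the VAULT_TOKEN_PATH fallback proposed here, written out as an added Python example; this is not operator code and VAULT_TOKEN_PATH is hypothetical until the PR lands. The VAULT_KUBERNETES_PATH and VAULT_KUBERNETES_ROLE variable names are assumed stand-ins for the chart's kubernetesPath and kubernetesRole values, the 86400 default lease is assumed, and read_file is injectable so the file-based path runs without a real mounted volume.

```python
from pathlib import Path


class AuthConfigError(Exception):
    """Raised when the environment does not describe a usable auth setup."""


def resolve_vault_auth(env, read_file=None):
    """Pick the Vault auth method from the operator's environment.

    `env` is any mapping (pass os.environ in practice). `read_file` is
    injectable so the file-based token path can be exercised without a
    mounted volume. The returned dict names the method and where the
    credential came from; for token auth it also carries the token itself.
    """
    read_file = read_file or (lambda p: Path(p).read_text())
    method = env.get("VAULT_AUTH_METHOD", "")

    if method == "kubernetes":
        # The operator logs in with its service account JWT, so no long-lived
        # token is stored in a secret or on disk. The variable names below are
        # assumed stand-ins for the chart's kubernetesPath / kubernetesRole.
        role = env.get("VAULT_KUBERNETES_ROLE", "")
        if not role:
            raise AuthConfigError("kubernetes auth requires VAULT_KUBERNETES_ROLE")
        return {"method": "kubernetes",
                "path": env.get("VAULT_KUBERNETES_PATH", "auth/kubernetes"),
                "role": role}

    if method == "token":
        token = env.get("VAULT_TOKEN", "")
        source = "env:VAULT_TOKEN"
        if not token:
            # VAULT_TOKEN_PATH is the hypothetical variable proposed in the
            # thread: consulted only when VAULT_TOKEN is empty, e.g. when a
            # Vault Agent init container wrote the token into a shared volume.
            token_path = env.get("VAULT_TOKEN_PATH", "")
            if not token_path:
                raise AuthConfigError("token auth requires VAULT_TOKEN or VAULT_TOKEN_PATH")
            token = read_file(token_path).strip()
            source = f"file:{token_path}"
        if not token:
            raise AuthConfigError(f"Vault token from {source} is empty")
        # Lease duration drives token renewal; 86400 is the value used in the
        # kubectl example above, taken here as the assumed default.
        lease = int(env.get("VAULT_TOKEN_LEASE_DURATION", "86400"))
        return {"method": "token", "source": source,
                "lease_seconds": lease, "token": token}

    raise AuthConfigError(f"unsupported VAULT_AUTH_METHOD {method!r}")


if __name__ == "__main__":
    # Constructed environments for the three configurations discussed above.
    k8s_env = {"VAULT_AUTH_METHOD": "kubernetes",
               "VAULT_KUBERNETES_ROLE": "vault-secrets-operator"}
    env_token = {"VAULT_AUTH_METHOD": "token", "VAULT_TOKEN": "<TOKEN>",
                 "VAULT_TOKEN_LEASE_DURATION": "86400"}
    file_token = {"VAULT_AUTH_METHOD": "token", "VAULT_TOKEN_PATH": "/vault/token"}
    print(resolve_vault_auth(k8s_env))
    print(resolve_vault_auth(env_token)["source"])
    print(resolve_vault_auth(file_token, read_file=lambda p: "<TOKEN>\n")["source"])
```

The ordering matters for the failure mode in the thread: an operator that only reads VAULT_TOKEN would start with an empty token and fail at the first Vault call, whereas resolving the file path up front lets the pod fail fast with a clear configuration error when neither source is set.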

ecojan avatar ecojan commented on July 3, 2024

That would be perfect. I think that would also solve any Auth logic for all other paths, if anyone else wants to use the Vault Agent way.

ricoberger avatar ricoberger commented on July 3, 2024

@dieser94 if you find the time, maybe you could take a look at the PR #15.
