Comments (7)
Hi, this should work. For example: if you create the following Docker secret

```shell
kubectl create secret docker-registry registry --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
```

the corresponding secret in Vault looks like this:

```shell
vault secrets enable -path=kvv1 -version=1 kv
vault kv put kvv1/registry .dockerconfigjson='{"auths":{"DOCKER_REGISTRY_SERVER":{"username":"DOCKER_USER","password":"DOCKER_PASSWORD","email":"DOCKER_EMAIL","auth":"RE9DS0VSX1VTRVI6RE9DS0VSX1BBU1NXT1JE"}}}'
```
This Vault secret can be used with the following CR. The important thing here is to set the `spec.type` field to `kubernetes.io/dockerconfigjson`.

```yaml
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: registry
spec:
  keys:
    - .dockerconfigjson
  path: kvv1/registry
  type: kubernetes.io/dockerconfigjson
```
This should also work for a secret that contains a TLS private key and certificate:

```yaml
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: certificate
spec:
  keys:
    - tls.crt
    - tls.key
  path: kvv1/certificate
  type: kubernetes.io/tls
```

This would assume that you have a Vault secret named `certificate` with a key `tls.crt` and `tls.key` containing the certificate and the private key.
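As an added illustration (not code from the thread or from vault-secrets-operator), the snippet below builds the same `.dockerconfigjson` payload that `kubectl create secret docker-registry` produces, including the `auth` field that is base64 of `user:password`, and checks a VaultSecret CR (as a dict) against the keys actually stored at the referenced Vault path for the two secret types discussed above. The `REQUIRED_KEYS` table and the "no `keys` means all keys" rule are assumptions of this example; all values are constructed placeholders.

```python
import base64
import json

# Keys that kubelet expects for each built-in secret type (assumption of this
# example; these are the two types discussed in the thread).
REQUIRED_KEYS = {
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},
    "kubernetes.io/tls": {"tls.crt", "tls.key"},
}


def docker_config_json(server, user, password, email):
    """Return the JSON string to store under the .dockerconfigjson key.

    The "auth" field is base64(user:password); this is what kubelet sends as
    the Basic auth header when pulling from the registry, so it must match the
    plaintext username/password fields.
    """
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password,
                              "email": email, "auth": auth}}}
    # Compact separators reproduce the one-line form kubectl generates.
    return json.dumps(cfg, separators=(",", ":"))


def check_vaultsecret(cr, vault_keys):
    """Return a list of problems for a VaultSecret CR dict, given the set of
    keys present at spec.path in Vault. Empty list means it should sync."""
    spec = cr.get("spec", {})
    problems = []
    secret_type = spec.get("type", "Opaque")
    # Assumption: when spec.keys is omitted, every key of the Vault secret is
    # copied into the Kubernetes Secret.
    selected = set(spec.get("keys") or vault_keys)
    missing = selected - set(vault_keys)
    if missing:
        problems.append(
            f"keys not present in Vault at {spec.get('path')}: {sorted(missing)}")
    required = REQUIRED_KEYS.get(secret_type, set())
    if not required <= selected:
        problems.append(
            f"type {secret_type} requires keys {sorted(required)}, got {sorted(selected)}")
    return problems
```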
Thank you very much! One last question, is there any way of giving the Vault Token from a mounted volume?
Up until now I've been using Vault Agent to do the Auth part and storing the token to be used.
Hi, no problem. The recommended approach for authentication is the Kubernetes Auth Method. Therefore the service account is used for authentication and it is not necessary to store the token.

```yaml
vault:
  address: "http://vault:8200"
  authMethod: kubernetes
  kubernetesPath: auth/kubernetes
  kubernetesRole: vault-secrets-operator

serviceAccount:
  create: true
  name: vault-secrets-operator
```
If you want to use the Token Auth Method you can pass the token via secret to the operator.

```shell
kubectl create secret generic vault-secrets-operator --from-literal=VAULT_TOKEN=<TOKEN> --from-literal=VAULT_TOKEN_LEASE_DURATION=86400
```

```yaml
environmentVars:
  - envName: VAULT_TOKEN
    secretName: vault-secrets-operator
    secretKey: VAULT_TOKEN
  - envName: VAULT_TOKEN_LEASE_DURATION
    secretName: vault-secrets-operator
    secretKey: VAULT_TOKEN_LEASE_DURATION

vault:
  address: "http://vault:8200"
  authMethod: token
```
I hope this helps you further.
The authentication workflow with Vault Agent was to actually do the auth (based on a path and some configurations) and store the token in a shared mounted volume (where the Vault Agent resides as an initContainer, and the actual syncing application is the main container).
Unfortunately this is a requirement in my case 😢 .
That is why I asked if there is any way of getting the token from a path and not only as an environment variable.
Ah ok, I get it. Maybe we can introduce another environment variable `VAULT_TOKEN_PATH`, which is used when `VAULT_AUTH_METHOD` is `token` and `VAULT_TOKEN` is empty. Besides that the Helm chart must be adjusted to allow the mounting of a volume.
Would that be an option?
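The lookup order proposed above, written out as an added example (hypothetical code, not the operator's implementation): `VAULT_TOKEN` takes precedence, otherwise the token is read from the file named by `VAULT_TOKEN_PATH`, and both being empty is a hard error rather than a silent fall-through. The `read_file` hook only exists so the logic can be exercised without touching the filesystem.

```python
import os


def resolve_vault_token(env, read_file=None):
    """Return the token to use when VAULT_AUTH_METHOD is "token".

    Precedence: VAULT_TOKEN (non-empty) wins; otherwise the contents of the
    file at VAULT_TOKEN_PATH, e.g. the sink a Vault Agent init container wrote
    into a shared volume. Returns None for other auth methods, which do not
    use a static token. Raises ValueError when no usable token is found, so
    the operator fails at startup instead of running unauthenticated.
    """
    if env.get("VAULT_AUTH_METHOD", "token") != "token":
        return None
    token = (env.get("VAULT_TOKEN") or "").strip()
    if token:
        return token
    path = (env.get("VAULT_TOKEN_PATH") or "").strip()
    if not path:
        raise ValueError("VAULT_TOKEN and VAULT_TOKEN_PATH are both empty")
    read = read_file or (lambda p: open(p, encoding="utf-8").read())
    # Agent sinks normally end the file with a newline; strip it so the
    # token is not rejected by Vault.
    token = read(path).strip()
    if not token:
        raise ValueError(f"token file {path} is empty")
    return token


if __name__ == "__main__":
    # Constructed environment for a local run.
    print(resolve_vault_token({"VAULT_TOKEN_PATH": "/vault/token"},
                              read_file=lambda _p: "hvs.example-token\n"))
```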
That would be perfect. I think that would also solve any Auth logic for all other paths, if anyone else wants to use Vault Agent way.
@dieser94 if you find the time, maybe you could take a look at the PR #15.