Support to get secrets from Vault #3267
Comments
I am trying to do now exactly the same and looking for a way to load secrets from vault injector. The problem is that I cannot bypass the argo-secret.
The core team does not use Vault, so we can't really advise on this. Have you asked in Slack?
@yokiworks, @alexec I figured out the kaniko part, as kaniko just expects the docker config to be present at /kaniko/.docker/config.json. For the git input artifact, since a kubernetes secret is expected as input, I am not sure how to bypass it. Can the git credentials be read from a mounted volume?
Thanks for the pointer, I will post in slack.
@yokiworks @ramanNarasimhan77 my team is using https://github.com/godaddy/kubernetes-external-secrets for the use case you are describing. Blog post: https://www.godaddy.com/engineering/2019/04/16/kubernetes-external-secrets/
Thanks! This is how we solve it also for now... but it is less secure I guess than having the secret injected into the argo pod, bypassing the k8s secret.
@yokiworks

High level vault setup steps

Based on https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/

For git step

We cannot use argo's git input artifact as in the example since this needs us to supply k8s secret. Using vault we can mount files to the pod filesystem. So to use https to clone, we could enable git creds store and mount the credentials to

For this purpose configure a secret in vault say secret/gitcreds with key as gitcreds and save the value as

Below we are mounting appuser's gitcredentials to

```yaml
- name: get-source-code-https
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-secret-.git-credentials: "secret/gitcreds"
      vault.hashicorp.com/secret-volume-path: "/home/appuser"
      vault.hashicorp.com/role: "app-user"
      vault.hashicorp.com/agent-inject-template-.git-credentials: |
        {{- with secret "secret/gitcreds" -}}
        {{ .Data.data.gitcreds }}
        {{- end }}
```

Similarly if we want to clone using ssh, we could put the ssh key into vault and mount to ~/.ssh/id_rsa

For the kaniko step

Kaniko requires the docker config to be present at /kaniko/.docker/config.json. Following annotations inject the secret at /kaniko/.docker/config.json

```yaml
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-secret-config.json: "secret/dockerconfig"
    vault.hashicorp.com/secret-volume-path: "/kaniko/.docker"
    vault.hashicorp.com/role: "app-user"
    vault.hashicorp.com/agent-inject-template-config.json: |
      {{- with secret "secret/dockerconfig" -}}
      {{ .Data.data.dockerconfig }}
      {{- end }}
```
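Once the injector has rendered .git-credentials and config.json into the pod, a step can sanity-check them before git or kaniko tries to use them (an empty or whitespace-padded render, a non-base64 `auth` value, or a world-readable file all fail late and opaquely otherwise). This checker is an added example, not code from the issue or from the Argo or Vault projects; the `SAMPLE_*` values, `registry.example.com` and `git.example.com` are constructed.

```python
import base64
import json
from pathlib import Path
from urllib.parse import urlsplit


def check_git_credentials(text):
    """Problems in a rendered .git-credentials: one https://user:password@host per line."""
    problems = []
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return ["empty file: did the Vault template render nothing?"]
    for n, line in enumerate(lines, 1):
        if line != line.strip():  # template whitespace breaks git's credential matching
            problems.append(f"line {n}: stray whitespace around the URL")
        u = urlsplit(line.strip())
        if u.scheme != "https" or not (u.hostname and u.username and u.password):
            problems.append(f"line {n}: expected https://user:password@host")
    return problems


def check_docker_config(text):
    """Problems in a rendered kaniko config.json: {"auths": {registry: {"auth": b64}}}."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["no 'auths' map: kaniko would push unauthenticated"]
    problems = []
    for registry, entry in auths.items():
        try:  # the auth field must be base64("user:password")
            user_pw = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{registry}: 'auth' is not base64")
            continue
        if ":" not in user_pw or not user_pw.split(":", 1)[1]:
            problems.append(f"{registry}: 'auth' is not user:password")
    return problems


def check_injected_file(path, checker):
    mode = Path(path).stat().st_mode & 0o777  # injected secret files should be 0600
    problems = [f"mode {mode:o}: readable by group/others"] if mode & 0o077 else []
    return problems + checker(Path(path).read_text())


SAMPLE_GIT_CREDENTIALS = "https://appuser:s3cret@git.example.com\n"  # constructed
SAMPLE_DOCKER_CONFIG = json.dumps({"auths": {"registry.example.com": {  # constructed
    "auth": base64.b64encode(b"appuser:s3cret").decode()}}})
```

In a workflow step, `check_injected_file("/home/appuser/.git-credentials", check_git_credentials)` and `check_injected_file("/kaniko/.docker/config.json", check_docker_config)` return empty lists when the injected files are usable.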
Thank you @ramanNarasimhan77 this is really neat!
Summary
Is it possible to inject secrets from a secure vault like Hashicorp Vault instead of getting them from a Kubernetes secret?
E.g.:
SCENARIO 1:
I am currently defining an input git artifact used to clone the repo and copy to a PV as shown below. Here I am using a k8s secret to get the git username and password.
SCENARIO 2: Docker config for Kaniko builds
The current configuration that I am using is shown below:
Define volume docker-config that reads docker config json from k8s secret docker-registry
kaniko build step that uses docker-config volume
Motivation
To improve application security, we are working on moving all our credentials to Hashicorp Vault. Vault supports injecting secrets either through an init container / sidecar / using the Container Storage Interface (CSI) plugin.
References: