
Injection secrets as ENV vars? #14

Open
riuvshyn opened this issue Dec 20, 2019 · 3 comments


@riuvshyn riuvshyn commented Dec 20, 2019

Hello and thanks for the great tool, now we can use official one instead of homegrown/3rd party tools :)

In reality, most services expect secrets as ENV vars since we all started from general k8s secrets :) and now they can avoid making themselves Vault aware, but they still need to add logic to pick up secrets from the FS, which makes it especially challenging if you have hundreds of different services/teams and you expect them to add this functionality first...
Injecting secrets with 3rd party tools via sidecars wasn't helpful here because we have only 1 way to pass the secret to the app: via a shared volume.

So maybe with more native k8s integration we could have a chance to inject secrets as ENV vars?


@povils povils commented Dec 20, 2019

Yeah, it would be wonderful to have an option for how we want to inject these variables, especially when you are running apps you have no control over and they are using envs. This is how Banzai bank-vaults solves env injection: https://banzaicloud.com/blog/inject-secrets-into-pods-vault-revisited/

Of course, secret rotation with envs would be tricky.


@riuvshyn riuvshyn commented Dec 20, 2019

@povils yeah, exactly! I didn't want to mention Banzai, but this is exactly what I had in mind:

env:
- name: AWS_SECRET_ACCESS_KEY
  value: "vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY"

@jasonodonnell jasonodonnell commented Dec 22, 2019

Vault Agent currently doesn't support something like this, so it's unlikely this kind of feature would be available for some time. We can definitely see the value in supporting environment variables and hope to support it some day, if we can figure out a way that:

  • Doesn't expose secrets in pod metadata
  • The injector doesn't fetch secrets for the pod - having a service that impersonates an application is a security concern
  • Doesn't mutate the original pod containers beyond mounting a volume.

One idea is to generate an envrc file, put it in the secret mount and have the user modify their container or entrypoint to source the file at startup.

Open to ideas here!
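
The envrc idea from the comment above, as an added example that is not vault-k8s code: an entrypoint wrapper that loads `KEY=VALUE` lines from a file in the agent's secret mount and then `exec`s the application. The path `/vault/secrets/envrc` and the line format are assumptions; rather than `.`-ing the file as shell, it validates and exports each assignment itself so the file's contents are never executed.

```shell
#!/bin/sh
# Added example (not from vault-k8s or the issue). Assumed path and format:
# one KEY=VALUE per line, rendered by the agent into the shared secret volume.
ENVRC="${ENVRC:-/vault/secrets/envrc}"

# Export every KEY=VALUE line of $1. Unlike `. "$1"`, nothing in the file is
# run as shell, so a malformed or tampered file cannot execute commands.
# Returns 1 and exports nothing if the file is missing, readable by others,
# or contains a line that is not a plain assignment, comment or blank.
load_envrc() {
  f=$1
  [ -f "$f" ] || { echo "envrc not found: $f" >&2; return 1; }
  # Position 8 of `ls -l` output is the world-readable bit.
  case $(ls -ld "$f" | cut -c8) in
    r) echo "envrc is world-readable, refusing: $f" >&2; return 1 ;;
  esac
  # Validate the whole file first so a bad file leaves the environment untouched.
  if grep -Evq '^([A-Za-z_][A-Za-z0-9_]*=.*|#.*)?$' "$f"; then
    echo "envrc contains a line that is not KEY=VALUE: $f" >&2; return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    export "$line"
  done < "$f"
}

# Constructed sample file so the example runs offline; in a pod the agent
# would have rendered this into the mounted volume instead.
write_sample_envrc() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample, rendered by the agent in real use' \
    'AWS_ACCESS_KEY_ID=AKIA_CONSTRUCTED_EXAMPLE' \
    'AWS_SECRET_ACCESS_KEY=constructed secret value' > "$f"
  chmod 600 "$f"
  echo "$f"
}

# Usage: entrypoint.sh --run /app/server --flag ...
# `exec` keeps the application as the container's main process.
if [ "${1:-}" = "--run" ]; then
  shift
  load_envrc "$ENVRC" || exit 1
  exec "$@"
fi
```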
