Secret management in EKS Anywhere
Currently, EKS Anywhere uses secrets in many places. The bare metal provider has BMC credentials in the hardware.csv file, the vSphere provider has vSphere credentials in the cluster config YAML file, all providers can specify registry credentials in the cluster config YAML file, etc. All of these are stored in clear text. While some of these can be defined via environment variables, not all of them can. And while specifying secrets in environment variables is arguably better than storing them in files, neither is an ideal security posture.
Important to note is that once these secrets are consumed by eksctl anywhere they are all stored as proper Kubernetes secrets. Again, not the most ideal security posture as Kubernetes secrets are just base64 encoded strings. Kubernetes itself recommends, among other things, to "Consider using external Secret store providers".
This issue is to request new functionality. Allow providing secrets to EKS Anywhere that aren't stored in config files in plain text. To be clear this is not a specific ask to make external secret store providers available per se. This ticket is to capture "what" is wanted, not "how" it is accomplished.
Last important note is that recent potential customers have made it known that HashiCorp Vault is available in their environments and would be ideal for use.
This could be an interesting option to consider. It could allow us to support many existing secret store providers.
https://github.com/external-secrets/external-secrets
Or we can implement https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
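For reference, this is what the encrypt-data option linked above looks like on a control plane node. It is an added illustration, not part of the comment or of EKS Anywhere's code; the file path and the key value are assumptions (the key shown is a readable placeholder and must be replaced by 32 bytes from a CSPRNG):

```yaml
# EncryptionConfiguration read by kube-apiserver via
# --encryption-provider-config=/etc/kubernetes/enc/enc.yaml (path is an assumption)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried on reads.
      # secretbox (XSalsa20-Poly1305) takes a 32-byte key; aescbc is no longer recommended.
      - secretbox:
          keys:
            - name: key1
              # PLACEHOLDER ONLY: generate with `head -c 32 /dev/urandom | base64`
              secret: c2VjcmV0Ym94LXBsYWNlaG9sZGVyLWtleS0zMmJ5dGU=
      # identity (plaintext) must stay last so secrets written before encryption
      # was enabled can still be read; it must never be first, or new writes are plaintext.
      - identity: {}
```

After the apiserver restarts with this file, existing secrets are still stored in clear text until they are rewritten, e.g. `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; reading one back directly from etcd should then show a value prefixed with `k8s:enc:secretbox:v1:key1:`. Two caveats a practitioner should keep in mind: the key itself sits on the control plane node's disk next to the data it protects (the `kms` provider pushes it out to an external KMS instead), and none of this changes what an authenticated API client with `get secrets` sees.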
At rest encryption solves part of the problem, but I would imagine customers want integration with their preferred secret management solution for compliance and centralized management, and features like rotation and ad-hoc credential creation that you don't get with Kubernetes secrets.
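To make the external-store option concrete for the two comments above, here is what wiring the external-secrets project to HashiCorp Vault (the store the issue author mentions) would look like. This is an added example, not code from the thread or from EKS Anywhere; the Vault address, KV mount and path, the Kubernetes auth role, the service account, the namespace and the target Secret name are all assumptions:

```yaml
# ClusterSecretStore: how the operator authenticates to Vault (all values are assumptions).
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"
      path: "secret"        # KV v2 mount
      version: "v2"
      auth:
        # Kubernetes auth: the operator's service-account token is exchanged for a
        # Vault token, so no static Vault credential lives in the cluster.
        kubernetes:
          mountPath: "kubernetes"
          role: "eks-anywhere"
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"
---
# ExternalSecret: what to pull and which Kubernetes Secret to materialize.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: registry-credentials
  namespace: eksa-system
spec:
  refreshInterval: 1h          # re-read Vault; rotating the value in Vault propagates within this window
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: registry-credentials # hypothetical name of the Secret the cluster would consume
    creationPolicy: Owner      # the Secret is deleted with the ExternalSecret
  data:
    - secretKey: username
      remoteRef:
        key: eks-anywhere/registry   # KV v2 path under the "secret" mount
        property: username
    - secretKey: password
      remoteRef:
        key: eks-anywhere/registry
        property: password
```

Note that this gives the centralized management and rotation mentioned above, but the operator still writes an ordinary Kubernetes Secret into etcd, so it complements encryption at rest rather than replacing it, and RBAC on the resulting Secret matters exactly as before.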
Having a list of secret management tools our user base uses, and the features sets they leverage, would be helpful.