
Allow passing an array to `credentialsConfig`

Open Sinjo opened this issue 2 years ago • 2 comments

Problem

Currently, it's not possible to configure multiple sets of credentials with credentialsConfig, as it only accepts an object, such as:

credentialsConfig:
  env: AWS_SHARED_CREDENTIALS_FILE
  path: /etc/aws/credentials
  secretName: aws-credentials

In most circumstances this isn't an issue as the vast majority of users will only have instances in a single cloud authenticating with vault.

Where it becomes a little painful is when you have instances in multiple clouds and want to authenticate them with Vault using IAM plugins. For example, if you're using both AWS and GCP IAM-based auth, Vault needs credentials for both cloud providers in order to verify the authentication requests sent by instances.

Proposed solution

Ideally, the CRD would allow an array to be provided in credentialsConfig, like this:

credentialsConfig:
  - env: AWS_SHARED_CREDENTIALS_FILE
    path: /etc/aws/credentials
    secretName: aws-credentials
  - env: GOOGLE_APPLICATION_CREDENTIALS
    path: /etc/gcp/credentials.json
    secretName: gcp-credentials

For backwards compatibility, it could still allow a single object to be passed in.

Alternatives (current workaround)

To get around this, we're currently using a mixture of volumes, volumeMounts and vaultEnvsConfig:

volumes:
  - name: gcp-credentials
    secret:
      secretName: gcp-credentials

volumeMounts:
  - name: gcp-credentials
    mountPath: /etc/gcp

vaultEnvsConfig:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /etc/gcp/credentials.json

This does the job, and isn't too bad, but is slightly less convenient and was a little harder to discover.

Additional context

I realise this is only relevant for people with instances in multiple clouds, so probably not the highest priority. If you think it's a good idea I'm happy to have a go at adding it. Would appreciate a pointer towards the right place to edit and then run any codegen for the CRDs if so!

Sinjo, Mar 23 '22 17:03
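A sketch of the object-or-array decoding the proposal calls for, added here as an example for this thread and not vault-operator's own code: it decodes credentialsConfig from JSON (the structure a YAML CR decodes to), keeps single-object CRs loading unchanged, and rejects entries that would silently overwrite one another. The field names come from the issue; the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CredentialsConfig is one entry with the fields shown in the issue.
type CredentialsConfig struct {
	Env        string `json:"env"`
	Path       string `json:"path"`
	SecretName string `json:"secretName"`
}

// Validate rejects incomplete entries and entries that would silently clobber
// each other: a repeated env var (the later value wins in the pod spec) or a
// repeated path (two secrets mounted at the same mount point).
func Validate(list []CredentialsConfig) error {
	seen := map[string]bool{}
	for i, e := range list {
		if e.Env == "" || e.Path == "" || e.SecretName == "" {
			return fmt.Errorf("credentialsConfig[%d]: env, path and secretName are required", i)
		}
		for _, key := range []string{"env:" + e.Env, "path:" + e.Path} {
			if seen[key] {
				return fmt.Errorf("credentialsConfig[%d]: duplicate %s", i, key)
			}
			seen[key] = true
		}
	}
	return nil
}

// ParseCredentialsConfig decodes the field from JSON (the YAML in a CR decodes
// to the same structure), accepting a single object (current schema) or an array
// (proposed schema) so existing CRs keep loading, then validates the result.
func ParseCredentialsConfig(raw []byte) ([]CredentialsConfig, error) {
	var list []CredentialsConfig
	var one CredentialsConfig
	if json.Unmarshal(raw, &one) == nil {
		list = []CredentialsConfig{one}
	} else if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("credentialsConfig must be an object or an array: %w", err)
	}
	return list, Validate(list)
}
```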

Unfortunately, the provided workaround does not mount volumes to the configurer pod. I'll try to take a look at the array implementation after I finish with the kvv2 check-and-set.

avoidik, Mar 31 '22 09:03

This is still low priority so we are not sure if we will actually end up working on it. If someone from the community would like to give it a go, it should be fairly simple to get started and we can provide any help needed to get it done.

ramizpolic, Jun 11 '24 09:06