hcloud-cloud-controller-manager
Support secret injection with HashiCorp Vault
I would like to see support for HashiCorp Vault. More specifically, the Vault Agent Injector, which can inject secrets from Vault into pods.
To do this, HCCM must either read the HCLOUD_TOKEN from a file or enable the sourcing of a file before startup (so that injecting environment variables via vault is possible, see https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example).
Another solution would be to use the Vault Secrets Operator, which synchronises Vault Secrets with Kubernetes Secrets. However, I think loading on pod startup is better (because it can use the pod service account). This can also be done with the VSO, but this requires 2 CRDs for each secret that should be loaded (VaultAuth and VaultStaticSecret).
What do the developers and the community think about this change?
I managed to enable vault secret injection via vault-injector by creating my own helm chart for the hcloud-cloud-controller-manager.
The current helm chart doesn't support command customization (I need to run source /vault/secrets/token before calling the hccm binary).
I also added podLabels and podAnnotations to the chart to add vault.hashicorp.com/agent-inject: 'true' and so on to the pod (and not to all resources that are deployed by the chart).
Maybe these changes can be applied to the upstream (your) chart, but I know that adding a customized startup command is very specific and not needed by many users.
Edit: Changes can be seen here: https://github.com/simonostendorf/hetznercloud-hcloud-cloud-controller-manager/tree/feat/custom-labels-annotations-commands
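The wiring the comment above describes, as an added example that is not the project's chart or the commenter's fork: a rendered Deployment pod template carrying the Vault Agent Injector annotations (on the pod template only) and a startup command that sources the injected file and refuses to start without a token. The Vault role `hccm`, the KV v2 path `secret/data/hccm`, the image tag placeholder, the binary path and the flags are assumptions.

```yaml
# Added example, not the hcloud-cloud-controller-manager chart. Rendered manifest,
# so the {{ }} below is Vault agent template syntax, not Helm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hcloud-cloud-controller-manager
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: hcloud-cloud-controller-manager
  template:
    metadata:
      labels:
        app: hcloud-cloud-controller-manager
      annotations:
        # Pod-template annotations only: other chart resources are untouched.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "hccm"                                  # assumed Kubernetes-auth role
        vault.hashicorp.com/agent-inject-secret-token: "secret/data/hccm"  # assumed KV v2 path
        # Render the secret as an export line so the container can source it
        # (the environment-variable pattern from the Vault injector docs).
        vault.hashicorp.com/agent-inject-template-token: |
          {{- with secret "secret/data/hccm" -}}
          export HCLOUD_TOKEN="{{ .Data.data.token }}"
          {{- end }}
    spec:
      # The pod's service account is what the injected agent authenticates with.
      serviceAccountName: hcloud-cloud-controller-manager
      containers:
        - name: hcloud-cloud-controller-manager
          image: hetznercloud/hcloud-cloud-controller-manager:<version>   # placeholder tag
          command: ["/bin/sh", "-c"]
          args:
            - |
              # Source the injected file, then fail closed if no token arrived.
              . /vault/secrets/token
              [ -n "$HCLOUD_TOKEN" ] || { echo "HCLOUD_TOKEN not injected" >&2; exit 1; }
              # Binary path and flags are assumptions; use those of the chart you deploy.
              exec /bin/hcloud-cloud-controller-manager --cloud-provider=hcloud --leader-elect=false
```

The token never appears in the Deployment manifest or in a Kubernetes Secret; it exists only in the injected file and the process environment of this one container.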
The other option could be reading the HCLOUD_TOKEN from a file that was placed inside the container by the vault-injector. This would avoid the use of a custom source command.
What do you think about this?