Add support for Hashicorp Vault Transit
Proposal
KEDA Auth supports Hashicorp Vault as a secret backend, but only stores plaintext passwords in KV v2.
Suggestion: add one more parameter to allow the credentials to be encrypted.
hashiCorpVault: # Optional.
  address: {hashicorp-vault-address} # Required.
  namespace: {hashicorp-vault-namespace} # Optional. Default is root namespace. Useful for Vault Enterprise
  authentication: token | kubernetes # Required.
  role: {hashicorp-vault-role} # Optional.
  mount: {hashicorp-vault-mount} # Optional.
+ transitKey: {hashicorp-vault-transit-key-name} # If null, skip decryption.
  credential: # Optional.
    token: {hashicorp-vault-token} # Optional.
    serviceAccount: {path-to-service-account-file} # Optional.
  secrets: # Required.
  - parameter: {scaledObject-parameter-name} # Required.
    key: {hashicorp-vault-secret-key-name} # Required.
    path: {hashicorp-vault-secret-path} # Required.
Use-Case
Our security team has a policy where we're not allowed to store plaintext passwords in Hashicorp Vault. It has to be an encrypted value.
Anything else?
No response
Hey @Axory, I'm checking Hashicorp Vault Transit and it seems like encryption as a service more than storing values encrypted. If I'm not wrong, the flow in case of encrypted secrets will be:
- Request the value (like right now)
- Do an extra request to the Vault Transit service passing the value from step 1 and the key
- Use the return from Transit service
Right? It's an interesting service :) Are you willing to contribute this?
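The three-step flow described above, as an added example that is not KEDA's code: a Go function against Vault's HTTP API (token auth via the X-Vault-Token header) that reads one field of a KV v2 secret and, when a transitKey is configured, hands that stored ciphertext to transit/decrypt/<key> and decodes the base64 plaintext. vaultCall and ResolveSecret are hypothetical names; addr is assumed to have no trailing slash.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

// vaultCall is a hypothetical helper (not KEDA code): one token-authenticated Vault API request, decoded into out.
func vaultCall(c *http.Client, addr, token, method, apiPath string, body []byte, out interface{}) error {
	req, err := http.NewRequest(method, addr+"/v1/"+apiPath, bytes.NewReader(body)) // addr assumed without trailing slash
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // never fall through to an empty secret on a denied or failed request
		return fmt.Errorf("vault %s /v1/%s: HTTP %d", method, apiPath, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// ResolveSecret reads key from the KV v2 secret at mount/secretPath (step 1). An empty transitKey returns the stored
// value as-is (today's behaviour); otherwise it goes to transit/decrypt/<transitKey> (step 2) and is base64-decoded (step 3).
func ResolveSecret(c *http.Client, addr, token, mount, secretPath, key, transitKey string) (string, error) {
	var kv struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` } // KV v2 nests fields under data.data
	if err := vaultCall(c, addr, token, http.MethodGet, mount+"/data/"+secretPath, nil, &kv); err != nil {
		return "", err
	}
	value, ok := kv.Data.Data[key]
	if !ok {
		return "", fmt.Errorf("key %q not found at %s/%s", key, mount, secretPath)
	}
	if transitKey == "" {
		return value, nil
	}
	body, _ := json.Marshal(map[string]string{"ciphertext": value}) // value is the "vault:v<N>:..." ciphertext stored in KV
	var tr struct{ Data struct{ Plaintext string `json:"plaintext"` } `json:"data"` }
	if err := vaultCall(c, addr, token, http.MethodPost, "transit/decrypt/"+transitKey, body, &tr); err != nil {
		return "", err
	}
	plain, err := base64.StdEncoding.DecodeString(tr.Data.Plaintext) // Transit returns plaintext base64-encoded
	return string(plain), err
}
```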
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.