support alternative for providing secrets (e.g. username/password to rest server)

Open Josua-SR opened this issue 5 years ago • 3 comments

In search of a backup solution we have come across this project which at first glance seems to fulfill all our wishes. Except for one small part: Using a custom secret storage, i.e. not the Kubernetes API.

Instead we have chosen to use Vault for storing all our critical secrets - especially encryption keys, admin passwords and login credentials to external services.

Feature Request: Please add a way of specifying a credentials file as an alternative to storageSecretName.

To showcase why this is helpful and easy to use, here is an example of how the stash sidecar spec would be annotated for use with Vault (though, really, any other secret provider could be used).

```yaml
spec:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "someuser"
    vault.hashicorp.com/agent-inject-secret-credentials: "secret/service"
    vault.hashicorp.com/agent-inject-template-credentials: |
      {{- with secret "secret/service" -}}
      username={{ .Data.username }}
      password={{ .Data.password }}
      {{- end }}
...
  env:
    - name: STORAGE_CREDENTIALS_FILE
      value: "/vault/secrets/credentials"
```

Josua-SR, Jan 16 '20 17:01

I need to read up on these Vault annotations. Where can I find them to understand it?

Also, is this some Helm chart you are showing? Who renders the vault.hashicorp.com/agent-inject-template-credentials annotations and when?

tamalsaha, Jan 18 '20 05:01

@tamalsaha What I was showing is a plain Kubernetes YAML extract. How secrets can be inserted into applications that are not aware of Vault is described in detail in this blog post, which I highly recommend reading!

There is a vault injector service that attaches a container to whatever application is annotated for Vault - to run before the annotated application. It fetches the specified secrets, and renders them to files to be made available at the path /vault/secrets/... in the application container.

Josua-SR, Jan 20 '20 20:01

Is there any solution or workaround to provide repository storage secrets from an alternative provider like HashiCorp Vault?

jjduarte, Feb 25 '21 17:02