SOPS: Add support for HashiCorp Vault token-based authentication #538
Conversation
@hiddeco I have checked the Azure Vault PR. We should probably make the |
No further comments from me, nice work @souleb 🙇
If implemented, the kustomize controller will be able to retrieve a secret containing a VAULT TOKEN and use it to decrypt the sops encrypted master key. It will then use it to decrypt the data key and finally use the data key to decrypt the final data. Signed-off-by: Soule BA <bah.soule@gmail.com>
LGTM
Thanks @souleb 🏅
fixes #516
If implemented, the kustomize controller will be able to retrieve a secret containing a VAULT TOKEN and use it to decrypt the sops encrypted master key, which will then be used to decrypt the data key that will decrypt the final data.
The kustomize-controller retrieves the secret specified in the kustomization in the same namespace. We keep the behaviour set by age and pgp decryption.
In case a token does not exist for a HashiCorp vault encrypted token, we fall back to the default server to try decrypting/encrypting the data. This will preserve the behaviour for customers relying on VAULT_TOKEN env var.
Signed-off-by: Soule BA <bah.soule@gmail.com>
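As an added illustration of the flow described above (not part of the PR itself), here is the pair of manifests a user would apply: a Secret holding the Vault token and a Kustomization that references it from the same namespace. The secret key name `sops.vault-token`, the `spec.decryption` field names and the `sops-hcvault` resource name are assumptions drawn from the Flux API as I know it, not from this page.

```yaml
# Constructed example. The Secret must live in the same namespace as the
# Kustomization that references it; the controller does not read secrets
# across namespaces, so a token only reaches the Kustomizations that were
# meant to use it (least privilege for the Vault token).
apiVersion: v1
kind: Secret
metadata:
  name: sops-hcvault            # assumed name
  namespace: flux-system
type: Opaque
stringData:
  # assumed key name; value is a placeholder, never commit a real token
  sops.vault-token: "<VAULT_TOKEN_PLACEHOLDER>"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app-secrets
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/production/secrets
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-hcvault        # same namespace as this Kustomization
# With the token present, the controller can ask Vault to unwrap the
# sops master key, which releases the data key that decrypts the files.
# If the Secret carries no Vault token, the controller falls back to the
# VAULT_TOKEN environment variable of its own process, preserving the
# previous behaviour for deployments that still rely on it.
```

Rotating the token then means updating one Secret rather than redeploying the controller with a new environment variable.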