Vault config sensitive information #175

Closed
kg-scality opened this issue Jan 13, 2020 · 5 comments · Fixed by #176

@kg-scality

Hello,

To my understanding of the chart, Vault is loading its config file from a hard-coded path that is managed by the chart from a ConfigMap.

From this assessment I failed to understand how I can protect sensitive information that might be needed in Vault's configuration. In my case I have an SQL database as a storage backend, meaning I have to store a password in the configuration.

Is my assessment correct? If it is, I suggest multiple opportunities for improvement in the chart:

  • put the entire Vault configuration in a Kubernetes secret, optionally or not
  • enable the editing of Vault's command line so that it could be told to launch additional config files
  • provide a different way to generate the configuration file

Thanks in advance for your time.

@jasonodonnell
Contributor

Hi @kg-scality, which database are you using for storage?

@kg-scality
Author

I'm using a MySQL database.

@jasonodonnell
Contributor

jasonodonnell commented Jan 13, 2020

@kg-scality, most database storage drivers allow environment variables to be set for configuration, but it would appear that MySQL doesn't.

On the Vault side we can add support for a MYSQL_PASSWORD env and on the Vault Helm side we can add extraArgs to pass additional config flags to the server command. Using extraArgs along with extraVolumes that already exists, you would be able to define additional configuration files (stored in a secret) to load with Vault. Would this help?

Since we're rendering a Vault configuration file, it's not as easy as flipping the ConfigMap to be a secret, unfortunately.
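The `extraArgs` plus `extraVolumes` approach described in the comment above, sketched as an added example (not part of the original thread and not the chart's own files). It assumes `extraArgs` is a string appended to the server command and that the chart mounts a secret-type `extraVolumes` entry under `/vault/userconfig/<name>`; the secret name, file name, host and credentials are constructed placeholders.

```yaml
# --- File 1: Kubernetes Secret holding only the sensitive storage stanza ---
# Every name and value below is constructed for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: vault-storage-config          # hypothetical name, reused in the values file
type: Opaque
stringData:
  config.hcl: |
    storage "mysql" {
      address  = "mysql.example.internal:3306"
      username = "vault"
      password = "REPLACE_WITH_REAL_PASSWORD"
      database = "vault"
    }
---
# --- File 2: Helm values passed to the chart ---
# The ConfigMap-rendered config must no longer contain a storage stanza;
# Vault merges every file given with -config, and the Secret now supplies it.
server:
  extraVolumes:
    - type: secret
      name: vault-storage-config      # assumed mount: /vault/userconfig/vault-storage-config
  # Assumed to be appended verbatim to the "vault server" command line.
  extraArgs: "-config=/vault/userconfig/vault-storage-config/config.hcl"
```

A Kubernetes Secret is only base64-encoded in the API, so this moves the password out of the ConfigMap but still relies on RBAC restricting who can read Secrets in the namespace and on encryption at rest for etcd.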

@kg-scality
Author

Yes, I definitely think both solutions would help.

@kg-scality
Author

kg-scality commented Jan 14, 2020

I confirm it works for my setup.
Thanks.
