Support secret injection with HashiCorp Vault #595
Comments
I managed to enable vault secret injection via vault-injector by creating my own helm chart for the hcloud-cloud-controller-manager. The current helm chart doesn't support command customization (I need to run I also added Maybe these changes can be applied to the upstream (your) chart, but I know that adding a customized startup command is very specific and not needed by many users.

Edit: Changes can be seen here: https://github.com/simonostendorf/hetznercloud-hcloud-cloud-controller-manager/tree/feat/custom-labels-annotations-commands
The other option could be reading the What do you think about this?
This allows the `HCLOUD_TOKEN` (and `ROBOT_USER` and `ROBOT_PASSWORD`) to be read from a file. This can be useful if the token is injected using secret injection (e.g. with the vault agent injector).

If someone is interested in using this with the vault agent injector, I used the following helm values:

```yaml
image:
  repository: <custom-image-because-changes-are-not-released>
  tag: <custom-image-because-changes-are-not-released>
podAnnotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/log-format: json
  vault.hashicorp.com/role: <your-vault-role-name>
  vault.hashicorp.com/secret-volume-path-token: /vault/secrets
  vault.hashicorp.com/agent-inject-file-token: token
  vault.hashicorp.com/agent-inject-secret-token: <your-vault-mount>/data/<your-vault-path>
  vault.hashicorp.com/agent-inject-template-token: |
    {{ with secret "<your-vault-mount>/data/<your-vault-path>" -}}
    {{ .Data.data.token }}
    {{- end }}
env:
  HCLOUD_TOKEN_FILE:
    value: "/vault/secrets/token"
  HCLOUD_TOKEN: null # must be set because helm results in using value and valueFrom and that results in an error
```

This change is inspired by the [external-dns cloudflare provider](https://github.com/kubernetes-sigs/external-dns/blob/master/provider/cloudflare/cloudflare.go#L171). I requested the same change for the [csi-driver](hetznercloud/csi-driver#617) to keep consistency in reading HCLOUD_TOKEN from file.

Closes #595

---------

Co-authored-by: Jonas L. <jooola@users.noreply.github.com>
Co-authored-by: Julian Tölle <julian.toelle@hetzner-cloud.de>
I would like to see support for HashiCorp Vault.
More specifically, the Vault Agent Injector, which can inject secrets from Vault into pods.
To do this, HCCM must either read the HCLOUD_TOKEN from a file or enable the sourcing of a file before startup (so that injecting environment variables via vault is possible, see https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example).
Another solution would be to use the Vault Secrets Operator, which synchronises Vault Secrets with Kubernetes Secrets. However, I think loading on pod startup is better (because it can use the pod service account; this can also be done with the VSO, but that requires 2 CRDs for each secret that should be loaded: VaultAuth and VaultStaticSecret).

What do the developers and the community think about this change?
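The thread above asks HCCM to read the token from a file, and the PR description earlier shows the resulting `HCLOUD_TOKEN_FILE` helm values. The following Go program is an added example written for this page; it is not code from the hcloud-cloud-controller-manager project, nor from any participant in the thread. The variable names `HCLOUD_TOKEN` and `HCLOUD_TOKEN_FILE` come from the page; everything else (the function names, refusing both sources at once, trimming trailing whitespace from the injected file, and the file-permission check) is an assumption about sensible behaviour, not a description of the project's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Environment variable names. HCLOUD_TOKEN is what HCCM already reads;
// HCLOUD_TOKEN_FILE is the file-based variant shown in the helm values above.
const (
	envToken     = "HCLOUD_TOKEN"
	envTokenFile = "HCLOUD_TOKEN_FILE"
)

var (
	errNoToken   = errors.New("no token: set " + envToken + " or " + envTokenFile)
	errBothSet   = errors.New(envToken + " and " + envTokenFile + " are mutually exclusive")
	errEmptyFile = errors.New("token file is empty after trimming whitespace")
)

// resolveToken returns the API token from the environment or from a file.
// The lookups are passed in (they mirror os.LookupEnv and os.ReadFile) so the
// logic can be exercised without touching the real process environment.
// This is an assumed design, not the project's code.
func resolveToken(lookup func(string) (string, bool), readFile func(string) ([]byte, error)) (string, error) {
	tok, _ := lookup(envToken)
	path, _ := lookup(envTokenFile)
	switch {
	case tok != "" && path != "":
		// Refuse ambiguity: silently preferring one source is how a stale
		// literal token ends up overriding the injected one.
		return "", errBothSet
	case tok != "":
		return tok, nil
	case path != "":
		raw, err := readFile(path)
		if err != nil {
			return "", fmt.Errorf("reading %s=%q: %w", envTokenFile, path, err)
		}
		// Templated secret files commonly end in a newline; a trailing
		// newline in the bearer token yields a 401, not a clear error.
		t := strings.TrimSpace(string(raw))
		if t == "" {
			return "", errEmptyFile
		}
		if strings.ContainsAny(t, " \t\r\n") {
			return "", fmt.Errorf("token file %q contains interior whitespace", path)
		}
		return t, nil
	default:
		return "", errNoToken
	}
}

// tokenFileWorldAccessible reports whether the token file is readable or
// writable by group or others, which a caller should at least log.
func tokenFileWorldAccessible(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().Perm()&0o077 != 0, nil
}

func main() {
	// Constructed demo: a token file with a trailing newline, as an agent
	// template without the "-}}" trim markers would produce.
	dir, err := os.MkdirTemp("", "hcloud-token")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "token")
	if err := os.WriteFile(path, []byte("constructed-example-token\n"), 0o600); err != nil {
		panic(err)
	}
	env := map[string]string{envTokenFile: path}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }

	tok, err := resolveToken(lookup, os.ReadFile)
	fmt.Printf("token=%q err=%v\n", tok, err)
	loose, _ := tokenFileWorldAccessible(path)
	fmt.Println("world accessible:", loose)
}
```

Treating "both set" as an error rather than a precedence rule is the point of the example: the helm values above have to explicitly null out `HCLOUD_TOKEN` for exactly this reason, and a resolver that silently picked the literal value would hide a misconfiguration that leaves a stale token in the cluster.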