You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
K8ssandra v1.x and K8ssandra-operator only work with Kubernetes secrets as secret provider. This prevents companies using K8ssandra if their security policy doesn’t allow usage of Kubernetes secrets.
We would need to provide an API that has the following characteristics:
Secrets should be injectable into pods directly, without requiring access from the operators
Secrets providers should be pluggable without requiring implementation specific code in K8ssandra-operator or cass-operator (generic external provider)
It should be possible to add providers at runtime
Secrets should be mounted in a common way so that the operator can perform validation checks using a validation webhook
Management of default secrets should be disabled when using an external provider
Design
This proposal leverages dynamic admission control to allow extension at runtime, without recompiling or redeploying K8ssandra-operator.
This design is widely inspired by the Hashicorp Vault agent which uses the same technique for secrets injection at runtime.
Background
K8ssandra v1.x and K8ssandra-operator only work with Kubernetes secrets as secret provider. This prevents companies using K8ssandra if their security policy doesn’t allow usage of Kubernetes secrets.
We would need to provide an API that has the following characteristics:
Design
This proposal leverages dynamic admission control to allow extension at runtime, without recompiling or redeploying K8ssandra-operator.
This design is widely inspired by the Hashicorp Vault agent which uses the same technique for secrets injection at runtime.
┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: K8OP-183
The text was updated successfully, but these errors were encountered: