Is your feature request related to a problem? Please describe.
In our current setup, our K8s platform customers use https://github.com/postfinance/vault-kubernetes to sync Secrets from Vault OSS into their desired Kubernetes namespace.
Our Vault is fully configured via Terraform. The k8s integration is done via the Kubernetes Auth method on a per-namespace basis (a Vault role per K8s namespace). In detail, we have this structure:
This module then installs multiple config resources inside Vault:
```hcl
######################## Configure Vault to talk to Kubernetes ########################
resource "vault_auth_backend" "kubernetes" {
  type        = "kubernetes"
  path        = "k8s-${var.cluster_name}"
  description = "kubernetes auth for cluster ${var.cluster_name}"
}

resource "vault_kubernetes_auth_backend_config" "kubernetes" {
  backend                = vault_auth_backend.kubernetes.path
  kubernetes_host        = var.kubernetes_host
  kubernetes_ca_cert     = var.kubernetes_ca_cert
  token_reviewer_jwt     = var.reviewer_jwt
  disable_iss_validation = var.disable_iss_validation
}

######################## K8s Namespace to Policy mapping ########################
resource "vault_kubernetes_auth_backend_role" "vault_sync" {
  for_each = var.namespaces

  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "vault-sync-${each.key}" # <-- see here
  bound_service_account_names      = ["vault-sync*"]
  bound_service_account_namespaces = [each.key] # <-- here
  token_policies                   = ["k8s-${var.cluster_name}-${each.key}-read"] # <-- and here
}

######################## Read policies per Namespace ########################
data "vault_policy_document" "k8s-policies" {
  for_each = var.namespaces

  rule {
    path         = "${each.value.secret_engine}/data/${each.value.secret_path}"
    capabilities = ["read"]
  }
  rule {
    path         = "${each.value.secret_engine}/metadata/${each.value.secret_path}"
    capabilities = ["list"]
  }
  rule {
    path         = "sys/mounts"
    capabilities = ["read"]
  }
}

resource "vault_policy" "k8s-policies" {
  for_each = var.namespaces

  name   = "k8s-${var.cluster_name}-${each.key}-read"
  policy = data.vault_policy_document.k8s-policies[each.key].hcl
}
```
So in practice we have:

- 1 `vault_auth_backend` per cluster
- 1 `vault_kubernetes_auth_backend_config` per cluster
- N `vault_policy` per cluster (1 per namespace)
- N `vault_kubernetes_auth_backend_role` per cluster (1 per namespace)
Describe the solution you'd like
It would be nice to share both

- the Vault default Connection
- the Vault default Auth (Kubernetes Auth)

with all customer namespaces, so they only need to define the `VaultStaticSecret` etc.:
```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: default
  namespace: vault-secrets-operator # <-- sits in the VSO namespace
spec:
  method: kubernetes # same as tool from PF
  mount: {{ printf "k8s-%s" .Values.clusterName }}
  kubernetes:
    role: vault-sync-vso
    serviceAccount: vault-sync-vso
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: default
  namespace: vault-secrets-operator # <-- sits in the VSO namespace
spec:
  address: https://vault.example.com
  caCertSecretRef: vault-ca
```
Describe alternatives you've considered
Only sharing the `kind: VaultConnection` with all namespaces and letting our platform customers define the `kind: VaultAuth` in each namespace.
Additional context
I did a short PoC without spending too much time on the golang code which worked:
Is this a valid approach? If so, I could invest some more time to make it configurable.
Maybe somehow related:
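A small model of the per-namespace isolation the Terraform module in the issue encodes, added here as an example and not code from the issue, from Vault or from VSO; the cluster name, namespaces and secret paths are constructed, and the role/policy matching only approximates Vault's trailing-`*` glob semantics. It makes the invariant explicit (a service account in namespace A can only obtain a token scoped to A's read policy), which is the property a single shared `VaultAuth` with one role would no longer enforce per namespace.

```python
"""Constructed model of the per-namespace Kubernetes-auth layout (example code,
not Vault or VSO): roles mirror vault_kubernetes_auth_backend_role, policies mirror vault_policy."""

CLUSTER = "prod"  # stands in for var.cluster_name (constructed)
# stands in for var.namespaces: namespace -> {secret_engine, secret_path}
NAMESPACES = {
    "team-a": {"secret_engine": "kv", "secret_path": "team-a/*"},
    "team-b": {"secret_engine": "kv", "secret_path": "team-b/*"},
}

def build_roles(namespaces):
    """One auth role per namespace, as the for_each in the module does."""
    return {
        f"vault-sync-{ns}": {
            "bound_service_account_names": ["vault-sync*"],
            "bound_service_account_namespaces": [ns],
            "token_policies": [f"k8s-{CLUSTER}-{ns}-read"],
        }
        for ns in namespaces
    }

def build_policies(namespaces):
    """One read policy per namespace, as (path, capabilities) rules."""
    return {
        f"k8s-{CLUSTER}-{ns}-read": [
            (f"{c['secret_engine']}/data/{c['secret_path']}", {"read"}),
            (f"{c['secret_engine']}/metadata/{c['secret_path']}", {"list"}),
            ("sys/mounts", {"read"}),
        ]
        for ns, c in namespaces.items()
    }

def matches(pattern, value):
    """Exact match, or prefix match when the pattern ends in '*' (Vault-style glob)."""
    return value == pattern or (pattern.endswith("*") and value.startswith(pattern[:-1]))

def login(roles, role_name, sa_namespace, sa_name):
    """Policies a service account's token gets from a role; None if the login is refused."""
    role = roles.get(role_name)
    if role is None or sa_namespace not in role["bound_service_account_namespaces"]:
        return None
    if not any(matches(p, sa_name) for p in role["bound_service_account_names"]):
        return None
    return list(role["token_policies"])

def allowed(policies, token_policies, capability, path):
    """True if any attached policy grants the capability on the path."""
    return any(capability in caps and matches(rule_path, path)
               for name in token_policies for rule_path, caps in policies.get(name, []))
```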