[PROPOSAL] Support adding CSI volumes to operator to pull secrets from Key vault #795
Comments
Hi @nilushancosta.
Hi @swoehrl-mw , I want to be able to use a CSI secrets store volume to create the

```yaml
security:
  config:
    adminCredentialsSecret:
      name: admin-credentials-secret # The secret with the admin credentials for the operator to use
    securityConfigSecret:
      name: securityconfig-secret # The secret containing your customized securityconfig
  tls:
    transport:
      generate: true
    http:
      generate: true
```

I initially tried to use the CSI secret store driver through the additionalVolumes of the

To solve this, I could add the following secret provider class and mount the CSI secrets store volume to the operator pod using the proposed fields as follows

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: opensearch
  namespace: test
spec:
  provider: azure
  secretObjects:
    - secretName: securityconfig-secret
      type: Opaque
      data:
        - key: internal_users.yml
          objectName: SECURITY_CONFIG_INTERNAL_USERS
    - secretName: admin-credentials-secret
      type: Opaque
      data:
        - key: username
          objectName: USERNAME
        - key: password
          objectName: PASSWORD
  parameters:
    keyvaultName: test-kv
    tenantId: aaa-bbb
    usePodIdentity: "false"
    objects: |
      array:
        - |
          objectName: internal-users
          objectType: secret
          objectAlias: SECURITY_CONFIG_INTERNAL_USERS
          objectVersion: 1111
        - |
          objectName: password
          objectType: secret
          objectAlias: PASSWORD
          objectVersion: 2222
        - |
          objectName: username
          objectType: secret
          objectAlias: USERNAME
          objectVersion: 3333
```

```yaml
extraVolumeMounts:
  - name: csi-volume-opensearch-secrets
    mountPath: "/mnt/csi-secret-store/opensearch-secrets"
    readOnly: true
extraVolumes:
  - name: csi-volume-opensearch-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: opensearch
      nodePublishSecretRef:
        name: azure
```

Then when the operator pod starts, these two secrets will get created. It would be possible to add secrets of all clusters to this secret provider class manifest and they will get created.
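A small consistency check for the pairing proposed in the comment above, added here as an example (not code from the operator or from the secrets-store CSI driver). It assumes the manifests are already loaded into plain dicts, parses the Azure provider's `objects` string itself, and flags a synced Secret that references an alias never fetched from the vault or a CSI volume that names an unknown SecretProviderClass or is never mounted (the driver only syncs `secretObjects` for a volume a container actually mounts). The input is constructed to mirror the manifests above.

```python
# Consistency check for the SecretProviderClass + extraVolumes pairing proposed
# above. Added example, not operator or CSI driver code; all input is constructed.
def parse_objects_block(text: str) -> list[dict[str, str]]:
    """Parse the provider's `objects` string (`array:` of `- |` blocks) into dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- |"):
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def check_provider_class(spc: dict) -> list[str]:
    """A synced Secret may only name the alias (or name) of an object the class fetches."""
    spec = spc["spec"]
    fetched = parse_objects_block(spec["parameters"].get("objects", ""))
    known = {o.get("objectAlias") or o.get("objectName") for o in fetched}
    return [f"{so['secretName']}/{d['key']}: unknown object {d['objectName']!r}"
            for so in spec.get("secretObjects", []) for d in so["data"]
            if d["objectName"] not in known]

def check_volumes(values: dict, classes: set[str]) -> list[str]:
    """Secrets only sync for a volume a container mounts, via an existing class."""
    mounted = {m["name"] for m in values.get("extraVolumeMounts", [])}
    findings = []
    for vol in values.get("extraVolumes", []):
        csi = vol.get("csi", {})
        if csi.get("driver") != "secrets-store.csi.k8s.io":
            continue
        cls = csi.get("volumeAttributes", {}).get("secretProviderClass")
        if cls not in classes:
            findings.append(f"{vol['name']}: unknown SecretProviderClass {cls!r}")
        if vol["name"] not in mounted:
            findings.append(f"{vol['name']}: declared but never mounted")
    return findings

# Constructed input mirroring the comment's manifests (objectVersion omitted).
OBJECTS = ("array:\n  - |\n    objectName: username\n    objectAlias: USERNAME\n"
           "  - |\n    objectName: password\n    objectAlias: PASSWORD\n")
SPC = {"spec": {"provider": "azure", "secretObjects": [
           {"secretName": "admin-credentials-secret", "data": [
               {"key": "username", "objectName": "USERNAME"},
               {"key": "password", "objectName": "PASSWORD"}]}],
       "parameters": {"keyvaultName": "test-kv", "objects": OBJECTS}}}
VALUES = {"extraVolumeMounts": [{"name": "csi-volume-opensearch-secrets"}],
          "extraVolumes": [{"name": "csi-volume-opensearch-secrets", "csi": {
              "driver": "secrets-store.csi.k8s.io",
              "volumeAttributes": {"secretProviderClass": "opensearch"}}}]}
```

Run `check_provider_class(SPC)` and `check_volumes(VALUES, {"opensearch"})`; an empty list from both means the Secret names, aliases and volume wiring agree.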
@nilushancosta. To be honest this sounds like quite the hack and not like something the operator should support.
okay @swoehrl-mw . I will check if there is another way to do this.
What/Why
What are you proposing?
Provide the capability to add CSI volumes to the operator pod in order to pull secrets from Azure Key vault.
What users have asked for this feature?
What problems are you trying to solve?
At present, the admin credentials secret has to be created in the cluster before it can be used by the operator. But with this change, this secret can be added to the key vault and the CSI secrets store driver will get the secret from the key vault and create a secret automatically.
What is the developer experience going to be?
No REST API changes
Are there any security considerations?
No
Are there any breaking changes to the API
No
What is the user experience going to be?
Users will have 2 new fields they can add to the operator's Helm values file. These can be used to add a CSI secrets store volume.
Are there breaking changes to the User Experience?
No
Why should it be built? Any reason not to?
This will enable users to store the admin credentials secret in a keyvault and use it.
What will it take to execute?
The operator's deployment manifest needs to be modified to add the `volumeMounts` field to the container spec and the `volumes` field to the pod spec. I can contribute this.
Any remaining open questions?
No