
I created a Secret in Vault in Kubernetes instead of using the K8s API, and I would like to use the Secret in Vault to pull images from a private registry. I am unable to find a way to do so. The following is the example code, assuming I used all the labels for Vault access by the Deployment.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app-exporter
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app-exporter
  template:
    metadata:
      labels:
        app: test-app-exporter
    spec:
      containers:
      - name: test-app-exporter
        image: index.docker.io/xxxxx/test-app-exporter:3
        imagePullPolicy: Always
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - name: http
          containerPort: 5000
      imagePullSecrets:
        - name: [myregistrykey--Secret From Vault]
Padmaja

3 Answers


You can use External Secrets, or also write a custom CRD solution, which ideally should sync or copy the secret from Vault to a Kubernetes Secret.

Option 1

You have multiple options for using External Secrets.

Steps for External Secrets:

  • helm repo add external-secrets
  • helm install k8s-external-secrets external-secrets/kubernetes-external-secrets

Example (ref):

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
 name: imagepull-secret
 namespace: default
spec:
 kvVersion: 1
 backendType: vault
 vaultMountPoint: kubernetes
 vaultRole: user-role
 data:
 - name: IMAGE_PULL
 ...

Option 2

I have used this CRD personally, and it is an easy way to integrate: Vault-CRD

Installation guide & Dockercfg

  • Create a secret in vault first
  • Create vault-crd YAML file

Example:

apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: image-secret
spec:
  path: "secret/docker-hub"
  type: "DOCKERCFG"

  • Apply YAML file to the cluster

It will fetch the secret from Vault and create a new Secret in Kubernetes, and you can use that Secret directly in the Deployment.

Harsh Manvar

Try using https://kubernetes.io/docs/tasks/kubelet-credential-provider/kubelet-credential-provider/ so that the kubelet can run a Vault executable to get the image pull credentials, and the kubelet/container runtime can pull the image using those credentials.

Sagar Velankar

I had the same issue. You can use an external secret with the External Secrets Operator; more info here.

If you create an external secret, you can reference the Kubernetes Secret in imagePullSecrets, but the actual value will be stored in Vault and synced. I found these links very useful:

begs
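As an added example (not code from any of the answers or from the tools they name), this Python script shows what a Vault-to-Kubernetes sync tool like those in the first and third answers must produce for the Deployment in the question: a kubernetes.io/dockerconfigjson Secret rendered from Vault KV data, plus a check that the synced Secret actually covers the registry of the Deployment's image. The Vault key names and the credentials are constructed placeholders, not values from the page.

```python
import base64
import json

# Constructed sample of a Vault KV entry holding registry credentials
# (hypothetical key names; the page does not show the Vault secret's layout).
VAULT_KV_DATA = {
    "registry": "index.docker.io",
    "username": "example-user",
    "password": "example-token",
}

def dockerconfigjson(registry, username, password):
    """Build the config.json structure the kubelet reads from a pull secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"username": username,
                                 "password": password,
                                 "auth": auth}}}

def pull_secret_manifest(name, namespace, kv):
    """Render the Secret a Vault sync tool must create so that
    imagePullSecrets: [{name: <name>}] works for the Deployment."""
    cfg = dockerconfigjson(kv["registry"], kv["username"], kv["password"])
    encoded = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }

def registry_of(image):
    """Registry host of an image reference; bare names mean Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"

def auths_of(secret):
    """Decode the auths map of a synced pull secret (empty if wrong type)."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return {}
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return json.loads(raw).get("auths", {})

def secret_covers_image(secret, image):
    """True if the synced Secret holds credentials for the image's registry."""
    return registry_of(image) in auths_of(secret)
```

The check matches the registry host exactly; Docker Hub credentials stored under the legacy `https://index.docker.io/v1/` key would need that key added to the comparison.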