About to start using Vault. As far as I can see, for distribution of secrets we have:

  • Vault Sidecar injector - able to write secrets to a k8s volume.
  • Banzai Cloud bank-vaults mutating webhook - injects Vault secrets as environment variables

How are people handling the retrofitting of existing Helm chart templates (e.g. elasticsearch) to reference the Vault/Banzai secrets?

It would be quite annoying to have to pull the parent chart, cut out the secrets-based logic and replace it with file-based or env-based logic, and then do that every time I upgrade the Helm chart.

Is there a way to maybe override helm templates that works?

(using k3s cluster)

g0pher
  • It's somewhat opinionated. If you want to mount secrets from a secrets object, you could just tell your helm chart the secret name and let it mount that secret. No need to cut anything in a chart. – The Fool Dec 06 '21 at 11:32
  • Not sure I understand what you mean here. The whole idea of HashiCorp Vault is that you don't use Kubernetes secrets. Kubernetes secrets are just base64 encoded objects sitting in the (maybe) at-rest encrypted etcd database. HashiCorp Vault encrypts the secrets all the way to placement in the container at startup. – g0pher Dec 06 '21 at 20:26
  • So why don't you do that? You just need to tell your app to look for the environment variables. This is completely unrelated to helm, then. I understood the way you wrote it, that you want to mount secrets as a volume *...able to write secrets to a k8s volume.* – The Fool Dec 06 '21 at 21:28
  • Which version of Kubernetes did you use and how did you set up the cluster? – Mikołaj Głodziak Dec 07 '21 at 11:00
  • All Vault solutions out there for k8s mount Vault secrets as normal Kubernetes secrets afaik i.e. the base64 encoded ones. If you don't want that, you'll have to use Vault at an application level. – Mohamed Sohail Dec 08 '21 at 10:30
  • afaik all HashiCorp vault solutions mount the secrets not as Kubernetes Secrets but as a file on a Kubernetes volume. (k8s setup details added to original question) – g0pher Dec 09 '21 at 12:31
  • Please add setup reproduction steps: which version of Kubernetes did you use and how exactly did you set up your cluster. Please also paste your yaml files. – Mikołaj Głodziak Dec 10 '21 at 14:21

0 Answers