Support secret templating #135
Comments
|
Thanks for your valuable feedback @nimjor! Adding template support is definitely a feature we are considering in the near future. |
|
Whoa! I didn't realize ExternalSecret resources could do that! That's awesome! Seems to add support to the proposal from #120 |
|
This feature is already present under https://github.com/ricoberger/vault-secrets-operator#using-templated-secrets I have been using the above operator and it works really well. Would be nice to have this feature. |
|
Seconding this. Until this operator has templating, it's use cases are going to be severely narrowed. |
|
Hey @benashz, do you have any updates to share? Specifically around VSO supporting |
|
Hi @BOsterbuhr - adding templating support is on our upcoming roadmap, we will have more updates on that coming soon. Right now we support the built-in types that Kubernetes automatically templates. As far as supporting Here is an example which uses a KV secret to do the same, I've been meaning to put this into a public document.. if it doesnt work feel free to open a separate issue because it should: apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
namespace: awesomeapps
name: foo
spec:
type: kv-v2
mount: kvv2
path: docker/config
# dest k8s secret
destination:
name: myregistryKey # <-- this is your imagePullSecret name
create: true
type: "kubernetes.io/dockerconfigjson"
---
apiVersion: v1
kind: Pod
metadata:
name: foo
namespace: awesomeapps
spec:
containers:
- name: foo
image: janedoe/awesomeapp:v1
imagePullSecrets:
- name: myregistrykey# Example vault command to load the dockerconfig into a kv:
vault kv put kvv2/docker/config .dockerconfigjson=`cat ~/.docker/config.json` |
|
Hey @kschoche! Our team has verified that this works - thank you so much! |
|
Awesome that we can do it through External Secrets. But it would be cool if the VSO could natively do it. I also dropped a plug in the Vault CSI Provider that the Vault functions of |
Excellent that there's a workaround for this case, however this wouldn't be a workable solution for me. I've found it a lot easier to maintain secrets by only including the credentials and not the formatting in the KV store. In other words, just username and password in the KV secret, then use Vault Agent (or VSO, External Secrets, ...) to format it for the specific needs of that use case (e.g., dockerconfig). This approach is especially applicable if the same credential is needed in multiple formats, such as with Artifactory supporting auth for Maven, Docker, pip, and other protocols. For now, we'll need to stick with our Vault Agent approach but consider this a +1 for templating in VSO. |
|
We are also using vault agent approach, using my "vault-gcp-secrets" helm chart (which is just vault agent plus kubectl). I am going to have to try your template formatting above to maybe remove the need to run "kubectl" to format the dockerconfigjson secret. GCP puts an entire JSON formatted file as the password field, and I didn't want to try to figure out how to get all the proper escaping in. So I just use "template_command" like: kubectl create secret docker-registry "{{ .Values.secret.name }}" \
--docker-server "{{ .Values.secret.dockerServer }}" \
--docker-username "{{ .Values.secret.dockerUsername }}" \
--docker-email "{{ .Values.secret.dockerEmail }}" \
--docker-password "$(cat /dev/shm/key.json)" \
--dry-run=client -o yaml | kubectl replace -f -... with all the non-secret values coming from the helm chart |
|
What is the status of this enhancement? Any timeline for when this will be completed? |
As we need to rotate the password periodically, this doesn't work out when trying to make things work with https://github.com/hashicorp/vault-action and referencing just the password using the plain kv format. You need to fetch the entire config and go through it. We are thus looking into using https://external-secrets.io/latest/ which has templating support. Could you (@benashz) please let me know, if the templating feature will be getting released anytime soon, so we wait? |
|
Hi @imranzunzani, thank you for your interest in VSO. We are currently planning to release the secret transformation support (templating) in v0.5.0. We are targeting end of February as a release date. |
|
Added some VSO secret transformation examples that would be compatible for the K8s secret type |
Is your feature request related to a problem? Please describe.
To really be practical and cover most potential use cases, the VaultStaticSecret and VaultDynamicSecret types should allow templating based on the values retrieved from Vault.
Describe the solution you'd like
We should be able to use Go templating or Consul Template, similar to what can be done using the Vault agent annotations. For example, I want to be able to use the Artifactory Vault dynamic secrets plugin/engine to generate temporary Artifactory credentials that can be injected into a
kubernetes.io/dockerconfigjsonsecret to use for container image pull secrets.Describe alternatives you've considered
I can already do as described above using
external-secrets.ioAdditional context
How this is done with external-secrets:
The text was updated successfully, but these errors were encountered: