Question: Automating the acquisition of secret-id for AppRole using Vault-agent-injector in Kubernetes
Goal:
My task is to set up an automatic process for obtaining secret-id for AppRole in a Kubernetes environment. To achieve this, I plan to utilize Vault capabilities in conjunction with the Vault-agent-injector mechanism. Currently, the agent-injector configuration is implemented to inject secrets directly into the environment variables of applications.
Issue:
It is necessary to develop a solution for automatically obtaining a new secret-id for the specific role devtest at the moment of deploying services through Kubernetes Deployment. The main task is to ensure that services, after their authorization using the AppRole mechanism, can securely access the required secrets. An important aspect is the use of one-time secret-id, which will enhance security and ensure isolation of secrets between different instances of the service.
Background:
In the current process, the following command in Vault is used to generate secret-id:
```bash
vault write -f auth/approle/role/devtest/secret-id
```
The main question is the possibility of integrating and automating this process in the context of deploying services using Kubernetes Deployment and Vault-agent-injector.
Example of Deployment configuration:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-test-service
  ...
      annotations:
        vault.hashicorp.com/agent-pre-populate-only: 'true'
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'test-app'
        vault.hashicorp.com/agent-inject-template-.venv: |
          {{- with secret "test/data/database/postgres" -}}
          {{- range $k, $v := .Data.data }}
          export {{$k}}={{$v}}
          {{- end }}
          {{- end }}
  ...
      containers:
      ...
        args:
          [ 'source /vault/secrets/.venv && rm -rf /vault/secrets/.venv && /app' ]
  ...
```
Additional context:
The implementation of reading secrets directly in the service using AppRole authorization is already done. The goal is to ensure the uniqueness of secret-id for each new instance of the service at its deployment, thereby improving security and managing access to secrets.
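One way to do what the question asks, as an added example that is not part of the original post: a small bootstrap script (meant to run as an init container or at the start of the application container) that authenticates to Vault with the pod's Kubernetes service-account JWT, performs the same write as `vault write -f auth/approle/role/devtest/secret-id`, and places the fresh secret-id in a 0600 file for the service to log in with. It assumes the Kubernetes auth role `test-app` from the annotations above, the AppRole name `devtest` from the question, an in-cluster Vault address and output path that are placeholders, and a Vault policy (shown as a string in the code, name assumed) granting `update` on the secret-id endpoint. The HTTP transport is injectable so the exchange can be exercised without a Vault server.

```python
"""Issue a fresh AppRole secret-id for one pod instance at start-up.

Added example, not code from the original question. Assumptions:
- the pod can log in with Vault's Kubernetes auth method using its
  projected service-account token;
- the Kubernetes auth role carries a policy with `update` on
  auth/approle/role/devtest/secret-id (see SECRET_ID_ISSUER_POLICY);
- the AppRole role `devtest` is configured with secret_id_num_uses=1 and a
  short secret_id_ttl, so each issued secret-id is good for exactly one login.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.vault.svc:8200")  # assumed address
KUBE_AUTH_ROLE = "test-app"   # vault.hashicorp.com/role annotation in the question
APPROLE_NAME = "devtest"      # AppRole role named in the question
SA_JWT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SECRET_ID_FILE = "/vault/secrets/secret-id"  # assumed destination inside the pod

# Vault policy (HCL) the Kubernetes auth role needs; policy name is assumed.
# Generating a secret-id is a write, hence `update` rather than `read`.
SECRET_ID_ISSUER_POLICY = '''
path "auth/approle/role/devtest/secret-id" {
  capabilities = ["update"]
}
'''

# A transport takes (url, json_body, headers) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]


def http_post(url: str, body: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: JSON POST against the Vault HTTP API."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def kubernetes_login(jwt: str, post: Transport = http_post) -> str:
    """POST /v1/auth/kubernetes/login with the SA JWT; returns a client token."""
    reply = post(f"{VAULT_ADDR}/v1/auth/kubernetes/login",
                 {"role": KUBE_AUTH_ROLE, "jwt": jwt}, {})
    return reply["auth"]["client_token"]


def issue_secret_id(client_token: str, post: Transport = http_post) -> Dict[str, str]:
    """Equivalent of `vault write -f auth/approle/role/devtest/secret-id`:
    an empty-bodied POST authenticated with the token from the Kubernetes login."""
    reply = post(f"{VAULT_ADDR}/v1/auth/approle/role/{APPROLE_NAME}/secret-id",
                 {}, {"X-Vault-Token": client_token})
    data = reply["data"]
    # The accessor is safe to log; the secret-id itself is not.
    return {"secret_id": data["secret_id"], "accessor": data["secret_id_accessor"]}


def write_secret_id(secret_id: str, path: str = SECRET_ID_FILE) -> str:
    """Write the secret-id with mode 0600 and O_EXCL: no other user in the pod
    can read it, and a leftover file from an earlier run fails loudly instead
    of being silently overwritten."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret_id)
    return path


def bootstrap(post: Transport = http_post, jwt_path: str = SA_JWT_PATH,
              out_path: str = SECRET_ID_FILE) -> Dict[str, str]:
    """Full sequence: read SA JWT -> Kubernetes login -> issue secret-id -> write file."""
    with open(jwt_path) as f:
        jwt = f.read().strip()
    token = kubernetes_login(jwt, post)
    issued = issue_secret_id(token, post)
    write_secret_id(issued["secret_id"], out_path)
    return issued


if __name__ == "__main__":
    result = bootstrap()
    print("issued secret-id with accessor", result["accessor"])
```

The per-instance uniqueness the question asks for comes from the AppRole role configuration rather than from this script: with `secret_id_num_uses=1` on `devtest`, the secret-id written here is invalidated by the service's first login, and `secret_id_ttl` bounds how long an unused one stays valid. The accessor returned alongside it is the handle to audit or revoke that specific secret-id later without knowing its value.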