-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support more granular Vault Agent and volume configs #115
Comments
Hi @rollerd, We already offer a way of mounting a configuration file via the With this in mind we would probably only have a single annotation, Something like: vault.hashicorp.com/agent-inject: true
vault.hashicorp.com/agent-configmap: myconfigmap
vault.hashicorp.com/agent-extra-secret: mysecret Thoughts? |
Hey @jasonodonnell , Thanks for the quick response! I started digging into this today and came across a few issues. However, unless I'm missing something (like with the agent-configmap) it seems there are some issues:
Thanks in advance for your feedback! |
Created PR #119 that adds an annotation for creating volumes from Kube secrets that get mounted to This works and the only downside at this point is having to create a separate full configmap - complete with custom template - for each service/app that might run. |
Anything I can add/remove/change to get some feedback on the PR referenced above? |
The related PR for this is merged. Closing this out. |
Just wanted to start a conversation and get some input regarding increasing the configure-ability of both the Vault agent and the volumes/paths that get mounted into the pods.
It seems like a large number of the open issues could be resolved if people had a way to modify more fields in the Vault agent config as well as more control over volumes and paths in both the sidecar/init pods and app pods.
My initial foray into this was attempting to add support for other auto-auth methods (specifically approle auth), which required modifying not only the Vault agent config, but also creating volumes from secrets which housed things like roleid and secretid.
From looking at the requirements for the other auto-auth methods, it would seem that a similar way to add either volumes or env vars mounted from kube secrets is needed.
So my question is, how should all that look? @smitthakkar96 I believe rightly pointed out that just throwing a ton more annotations into the mix might not be the best solution.
However, having annotations that contain a bunch of raw json configuration also doesn't seem to be ideal either.
A thought was to have an annotation that could specify an existing kube secret from which to mount a volume/file(s)/env vars into the sidecar/init pods. This handles the case of making credentials available to the vault agent config.
For actually modifying the vault agent config, would passing some fields as key-value pairs in an auto-auth config annotation work?
For example, the only difference in config to make approle auth vs kubernetes auth work is the following:
mount_path already has its own annotation, so could we just use a 'config' annotation with k/v pairs for that section?
I'm happy to put in some work on this, but I wanted to try and get as much input as possible instead of just throwing stuff at the PR wall and hoping something sticks since I'm sure there's a bunch of stuff I'm missing. @jasonodonnell any thoughts on what you'd like to see on this?
TL;DR
would the following annotations cover most of the use cases for configuring vault agent and volumes?
The text was updated successfully, but these errors were encountered: