I managed to enable vault secret injection via vault-injector by creating my own helm chart for the hcloud-cloud-controller-manager.
The current helm chart doesn't support command customization (I need to run source /vault/secrets/token before calling the hccm binary).
I also added podLabels and podAnnotations to the chart to add vault.hashicorp.com/agent-inject: 'true' and so on to the pod (and not to all resources that are deployed by the chart).
Maybe these changes can be applied to the upstream (your) chart, but I know that adding a customized startup command is very specific and not needed by many users.
The other option could be reading the HCLOUD_TOKEN from a file that was placed inside the container by the vault-injector. This would avoid the use of a custom source command.
I would like to see support for HashiCorp Vault.
More specifically, the Vault Agent Injector, which can inject secrets from Vault into pods.
To do this, HCCM must either read the HCLOUD_TOKEN from a file or enable the sourcing of a file before startup (so that injecting environment variables via vault is possible, see https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#environment-variable-example).
Another solution would be to use the Vault Secrets Operator, which synchronises Vault Secrets with Kubernetes Secrets. However, I think loading on pod startup is better (because it can use the pod service account. This can also be done with the VSO but this requires 2 CRDs for each secret that should be loaded (VaultAuth and VaultStaticSecret)).

What do the developers and the community think about this change?
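The file-reading option raised in this issue and in the comment above, as an added Go example (not HCCM's own code): the loader accepts either a bare token or the `export HCLOUD_TOKEN="..."` line a Vault agent-inject template renders for sourcing, so one rendered file serves both approaches. HCLOUD_TOKEN_FILE is an assumed variable name, not one HCCM defines.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// parseTokenFile accepts a bare token or the `export HCLOUD_TOKEN="..."` line a
// Vault agent-inject template renders for sourcing; blank and "#" lines are skipped.
func parseTokenFile(content string) (string, error) {
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if t := strings.Trim(strings.TrimPrefix(line, "export HCLOUD_TOKEN="), `"'`); t != "" {
			return t, nil
		}
	}
	return "", fmt.Errorf("token file has no non-empty token line")
}

// loadToken prefers HCLOUD_TOKEN from the environment and falls back to the file named
// by HCLOUD_TOKEN_FILE (an assumed name, not HCCM's); getenv/readFile are injected for testing.
func loadToken(getenv func(string) string, readFile func(string) ([]byte, error)) (string, string, error) {
	if t := strings.TrimSpace(getenv("HCLOUD_TOKEN")); t != "" {
		return t, "env", nil
	}
	path := getenv("HCLOUD_TOKEN_FILE")
	b, err := readFile(path)
	if err != nil {
		return "", "", fmt.Errorf("HCLOUD_TOKEN unset and token file %q unreadable: %w", path, err)
	}
	t, err := parseTokenFile(string(b))
	if err != nil {
		return "", "", fmt.Errorf("%s: %w", path, err)
	}
	return t, "file", nil
}

func main() {
	tok, src, err := loadToken(os.Getenv, os.ReadFile)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Log origin and length only; the token value itself never goes to the logs.
	fmt.Printf("loaded HCLOUD_TOKEN (%d bytes) from %s\n", len(tok), src)
}
```

Run it with either HCLOUD_TOKEN set or HCLOUD_TOKEN_FILE pointing at a file such as the injector's /vault/secrets/token; an empty `export HCLOUD_TOKEN=""` line is rejected rather than silently yielding an empty credential.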