Problem description
When configuring KES configuration and vault interaction, there is no option to provide a secret to secure the role_id and secret_id as part of the config. As a consequence, the vault configuration needs to be in the clear in the general values.yaml. In the templates there is a helm/tenant/templates/kes-configuration-secret.yaml which is not possible to skip, and it forces creation of the secret. That way there is no way to use the existing pre-created secret, which would be more secure.
Describe the solution you'd like
A trivial solution might be to change the condition of the https://github.com/minio/operator/blob/master/helm/tenant/templates/kes-configuration-secret.yaml to not create a secret if we provide one. Then we could allow the KES configuration to use the existing pre-created secret.
There are already options of existingSecret in tenant configuration, but for KES it's missing.
Additional context
This secret could be pre created, so you don't have to force creation.
simicivan173 changed the title from "Allow kes-configuration to be loaded from secret" to "Helm chart - Allow kes-configuration (kesSecret) to be loaded from existing secret" on Jan 31, 2024
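One way the behaviour requested above could look, as an added example that is not the chart's own code: the Secret template is rendered only when no pre-created Secret is named, and the AppRole credentials live in a Secret created outside Helm. The value `tenant.kes.existingSecret`, the Secret names, the `server-config.yaml` key, the Vault endpoint and the placeholder credentials are all assumptions.

```yaml
# 1) Guarded template: a hypothetical body for
#    helm/tenant/templates/kes-configuration-secret.yaml.
#    tenant.kes.existingSecret is an assumed value, not a current chart option;
#    tenant.kes.configuration is assumed to be a YAML string.
{{- with .Values.tenant.kes }}
{{- if not .existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  # Assumed name of the chart-managed Secret.
  name: kes-configuration
type: Opaque
stringData:
  # Assumed key under which the KES server config is stored.
  server-config.yaml: |
    {{- .configuration | nindent 4 }}
{{- end }}
{{- end }}
---
# 2) Secret created out of band (kubectl, a secrets operator, etc.),
#    so role_id and secret_id never appear in values.yaml.
#    Name, namespace, endpoint and credentials are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: kes-vault-config
  namespace: <tenant-namespace>
type: Opaque
stringData:
  server-config.yaml: |
    keystore:
      vault:
        endpoint: https://vault.example.internal:8200
        approle:
          id: "<role_id>"
          secret: "<secret_id>"
---
# 3) values.yaml then carries only a reference to that Secret.
tenant:
  kes:
    existingSecret: kes-vault-config
```

For this to take effect, the Tenant's `kesSecret` reference would also have to point at the name given in `existingSecret`.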