ibram

Reputation: 4579

Using TLS secret in ingress from hashicorp vault directly

How can I retrieve a TLS (SSL certificate) secret from HashiCorp Vault into an Ingress?

I have deployed microservices in Kubernetes (OpenStack) with ingress-nginx and HashiCorp Vault. The TLS keys are stored in Vault. I have created a SecretProviderClass:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: sslspc
spec:
  provider: vault
  # secretObjects asks the CSI driver to mirror the mounted files into a
  # Kubernetes Secret; the sync only happens while a pod mounts the volume.
  secretObjects:
  - secretName: sslspc
    data:
    - key: "tls.key"
      objectName: TLSKey
    - key: "tls.crt"
      objectName: TLSCert
    type: kubernetes.io/tls
  parameters:
    vaultAddress: http://vault.vault:8200
    roleName: "approle"
    # objects is a YAML list embedded as a string; secretPath is the Vault
    # API path (secret/data/<name> for a KV v2 mount).
    objects:  |
      - objectName: TLSKey
        secretPath: "secret/data/myssl"
        secretKey: "tls.key"
      - objectName: TLSCert
        secretPath: "secret/data/myssl"
        secretKey: "tls.crt"

but I can't use it directly in the Ingress. I have to create a pod which creates a volume and maps it to an environment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: depssl
  labels:
    app: appbusy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: appbusy
  template:
    metadata:
      labels:
        app: appbusy
    spec:
      serviceAccountName: mysa
      containers:
      - name: appbusy
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh"]
        args: ["-c", "while true; do sleep 300;done"]
        # The env entries read the Kubernetes Secret that the CSI driver
        # synced from the volume below.
        env:
        - name: TLS.KEY
          valueFrom:
            secretKeyRef:
              name: sslspc
              key: tls.key
        - name: TLS.CRT
          valueFrom:
            secretKeyRef:
              name: sslspc
              key: tls.crt
        volumeMounts:
        - name: sslspc
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      # Mounting this CSI volume is what triggers creation of the
      # kubernetes.io/tls Secret named in the SecretProviderClass.
      - name: sslspc
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "sslspc"

After this I can use it in my Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: sslspc
  rules:
  - host: example.com
    http:
      paths:
        - pathType: Prefix
          path: /
          backend:
            service:
              name: myservice
              port:
                number: 80

Is it possible to retrieve the secret in the Ingress without creating an additional pod just for mapping purposes?

Update (03/2023): As a result of my research, it is currently not possible. Solutions with a sidecar etc. make it more complicated and use more resources. So finally I have created a simple busybox deployment to create the secrets (see above). This seems to be the easiest and least resource-consuming solution.

Upvotes: 1

Views: 893
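The whole chain above (SecretProviderClass, the pod that mounts the CSI volume, the Ingress that references the synced Secret) fails silently when the manifest is inconsistent, because the sync simply produces no Secret or a Secret the Ingress cannot use. The following is an added example, not code from the question, the Secrets Store CSI driver or the Vault provider: it lints the asker's SecretProviderClass for the things a practitioner would check before deploying. The manifest is re-typed here as the dict `yaml.safe_load` would return so the script runs offline; `PAGE_SPC`, `BROKEN_SPC`, `parse_objects` and `lint_spc` are names chosen for this example. The plain-`http` finding is the security point: with `http://vault.vault:8200` the private key crosses the node-to-Vault hop unencrypted.

```python
"""Static consistency checks for a Secrets Store CSI SecretProviderClass
that syncs a kubernetes.io/tls Secret from Vault (added example)."""
import copy
import re

# The SecretProviderClass from the question, as yaml.safe_load would return it.
PAGE_SPC = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1",
    "kind": "SecretProviderClass",
    "metadata": {"name": "sslspc"},
    "spec": {
        "provider": "vault",
        "secretObjects": [{
            "secretName": "sslspc",
            "type": "kubernetes.io/tls",
            "data": [
                {"key": "tls.key", "objectName": "TLSKey"},
                {"key": "tls.crt", "objectName": "TLSCert"},
            ],
        }],
        "parameters": {
            "vaultAddress": "http://vault.vault:8200",
            "roleName": "approle",
            "objects": ('- objectName: TLSKey\n'
                        '  secretPath: "secret/data/myssl"\n'
                        '  secretKey: "tls.key"\n'
                        '- objectName: TLSCert\n'
                        '  secretPath: "secret/data/myssl"\n'
                        '  secretKey: "tls.crt"\n'),
        },
    },
}

# A constructed broken variant: https fixed, but the KV v2 "/data/" segment
# dropped and the tls.crt entry removed from the synced Secret.
BROKEN_SPC = copy.deepcopy(PAGE_SPC)
BROKEN_SPC["spec"]["parameters"]["vaultAddress"] = "https://vault.vault:8200"
BROKEN_SPC["spec"]["parameters"]["objects"] = (
    '- objectName: TLSKey\n  secretPath: "secret/myssl"\n  secretKey: "tls.key"\n')
BROKEN_SPC["spec"]["secretObjects"][0]["data"].pop()

_LINE = re.compile(r'^\s*(-\s+)?([A-Za-z]\w*):\s*"?([^"]*?)"?\s*$')


def parse_objects(objects_text):
    """Parse parameters.objects, a YAML list of flat maps that the driver
    stores as a string. Only the `- key: value` shape the Vault provider
    uses is handled; values may be double-quoted."""
    if isinstance(objects_text, list):      # already parsed by a YAML loader
        return objects_text
    items = []
    for line in objects_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        if m.group(1):                      # "- " opens a new list item
            items.append({})
        if not items:
            raise ValueError("field outside a list item: %r" % line)
        items[-1][m.group(2)] = m.group(3)
    return items


def lint_spc(spc):
    """Return a list of findings (strings); an empty list means no issue."""
    findings = []
    spec = spc.get("spec", {})
    params = spec.get("parameters", {})
    objects = {o.get("objectName"): o for o in parse_objects(params.get("objects", ""))}

    if params.get("vaultAddress", "").startswith("http://"):
        findings.append("vaultAddress uses plain http: the private key crosses the "
                        "node-to-Vault hop unencrypted; use https (and vaultCACertPath)")

    for name, obj in objects.items():
        for field in ("secretPath", "secretKey"):
            if field not in obj:
                findings.append("object %s lacks %s" % (name, field))
        path = obj.get("secretPath", "")
        if path.startswith("secret/") and "/data/" not in path:
            findings.append("object %s: secretPath %r may be a KV v2 mount without "
                            "the /data/ API segment" % (name, path))

    for so in spec.get("secretObjects", []):
        keys = {d.get("key") for d in so.get("data", [])}
        for d in so.get("data", []):
            if d.get("objectName") not in objects:
                findings.append("secret %s references unknown objectName %s"
                                % (so.get("secretName"), d.get("objectName")))
        if so.get("type") == "kubernetes.io/tls" and keys != {"tls.crt", "tls.key"}:
            findings.append("secret %s is kubernetes.io/tls but has keys %s; an Ingress "
                            "needs exactly tls.crt and tls.key"
                            % (so.get("secretName"), sorted(keys)))
    return findings


if __name__ == "__main__":
    for label, spc in (("page", PAGE_SPC), ("broken", BROKEN_SPC)):
        print(label, lint_spc(spc) or ["ok"])
```

Run against the question's manifest the only finding is the plain-http Vault address; the broken variant reports the missing `/data/` segment and a kubernetes.io/tls Secret with only `tls.key`, which is exactly the shape that makes an Ingress TLS block silently fall back to the default certificate.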

Answers (1)

Dharani Dhar Golladasari

Reputation: 1012

You can make use of the Vault injector to inject the secrets using annotations like:

  annotations:
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/agent-configmap: 'my-configmap'
    vault.hashicorp.com/tls-secret: 'vault-tls-client'

But to use these annotations you need to set up the injector mechanism in the cluster. Refer to the official documentation for the complete setup and some examples: DOC1 DOC2.

Try this tutorial to understand more about Vault injectors.

Upvotes: 0
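For comparison with the CSI approach in the question, here is an added example (not from the answer or from HashiCorp's documentation) of what the injector annotations look like on the asker's busybox Deployment. The Vault Kubernetes-auth role name `approle`, the secret path `secret/data/myssl` and the file names are taken from the question; the Deployment name is assumed. The injector runs a Vault Agent sidecar that renders the templates into files under `/vault/secrets/` inside the pod; it creates no Kubernetes Secret, so the Ingress object still cannot reference the certificate this way, which matches the asker's update.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: depssl-injected   # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: appbusy
  template:
    metadata:
      labels:
        app: appbusy
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Vault Kubernetes-auth role the sidecar logs in with (from the question)
        vault.hashicorp.com/role: "approle"
        # Each agent-inject-secret-<file> annotation names the Vault path;
        # the matching template picks one key out of the KV v2 payload.
        # Keys containing a dot must be read with `index`.
        vault.hashicorp.com/agent-inject-secret-tls.crt: "secret/data/myssl"
        vault.hashicorp.com/agent-inject-template-tls.crt: |
          {{- with secret "secret/data/myssl" -}}
          {{ index .Data.data "tls.crt" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-tls.key: "secret/data/myssl"
        vault.hashicorp.com/agent-inject-template-tls.key: |
          {{- with secret "secret/data/myssl" -}}
          {{ index .Data.data "tls.key" }}
          {{- end -}}
    spec:
      serviceAccountName: mysa
      containers:
      - name: appbusy
        image: busybox
        command: ["/bin/sh", "-c", "while true; do sleep 300; done"]
        # The rendered files appear at /vault/secrets/tls.crt and
        # /vault/secrets/tls.key in this container; nothing is written to the API.
```

The rendered files stay inside the pod's shared memory volume, which is a smaller exposure than a synced Secret readable by anything with `get secrets` in the namespace, but it also means the certificate is only usable by workloads that can read the file, not by the ingress controller through a Secret reference.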
