Support for Hashicorp Vault #198
Conversation
|
cc @silasbw @JacopoDaeli @jeffpearce from the linked issue 👍 |
README.md
Outdated
| # This role will need to be bound to kubernetes-external-secret's ServiceAccount; see Vault's documentation: | ||
| # https://www.vaultproject.io/docs/auth/kubernetes.html | ||
| vaultRole: my-vault-role | ||
| properties: |
There was a problem hiding this comment.
rename to data. we renamed this to data a while ago (but are still backwards compatible with properties).
There was a problem hiding this comment.
Sounds good! Fixing...
| backendType: vault | ||
| vaultMountPoint: my-kubernetes-vault-mount-point | ||
| vaultRole: my-vault-role | ||
| properties: |
lib/backends/vault-backend.js
Outdated
| */ | ||
| async getSecretManifestData ({ secretDescriptor }) { | ||
| const data = {} | ||
| // Use secretDescriptor.properties to be backwards compatible. |
There was a problem hiding this comment.
Oh yes, punted it a few lines down
lib/backends/vault-backend.js
Outdated
| async getSecretManifestData ({ secretDescriptor }) { | ||
| const data = {} | ||
| // Use secretDescriptor.properties to be backwards compatible. | ||
| const vaultMountPoint = secretDescriptor.vaultMountPoint | ||
| const vaultRole = secretDescriptor.vaultRole | ||
|
|
||
| const externalData = secretDescriptor.data || secretDescriptor.properties | ||
| const secretPropertyValues = await this._fetchSecretPropertyValues({ | ||
| vaultMountPoint, | ||
| vaultRole, | ||
| externalData | ||
| }) | ||
| externalData.forEach((secret, index) => { | ||
| data[secret.name] = (Buffer.from(secretPropertyValues[index], 'utf8')).toString('base64') | ||
| }) | ||
| return data | ||
| } |
There was a problem hiding this comment.
Think it would be good if we didn't have to maintain duplicates of getSecretManifestData and _fetchSecretPropertyValues now theres an additional dataFrom support in kv-backend as well :)
Perhaps we could pass along extras from secretDescriptor
to something like
async getSecretManifestData ({
secretDescriptor: {
// Use secretDescriptor.properties to be backwards compatible.
properties = [],
data = properties,
dataFrom = [],
...secretDescriptorOptions
}
}) { and pass along secretDescriptorConfig to the fetch functions which can send it down to abstract get ie
const [dataFromValues, dataValues] = await Promise.all([
this._fetchDataFromValues({ dataFrom, secretDescriptorOptions}),
this._fetchDataValues({ data, secretDescriptorOptions})
])then signature of _get could become
_get ({ secretKey, secretDescriptorOptions }) {
@silasbw forgot to press post 😅
| @@ -46,4 +46,22 @@ subjects: | |||
| - name: {{ template "kubernetes-external-secrets.serviceAccountName" . }} | |||
| namespace: {{ .Release.Namespace | quote }} | |||
| kind: ServiceAccount | |||
| --- | |||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |||
| kind: ClusterRoleBinding | |||
There was a problem hiding this comment.
| @@ -16,6 +16,7 @@ if (environment === 'development') { | |||
| require('dotenv').config() | |||
| } | |||
|
|
|||
| const vaultEndpoint = process.env.VAULT_ADDR || 'http://127.0.0.1:8200' | |||
There was a problem hiding this comment.
add the VAULT_ADDR env variable to the chart values file https://github.com/godaddy/kubernetes-external-secrets/blob/master/charts/kubernetes-external-secrets/values.yaml#L6 and update README?
There was a problem hiding this comment.
Good point, adding this!
|
Alright, I've addressed all code comments; now adding unit tests as well as per @silasbw comment 👍 |
There was a problem hiding this comment.
i think this is awesome. i think kubernetes-external-secrets has an issue with our kv-backend.js/KVBackend implementation being too specific to AWS, but i think that's outside the scope of this PR (i'll let @Flydiverny confirm :))
| @@ -217,7 +218,7 @@ data: | |||
|
|
|||
| ## Backends | |||
|
|
|||
| kubernetes-external-secrets supports both AWS Secrets Manager and AWS System Manager. | |||
| kubernetes-external-secrets supports AWS Secrets Manager, AWS System Manager, and Hashicorp Vault. | |||
|
Think we can merge this as is once tests are in, and do a separate PR to improve kv-backend! :) |
|
The tests are here! 🎉 |
|
Uh oh, wait a bit before merging please – I just realised that this version (post-reviews) now creates apiVersion: v1
kind: Secret
metadata:
name: hello-service
namespace: default
type: Opaque
data:
undefined: b3Blbiwgc2VzYW1lI have to leave for the day but will review this and fix it asap tomorrow. |
|
Found & fixed the issue & rebased on top of master. This is ready to merge if approved :) |
lib/backends/vault-backend.js
Outdated
| externalData | ||
| }) | ||
| externalData.forEach((secret, index) => { | ||
| data[secret.property] = (Buffer.from(secretPropertyValues[index], 'utf8')).toString('base64') |
There was a problem hiding this comment.
this should be set by secret.name instead of property
|
I was also perhaps a bit fast on merging #204 (meanwhile you rebased) but I can fix that part after this is merged |
VAULT_ENDPOINT is now VAULT_ADDR to keep with the vault defaults. The RBAC is necessary for the Vault Kubernetes authentication method. Fix property lookup by stringifying only if we're sending back the whole secret data rather than just one property.
|
@Flydiverny thanks for the feedback! I've amended this PR by adding |
There was a problem hiding this comment.
Whoop think this is good to go! 🎉
@silasbw wanna take a last look?
|
We just released 2.1.0 which includes vault support. thank you for contributing this 🥂 ! |
Hello all!
I've been building on @bboerst 's work from his fork to add support for Hashicorp Vault as a backend for external-secrets. 🎉
I've currently got this working through the bundled Helm Chart, which I've had to tweak a little to add the necessary bits and pieces.
I've also added a first draft of documentation, please let me know what you think / what could be improved!
Fixes #62