Comments (5)
Try something like

```yaml
nginx.ingress.kubernetes.io/server-snippet: |
  proxy_pass_request_body on;
  proxy_pass_request_headers on;
  proxy_ssl_server_name on;
  proxy_ssl_certificate /vault/secrets/cert;
  proxy_ssl_certificate_key /vault/secrets/key;
```

So you can instruct Nginx to read the secret from a local file.
from vault-k8s.
We have a similar need. Many existing Helm charts expect to be configured via k8s ConfigMaps and Secrets and can't easily be edited to read directly from a file (or, in some cases, to easily apply annotations).

As an alternative we currently use vault-sidekick to fetch/renew the credential and store it in a k8s Secret whenever it changes. This is really clunky, so we would love it if vault-agent could support this case more directly.
Why use third parties when the HashiCorp Vault Helm chart provides vault-agent sidecar injection?
https://learn.hashicorp.com/vault/getting-started-k8s/sidecar

For nginx ingress it will look like:

```yaml
annotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-init-first: "true"
  vault.hashicorp.com/role: "{{ .Release.Name }}"
  vault.hashicorp.com/agent-inject-secret-cert: "secret/{{ .Release.Name }}"
  vault.hashicorp.com/agent-inject-template-cert: |
    {{`{{ with secret "secret/`}}{{.Release.Name}}{{`" }}{{ .Data.cert }}{{ end }}`}}
  vault.hashicorp.com/agent-inject-secret-key: "secret/{{ .Release.Name }}"
  vault.hashicorp.com/agent-inject-template-key: |
    {{`{{ with secret "secret/`}}{{.Release.Name}}{{`" }}{{ .Data.key }}{{ end }}`}}
```

As a result the vault-agent sidecar will be added to nginx, /vault/secrets/cert and /vault/secrets/key will be mounted inside the nginx container, and vault-agent will automatically update them.

The only problem with vault-agent sidecar injection is that it did not always work stably. From time to time the mutating webhook did not mutate the container and containers started without the sidecar.
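As an added illustration (not from the thread or from vault-k8s) of what Helm turns the backtick-escaped template annotations above into before the injector webhook ever sees them, here is a small Python renderer for just the two Helm constructs they use, assuming a release named myapp and the default /vault/secrets mount path.

```python
import re

# Constructed sample: the thread's annotations as Helm sees them before rendering.
CHART_ANNOTATIONS = {
    "vault.hashicorp.com/agent-inject": "true",
    "vault.hashicorp.com/agent-init-first": "true",
    "vault.hashicorp.com/role": "{{ .Release.Name }}",
    "vault.hashicorp.com/agent-inject-secret-cert": "secret/{{ .Release.Name }}",
    "vault.hashicorp.com/agent-inject-template-cert":
        '{{`{{ with secret "secret/`}}{{.Release.Name}}{{`" }}{{ .Data.cert }}{{ end }}`}}',
    "vault.hashicorp.com/agent-inject-secret-key": "secret/{{ .Release.Name }}",
    "vault.hashicorp.com/agent-inject-template-key":
        '{{`{{ with secret "secret/`}}{{.Release.Name}}{{`" }}{{ .Data.key }}{{ end }}`}}',
}

# Group 1: a backtick literal {{`...`}}; group 2: a dotted lookup like {{ .Release.Name }}.
# These are the only two Helm constructs the thread's annotations use.
_TOKEN = re.compile(r"\{\{`(.*?)`\}\}|\{\{\s*\.([A-Za-z0-9_.]+)\s*\}\}", re.S)


def render_helm(template: str, values: dict) -> str:
    """Render the Helm subset above. A backtick literal is emitted verbatim, which
    is how the inner {{ with secret ... }} survives Helm and reaches vault-agent."""
    leftover = _TOKEN.sub("", template)
    if "{{" in leftover or "}}" in leftover:
        # Fail loudly instead of handing vault-agent a half-rendered template.
        raise ValueError(f"unsupported Helm construct in: {template}")

    def substitute(match):
        if match.group(1) is not None:
            return match.group(1)
        node = values
        for part in match.group(2).split("."):
            node = node[part]
        return str(node)

    return _TOKEN.sub(substitute, template)


def render_annotations(annotations: dict, values: dict) -> dict:
    """Render every annotation value; the result is what the injector webhook sees."""
    return {k: render_helm(v, values) for k, v in annotations.items()}


def injected_secret_paths(rendered: dict, mount: str = "/vault/secrets") -> list:
    """Files vault-agent will write, one per agent-inject-secret-<name> annotation.
    Assumes the default mount path and no agent-inject-file override (assumption)."""
    prefix = "vault.hashicorp.com/agent-inject-secret-"
    return sorted(f"{mount}/{k[len(prefix):]}" for k in rendered if k.startswith(prefix))
```

Running `render_annotations(CHART_ANNOTATIONS, {"Release": {"Name": "myapp"}})` shows the template annotations collapse to plain `{{ with secret "secret/myapp" }}...{{ end }}` vault-agent templates, and `injected_secret_paths` lists the two files the nginx snippet in the first comment points at.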
I don't want to have nginx sidecars for all my pods; I want to have a single ingress which routes requests to pods.

The Ingress resource has a tls key to specify the Kubernetes Secret name containing the TLS cert/key. I want to use vault-agent-managed secret(s) for the ingress, i.e. stored on a volume.

How can I achieve this?
Will the ingress listen for HTTPS connections without the tls key?
Will the injector manage volumes/secrets for me if I specify vault-agent annotations on an Ingress resource?
You can use the Vault issuer in cert-manager, and then use the secret created by cert-manager in your nginx-ingress.