Put secrets into kubernetes Kind: Secret about vault-k8s HOT 5 CLOSED

Try something like

nginx.ingress.kubernetes.io/server-snippet: |
proxy_pass_request_body on;
proxy_pass_request_headers on;
proxy_ssl_server_name on;
proxy_ssl_certificate /vault/secrets/cert;
proxy_ssl_certificate_key /vault/secrets/key;

So you can instruct Nginx to read the secret from local file

from vault-k8s.

We have a similar need. Many existing helm charts expect to be configured via k8s ConfigMaps and Secrets and can't easily be edited to read directly from a file (or, in some cases, to easily apply annotations).

As an alternative we currently use vault-sidekick to fetch/renew the credential and store it in a k8s Secret whenever it changes. This is really clunky and so we would love if vault-agent could support this case more directly.

from vault-k8s.

Why to use third parties then hashicorp vault helm provides vault-agent sidecar injection?
https://learn.hashicorp.com/vault/getting-started-k8s/sidecar
for nginx ingress it will look like

   annotations:
     vault.hashicorp.com/agent-inject: "true"
     vault.hashicorp.com/agent-init-first: "true"
     vault.hashicorp.com/role: "{{ .Release.Name }}"

     vault.hashicorp.com/agent-inject-secret-cert: "secret/{{ .Release.Name }}"
     vault.hashicorp.com/agent-inject-template-cert: |
       {{`{{ with secret "secret/`}}{{.Release.Name}}{{`" }}{{ .Data.cert }}{{ end }}`}}

     vault.hashicorp.com/agent-inject-secret-key: "secret/{{ .Release.Name }}"
     vault.hashicorp.com/agent-inject-template-key: |
       {{`{{ with secret "secret/`}}{{.Release.Name}}{{`" }}{{ .Data.key }}{{ end }}`}}

As result vault-agent sidecar will be added to nginx
and /vault/secrets/cert /vault/secrets/key will be mounted inside nginx container, vault-agent will automatically update them

Only problem with vault-agent sidecar injection is what did not work always stable. Time to time mutating web hook did not mutate container and containers start without sidecar.

from vault-k8s.

I don't want to have nginx sidecars for all my pods, I want to have the single ingress which routes requests to pods.

Ingress resource has tls key to specify kubernetes secret name containing TLS cert/key:

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#ingressspec-v1beta1-networking-k8s-io

I want to use vault-agent-managed secret(s) for ingress, i.e. stored on a volume.
How can I achieve this?
Will ingress listen for HTTPS connections without the tls key?
Will injecror manage volumes/secrets for me if I specify vault-agent annotations on an ingress resource?

from vault-k8s.

You can use vault issuer in cert-manager, and then use secret created by cert-manager in your nginx-ingress.

from vault-k8s.