Vault: Question: Can Vault Be Leveraged for Kubernetes Secrets Framework

Created on 26 Jun 2015 · 11 Comments · Source: hashicorp/vault

Can Vault be leveraged to store Kubernetes secret keys?

https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/secrets.md

All 11 comments

Hi @akamalov

Vault can store any secret and exposes an HTTP and CLI API for managing those secrets. I supposed Kubernetes would need to add support to communicate with Vault.

Pinging @kelseyhightower :smile:

@sethvargo @akamalov I'm actually playing around with this now, it would work and might be a good fit as a cluster addon.

Hey @kelseyhightower :smile:. Did you have a chance to play with this? Anything I can help answer?

@kelseyhightower by any chance did you get a chance to play with this? We would love to be able to use Vault as the backend for Kubernetes secrets instead of the plain text base64 values that k8s currently uses.

There's the security improvement, but you also gain a lot of flexibility in that mixed Kubernetes and non-Kubernetes systems can use the same store. You could also have multiple clusters using the same vault (with different permissions). Cuts down on cluster bootstrapping and secrets management.

@kelseyhightower, all - any recent work on this? @ethernetdan and I are looking at open source solutions for encrypting and storing Kubernetes secrets. Happy to help in any way we can

@kelseyhightower Pinging again. Also really interested in this.

If you have vault running you can do this:

```shell
#!/bin/bash
# Read the secret from Vault and base64-encode it for the Secret's data field.
# tr strips the line breaks that some base64 implementations insert for long values.
PASSWORD="$(vault read -field=value secret/password | base64 | tr -d '\n')"

# Create YAML object from stdin
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: "${PASSWORD}"
EOF
```

That way even the folks who manage the environment don't need to know what the secrets are...

We've opensourced a Kubernetes service to integrate with Vault: https://github.com/Boostport/kubernetes-vault

In our implementation, we have a service that can run in HA mode watch the Kubernetes API for new pods. If the pod has an annotation for an AppRole, we generate a wrapped secret_id for the AppRole and push it to an init container. The init container then exchanges the secret_id and role_id for an auth token and writes it to a volume. This volume can be mounted with other containers in the pod, so that they can request the secrets they need.

Any update on this one?

With the Kubernetes auth backend you can easily get your pods' Vault tokens, which can then be used to access secrets.

Having Kubernetes use Vault as the basis for its secret service is another matter and really something that belongs in the Kubernetes issue tracker (which it is, see above).

Closing this issue as a result.
