How to handle secrets? #5
Comments
We use Vault in our cluster and like it. Recent versions have the ability to authenticate based on a Service Account Token and namespace combination. You can then map the combination to a Vault Role by which you control secret access. I would love to see what other people are using.
@AlJaMa what requests the Vault secret? The app? Do native Kubernetes Secrets play a role here? If I, for instance, need a database password, how does that get into my container? During build time? At run time?
@towolf In our implementation the application requests the secret from Vault after authorizing using the service account token that, by default, can be found at One of the benefits of having the application request secrets from Vault directly is that we can utilize short-lived secrets generated and maintained by Vault. For instance, each replica of a service has unique database credentials that expire and must be refreshed. If you preferred for your application to be completely unaware of Vault, you could create a small init container that authenticates with Vault, pulls the required secrets, and writes them to disk for use as if it were a normal Kubernetes secret. I prefer to stay away from native Kubernetes Secrets as I have found them difficult to properly secure, and having short-lived, centrally managed, automatically rotated secrets is easy to do with Vault + Kubernetes.
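The flow described in the two comments above (log in to Vault with the pod's service account token, get short-lived database credentials, refresh them before the lease expires) as an added example. This is not code from the thread or from Vault; it assumes a Vault Kubernetes auth method mounted at `auth/kubernetes`, a role named `app-role`, and a database secrets engine role at `database/creds/app-ro`. Vault is replaced by a constructed in-memory transport so the block runs offline; the `http_transport` function is the hypothetical real transport.

```python
"""Vault Kubernetes-auth login plus lease-aware refresh of dynamic DB credentials."""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, Optional

# Standard Kubernetes location of the projected service account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def read_sa_token(path: str = SA_TOKEN_PATH) -> str:
    """Read the service account JWT that Vault will validate via the API server."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def http_transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
    """Hypothetical real transport over HTTP(S); not exercised by the offline demo below."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


class VaultClient:
    def __init__(self, addr: str, transport: Transport = http_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None

    def login_kubernetes(self, role: str, jwt: str, mount: str = "kubernetes") -> str:
        # POST /v1/auth/<mount>/login with {"role","jwt"}: Vault checks the JWT with a
        # TokenReview and that the role is bound to this SA name + namespace.
        resp = self.transport("POST", f"{self.addr}/v1/auth/{mount}/login", {},
                              {"role": role, "jwt": jwt})
        self.token = resp["auth"]["client_token"]
        return self.token

    def read(self, path: str) -> dict:
        if not self.token:
            raise RuntimeError("login before reading secrets")
        return self.transport("GET", f"{self.addr}/v1/{path}",
                              {"X-Vault-Token": self.token}, None)


class DynamicCredential:
    """Caches a leased credential and re-reads it at 80% of its lease_duration."""

    def __init__(self, client: VaultClient, path: str, refresh_fraction: float = 0.8,
                 clock: Callable[[], float] = time.monotonic):
        self.client, self.path, self.refresh_fraction, self.clock = client, path, refresh_fraction, clock
        self._data: Optional[Dict[str, Any]] = None
        self._expires_at = 0.0

    def get(self) -> Dict[str, Any]:
        now = self.clock()
        if self._data is None or now >= self._expires_at:
            resp = self.client.read(self.path)  # each read issues a fresh, unique credential
            self._data = resp["data"]
            self._expires_at = now + resp["lease_duration"] * self.refresh_fraction
        return self._data


def make_fake_vault(bindings: Dict[str, str]):
    """Constructed stand-in for the two Vault endpoints used above (not real Vault)."""
    state = {"issued": 0, "token": None}

    def transport(method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/kubernetes/login":
            if bindings.get(body["jwt"]) != body["role"]:  # role not bound to this SA
                raise PermissionError("service account not bound to role")
            state["token"] = "s.constructed-token"
            return {"auth": {"client_token": state["token"], "lease_duration": 3600}}
        if method == "GET" and path == "database/creds/app-ro":
            if headers.get("X-Vault-Token") != state["token"]:
                raise PermissionError("missing or invalid token")
            state["issued"] += 1
            return {"lease_id": f"database/creds/app-ro/{state['issued']}", "lease_duration": 60,
                    "renewable": True,
                    "data": {"username": f"v-app-{state['issued']}", "password": "constructed"}}
        raise FileNotFoundError(path)

    return transport, state


def demo():
    """Log in, read a credential, and show it is reused until ~80% of the lease elapses."""
    clock = [0.0]
    transport, state = make_fake_vault({"sa-jwt-for-app": "app-role"})
    client = VaultClient("http://vault.example:8200", transport)  # constructed address
    client.login_kubernetes("app-role", jwt="sa-jwt-for-app")
    cred = DynamicCredential(client, "database/creds/app-ro", clock=lambda: clock[0])
    first = cred.get()["username"]
    clock[0] = 30.0   # within the lease: cached value is returned
    cached = cred.get()["username"]
    clock[0] = 50.0   # past 48s (80% of 60s): a new credential is issued
    rotated = cred.get()["username"]
    return first, cached, rotated, state["issued"]


if __name__ == "__main__":
    print(demo())
```

In a real pod, `read_sa_token()` supplies the `jwt` argument and `http_transport` is left as the default; the refresh logic is what makes the per-replica credential expiry the comment mentions transparent to the application.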
For whoever is interested in secrets, there's https://github.com/bitnami-labs/sealed-secrets. Fairly simple to set up and the documentation is good.
Sealed Secrets creates a Secret under the hood, which is saved as plaintext.
Is there a best practice for handling secrets besides using the Secret object? What about Vault?