Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure Vault connection details in Provider pod #82

Closed
tomhjp opened this issue Mar 24, 2021 · 2 comments · Fixed by #138
Closed

Configure Vault connection details in Provider pod #82

tomhjp opened this issue Mar 24, 2021 · 2 comments · Fixed by #138
Labels
enhancement New feature or request

Comments

@tomhjp
Copy link
Contributor

tomhjp commented Mar 24, 2021

Currently, Vault connection details are specified in the SecretProviderClass, e.g.:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-kv
spec:
  provider: vault
  parameters:
    roleName: "kv-role"
    vaultAddress: https://vault:8200
    vaultCACertPath: /mnt/tls/ca.crt
    vaultTLSClientCertPath: /mnt/tls/client.crt
    vaultTLSClientKeyPath: /mnt/tls/client.key
    objects: |
      - objectName: "secret-1"
        secretPath: "secret/data/kv1"
        secretKey: "bar1"

However, this awkwardly punctures the separation of concerns between the application namespace and the CSI provider's namespace. The application-namespaced SPC has to know about the contents of the provider pod's file system in order to configure which TLS certificates to use. The argument for vaultAddress being out of place is less clear, but would also arguably make more sense to be configured on the Vault provider side rather than on the application side.

If we move Vault connection details into the provider pod's configuration, in addition to a better separation of concerns, it will also allow us to safely deploy Vault Agent as a side car for the provider. That would then give us lots of nice features like caching and automatic lease renewal almost for free.
@tomhjp tomhjp added the enhancement New feature or request label Mar 24, 2021
@tomhjp tomhjp mentioned this issue May 6, 2021
Closed
@isugimpy
Copy link
Contributor

In this vein, the defaultVaultAddress and defaultVaultKubernetesMountPath are hardcoded constants. By changing both to be configurable at the Provider level, a sane default could be set for the Provider to use if the SecretProviderClass does not set them. This would be a helpful abstraction for users, and allow them to still override if they want to. Functionally, all that would be changing here is adding a configuration value with defaults for these two variables, instead of making them consts.

@isugimpy isugimpy mentioned this issue May 15, 2021
Merged
@ambis
Copy link

ambis commented Jan 19, 2022

I would love to see the client tls cert configs to be moved to the provider config as well.

The client TLS cert configs (eg. vaultTLSClientKeyPath) are tightly tied to the vault instance (ie. defaultVaultAddress), and having to define them on application level feels just wrong, especially when the vault address has been defaulted.

@tomhjp tomhjp mentioned this issue Feb 5, 2022
Merged
@dnlopes dnlopes mentioned this issue Jan 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support configuring all Vault connection details in flags hashicorp/vault-csi-provider
3 participants
@ambis @tomhjp @isugimpy