Kubernetes Vault and Secrets

Is there documentation on Pod injection/consumption of secrets in Kubernetes Pods?

Do the current recommendations for consuming secrets in pods still stand, those being init and sidecar containers? This is all in relation to the new Vault Helm chart that has been officially released.

Thanks

I don’t think we have a guide on this yet; however @joatmon08 and @mishra just did a tutorial on this at OSCON. Pinging them to share the repo.

That would be great, thank you.

Here you go : https://github.com/hashicorp/hands-on-with-vault-on-kubernetes


Does this actually copy the Vault secrets into k8s secrets, in such a way that they’re persistent in etcd? Trying to understand what size limits we’re going to run into (since most k8s secrets have a 1MB limit due to etcd, afaiu).

It doesn’t copy secrets to etcd; the secrets stay in Vault. The pattern just shows how to expose these to your Kubernetes applications.

We also have some new features which manage much of this process through a mutating webhook. The following two blogs detail this new process:


Kind regards,

Nic

Hi Nic,
I was trying out the steps mentioned in the first article, “Injecting Vault secrets into Kubernetes Pods via a Sidecar”.
Our Vault is deployed in a separate k8s cluster, and I want to access the secrets from another cluster using the steps mentioned. Is it possible, or is it assumed that both Vault and the application are running in the same cluster?

Oh wow sorry for the delay here. It should be possible indeed.

The agent that runs in the sidecar just needs to point to the remote Vault cluster. You also need to configure the authentication in the Vault cluster to use the API server where the agent is running. This should be possible, as multiple k8s auth backends can be configured on a single Vault cluster.

By default the Helm chart installs the Vault server; to disable this and to point things to an external cluster, you can use the following setting in the Helm values.

  # External vault server address for the injector to use. Setting this will
  # disable deployment of a vault server along with the injector.
  externalVaultAddr: ""
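The three pieces Nic describes (a second Kubernetes auth mount on the Vault cluster that trusts the app cluster's API server, an injector-only Helm install pointed at the remote Vault, and the webhook annotations on the workload) fit together as below. This is an added example and not code from the thread or from the vault-helm project; every address, namespace, mount path, service account and secret path in it is an assumed placeholder, and the `vault`, `helm` and `kubectl` commands only run when the functions are called, so the file can be sourced first and the rendered YAML reviewed. Which parent key `externalVaultAddr` sits under in values.yaml (`injector:` or `global:`) depends on the chart version, so check the `values.yaml` of the chart you deploy before using the `--set` below.

```shell
#!/usr/bin/env sh
# Added example: Vault Agent injector in an "app" cluster talking to a Vault
# server that runs somewhere else. All values below are assumed placeholders.

VAULT_ADDR="${VAULT_ADDR:-https://vault.example.internal:8200}"  # assumed remote Vault
AUTH_PATH="${AUTH_PATH:-kubernetes-app-cluster}"  # one mount per cluster, so several clusters can share one Vault
APP_NAMESPACE="${APP_NAMESPACE:-default}"
APP_SA="${APP_SA:-webapp}"  # service account the pod runs as; Vault binds the role to it
SECRET_PATH="${SECRET_PATH:-secret/data/webapp/config}"  # KV v2 path, hence the /data/

# The sidecar sends the pod's service-account JWT to this address, so only
# accept an https:// URL; a plaintext address would leak that token in transit.
check_vault_addr() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "externalVaultAddr must start with https://, got: $1" >&2; return 1 ;;
  esac
}

# Step 1, run with VAULT_ADDR/VAULT_TOKEN pointed at the Vault cluster:
# a Kubernetes auth mount that validates tokens against the *app* cluster's
# API server ($1), using a token-reviewer JWT ($2, file) and that cluster's
# CA certificate ($3, PEM file). Multiple such mounts can coexist on one Vault.
configure_remote_auth() {
  vault auth enable -path="$AUTH_PATH" kubernetes
  vault write "auth/$AUTH_PATH/config" \
    kubernetes_host="$1" \
    token_reviewer_jwt=@"$2" \
    kubernetes_ca_cert=@"$3"
  # Least privilege: the role is bound to one service account in one namespace.
  vault write "auth/$AUTH_PATH/role/$APP_SA" \
    bound_service_account_names="$APP_SA" \
    bound_service_account_namespaces="$APP_NAMESPACE" \
    policies="$APP_SA" \
    ttl=1h
}

# Step 2, run against the app cluster: install only the injector webhook.
# Setting externalVaultAddr disables deployment of a Vault server by the chart.
install_injector() {
  check_vault_addr "$VAULT_ADDR" || return 1
  helm install vault hashicorp/vault \
    --set "injector.externalVaultAddr=$VAULT_ADDR"
}

# Step 3: the workload. The annotations are what the mutating webhook acts on;
# auth-path must name the mount created in step 1, otherwise the agent will
# try the default auth/kubernetes mount and fail to log in.
render_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $APP_SA
  namespace: $APP_NAMESPACE
spec:
  replicas: 1
  selector:
    matchLabels:
      app: $APP_SA
  template:
    metadata:
      labels:
        app: $APP_SA
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "$APP_SA"
        vault.hashicorp.com/auth-path: "auth/$AUTH_PATH"
        vault.hashicorp.com/agent-inject-secret-config.txt: "$SECRET_PATH"
    spec:
      serviceAccountName: $APP_SA
      containers:
        - name: app
          image: nginx:stable  # assumed placeholder image
EOF
}

# Usage, in order:
#   configure_remote_auth https://app-cluster-api.example.internal:6443 reviewer.jwt app-ca.pem
#   install_injector
#   render_deployment | kubectl apply -f -
# The injected file then appears in the pod at /vault/secrets/config.txt and
# is never written to the app cluster's etcd.
```

The rendered secret never becomes a Kubernetes Secret object, which is the answer to the earlier etcd question: the agent writes it to a shared in-memory volume inside the pod, so the 1MB etcd limit does not apply, and the data is gone when the pod is.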