Vault-k8s imagePullSecrets

I have set up vault-k8s to pull the vault image (for injection/sidecar) from a public registry, but the image for my main workload is behind a private registry.

  1. Is there a way to use vault-k8s to retrieve the private registry’s imagePullSecrets from Vault at deploy time? At the moment, I have kubectl create a Secret in the pod’s target namespace before I apply my deployment.

  2. If (1) is not possible, what secure patterns are others in the k8s/vault community using?


I am trying something similar. Any luck on getting this solved please?


I have found this as a workaround. GitHub - external-secrets/kubernetes-external-secrets: Integrate external secret management systems with Kubernetes

It creates a Kubernetes secret from Vault’s KV engine, and will keep it in sync. So future changes only need to be applied in one place: Vault.

I can share the CRD definition. Obviously you need to install KES first.

apiVersion: "kubernetes-client.io/v1"
kind: ExternalSecret
metadata:
  name: internal-registry
spec:
  backendType: vault
  # Your authentication mount point, e.g. "kubernetes"
  # Overrides cluster DEFAULT_VAULT_MOUNT_POINT
  vaultMountPoint: kubernetes-auth-method
  # The vault role that will be used to fetch the secrets
  # This role will need to be bound to kubernetes-external-secret's ServiceAccount; see Vault's documentation:
  # https://www.vaultproject.io/docs/auth/kubernetes.html
  # Overrides cluster DEFAULT_VAULT_ROLE
  vaultRole: k8s-generic-infra
  kvVersion: 1
  template:
    type: kubernetes.io/dockerconfigjson
  data:
    - name: .dockerconfigjson
      # The full path of the secret to read, as in `vault read secret/data/hello-service/credentials`
      key: static/k8s-generic-infra/internal-registry
      property: .dockerconfigjson
    # Vault values are matched individually. If you have several keys in your Vault secret, you will need to add them all separately
    # - name: username
    #   key: secret/data/test-app/config
    #   property: username

Hope this helps someone.
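As an added illustration (not code from this thread or from kubernetes-external-secrets), the following Python builds the `.dockerconfigjson` payload you would store under the Vault KV path above and renders the Secret that the ExternalSecret's `template`/`property` mapping produces, checking that the payload has the shape the kubelet expects before it becomes an imagePullSecret. The registry name and credentials are constructed placeholders.

```python
import base64
import json


def build_dockerconfigjson(registry: str, username: str, password: str) -> str:
    """Render the JSON a kubernetes.io/dockerconfigjson Secret must carry.

    This is the value to store under the ".dockerconfigjson" property of the
    Vault KV secret that the ExternalSecret reads.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    return json.dumps({"auths": {registry: entry}})


def validate_dockerconfigjson(raw: str) -> list[str]:
    """Return the registries in the config; raise ValueError if the kubelet could not use it."""
    auths = json.loads(raw).get("auths")
    if not isinstance(auths, dict) or not auths:
        raise ValueError("dockerconfigjson must contain a non-empty 'auths' map")
    for registry, entry in auths.items():
        # kubelet decodes 'auth' as base64("user:password"); confirm it round-trips
        user, _, pw = base64.b64decode(entry.get("auth", "")).decode().partition(":")
        if not user or not pw:
            raise ValueError(f"'auth' for {registry} is not base64(user:password)")
    return sorted(auths)


def render_secret(name: str, namespace: str, vault_kv_data: dict) -> dict:
    """Build the Secret KES produces from the ExternalSecret above.

    Vault property ".dockerconfigjson" -> Secret data key ".dockerconfigjson"
    (base64-encoded, as in any Secret) under type kubernetes.io/dockerconfigjson.
    """
    raw = vault_kv_data[".dockerconfigjson"]
    validate_dockerconfigjson(raw)  # fail before writing a Secret no pod could pull with
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw.encode()).decode()},
    }


if __name__ == "__main__":
    # Constructed placeholder credentials standing in for the Vault KV v1 secret contents.
    kv = {".dockerconfigjson": build_dockerconfigjson("registry.example.internal", "ci-puller", "PLACEHOLDER")}
    print(json.dumps(render_secret("internal-registry", "default", kv), indent=2))
```

Reference the rendered Secret's name from the pod spec's `imagePullSecrets`, in the same namespace the ExternalSecret lives in.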