I have setup vault-k8s to pull the vault image (for injection/sidecar) from a public registry, but the image for my main workload is behind a private registry.
Is there a way to use vault-k8s to retrieve the private registry’s imagePullSecrets from Vault at deploy time? At the moment, I have kubectl create a Secret in the pod’s target namespace before I apply my deployment.
If (1) is not possible, what secure patterns are others in the k8s/vault community using?
It creates a Kubernetes Secret from Vault’s KV engine and will keep it in sync, so future changes only need to be applied in one place: Vault.
I can share the CRD definition. Obviously you need to install KES first.
apiVersion: "kubernetes-client.io/v1"
kind: ExternalSecret
metadata:
  name: internal-registry
spec:
  backendType: vault
  # Your authentication mount point, e.g. "kubernetes"
  # Overrides cluster DEFAULT_VAULT_MOUNT_POINT
  vaultMountPoint: kubernetes-auth-method
  # The vault role that will be used to fetch the secrets
  # This role will need to be bound to kubernetes-external-secret's ServiceAccount; see Vault's documentation:
  # https://www.vaultproject.io/docs/auth/kubernetes.html
  # Overrides cluster DEFAULT_VAULT_ROLE
  vaultRole: k8s-generic-infra
  kvVersion: 1
  template:
    type: kubernetes.io/dockerconfigjson
  data:
    - name: .dockerconfigjson
      # The full path of the secret to read, as in `vault read secret/data/hello-service/credentials`
      key: static/k8s-generic-infra/internal-registry
      property: .dockerconfigjson
    # Vault values are matched individually. If you have several keys in your Vault secret, you will need to add them all separately
    # - name: username
    #   key: secret/data/test-app/config
    #   property: username
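The ExternalSecret above only works if the Vault KV entry holds a `.dockerconfigjson` property in the exact shape kubelet expects. This added example (my own code, not from the post or from KES) builds that payload, renders the Secret that KES would produce, and decodes it back as a check; the registry host, username and password are constructed placeholders, and the `static/` KV v1 mount is an assumption taken from the ExternalSecret's `key`.

```python
import base64
import json


def build_dockerconfigjson(registry: str, username: str, password: str) -> str:
    """Return the JSON document kubelet expects in a kubernetes.io/dockerconfigjson Secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return json.dumps(cfg, separators=(",", ":"))


def render_secret(name: str, namespace: str, dockerconfigjson: str) -> dict:
    """Build locally a Secret of the same shape KES syncs from the ExternalSecret."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(dockerconfigjson.encode()).decode()},
    }


def registry_creds_from_secret(secret: dict) -> dict:
    """Decode a synced Secret and return {registry: (username, password)}, failing on malformed input."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("Secret is not of type kubernetes.io/dockerconfigjson")
    auths = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]
    creds = {}
    for reg, entry in auths.items():
        # kubelet uses the "auth" field (base64 of "user:password"); verify it is well formed
        user, _, pwd = base64.b64decode(entry["auth"]).decode().partition(":")
        if not user or not pwd:
            raise ValueError(f"malformed auth entry for {reg}")
        creds[reg] = (user, pwd)
    return creds


if __name__ == "__main__":
    # Constructed placeholder credentials for a private registry
    payload = build_dockerconfigjson("registry.internal.example", "ci-puller", "s3cret")
    # Store it once in Vault (assumed KV v1 mount "static/", matching the ExternalSecret's key):
    #   vault write static/k8s-generic-infra/internal-registry .dockerconfigjson="$payload"
    secret = render_secret("internal-registry", "default", payload)
    print(registry_creds_from_secret(secret))
```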