I have set up vault-k8s to pull the vault image (for injection/sidecar) from a public registry, but the image for my main workload is behind a private registry.
Is there a way to use vault-k8s to retrieve the private registry's imagePullSecrets from Vault at deploy time? At the moment, I have kubectl create a Secret in the pod's target namespace before I apply my deployment.
If (1) is not possible, what secure patterns are others in the k8s/vault community using?
I am trying something similar. Any luck on getting this solved please?
I have found this as a workaround: external-secrets/kubernetes-external-secrets (https://github.com/external-secrets/kubernetes-external-secrets), "Integrate external secret management systems with Kubernetes".
It creates a Kubernetes Secret from a Vault KV engine secret and keeps it in sync, so for future changes you only need to update one place: Vault.
I can share the CRD definition. Obviously you need to install KES first.
```yaml
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata: {name: registry-pull-secret}   # placeholder; this is also the name of the Secret KES creates
spec:
  backendType: vault
  # Your authentication mount point, e.g. "kubernetes"
  # Overrides cluster DEFAULT_VAULT_MOUNT_POINT
  vaultMountPoint: kubernetes
  # The vault role that will be used to fetch the secrets
  # This role will need to be bound to kubernetes-external-secret's ServiceAccount; see Vault's documentation
  # Overrides cluster DEFAULT_VAULT_ROLE
  vaultRole: kubernetes-external-secrets   # placeholder role name
  type: kubernetes.io/dockerconfigjson     # Secret type required for use under imagePullSecrets
  data:
  - name: .dockerconfigjson
    # The full path of the secret to read, as in `vault read secret/data/hello-service/credentials`
    key: secret/data/test-app/config       # placeholder path
    property: .dockerconfigjson            # placeholder: the KV field that holds the docker config JSON
    # Vault values are matched individually. If you have several keys in your Vault secret, you will need to add them all separately
    # - name: username
    #   key: secret/data/test-app/config
    #   property: username
```
Hope this helps someone.
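Whichever route is used (the original poster's pre-deploy `kubectl create secret docker-registry`, or KES syncing a `.dockerconfigjson` property out of Vault), the value that ends up in the Secret has to be the exact JSON document kubelet expects, and it is worth checking that before a rollout depends on it. The following is an added example, not code from the thread or from the KES project: it builds that document for Vault, renders the equivalent Secret manifest, and validates a synced value (JSON shape, an `auths` entry for the registry, and an `auth` field that decodes to `user:password` and agrees with any sibling fields). The registry name, credentials and the `.dockerconfigjson` property name are constructed assumptions.

```python
import base64
import json

# Constructed sample values (not real credentials, not from the thread)
REGISTRY = "registry.example.com"
USERNAME = "ci-pull"
PASSWORD = "s3cr3t-token"


def build_dockerconfigjson(registry, username, password):
    """Build the JSON document Kubernetes expects under the .dockerconfigjson key
    of a kubernetes.io/dockerconfigjson Secret. kubelet uses the 'auth' field,
    which is base64("username:password")."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return json.dumps(doc, separators=(",", ":"))


def validate_dockerconfigjson(payload, registry):
    """Check a .dockerconfigjson value (e.g. the one KES synced into the namespace)
    before a deployment depends on it: valid JSON, an auths entry for `registry`,
    and an 'auth' field that decodes to user:password and agrees with any
    username/password fields stored beside it."""
    try:
        doc = json.loads(payload)
    except (json.JSONDecodeError, TypeError):
        return False
    entry = doc.get("auths", {}).get(registry) if isinstance(doc, dict) else None
    if not isinstance(entry, dict) or not isinstance(entry.get("auth"), str):
        return False
    try:
        user, sep, pwd = base64.b64decode(entry["auth"], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    if not sep or not user:
        return False
    return user == entry.get("username", user) and pwd == entry.get("password", pwd)


def vault_kv_data(registry, username, password):
    """The key/value map to write to Vault KV (v2) at the path the ExternalSecret's
    `key` points at, so KES can map the '.dockerconfigjson' property straight into
    the Secret's data key of the same name. The property name is an assumption."""
    return {".dockerconfigjson": build_dockerconfigjson(registry, username, password)}


def pull_secret_manifest(name, namespace, registry, username, password):
    """The Secret that `kubectl create secret docker-registry` (the pre-deploy
    workaround from the question) produces; data values are base64-encoded."""
    dcj = build_dockerconfigjson(registry, username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(dcj.encode()).decode()},
    }


def decode_pull_secret(manifest):
    """Decode the .dockerconfigjson value out of a Secret manifest (whether created
    by kubectl or synced by KES) so it can be passed to validate_dockerconfigjson."""
    return base64.b64decode(manifest["data"][".dockerconfigjson"]).decode()


if __name__ == "__main__":
    manifest = pull_secret_manifest("registry-pull-secret", "test-app", REGISTRY, USERNAME, PASSWORD)
    print(json.dumps(manifest, indent=2))
    print("vault kv data:", vault_kv_data(REGISTRY, USERNAME, PASSWORD))
    print("valid:", validate_dockerconfigjson(decode_pull_secret(manifest), REGISTRY))
```

In practice the validation step runs against `kubectl get secret <name> -o json` after KES reports the ExternalSecret as synced; a `False` there (wrong registry host, a stale `auth` that no longer matches a rotated password, or a property that was stored as a nested map instead of a JSON string) is caught before the first pod goes to ImagePullBackOff.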