Kubernetes secrets


Martin Höfling

Sep 8, 2017, 10:52:31 AM
to confidant-users
Hey folks,

are there any solutions to access secrets stored in confidant from kubernetes pods? I couldn't find much about that topic, but confidant would be a nice fit for us since we're also using saltstack.

Best

Martin

Ryan Lane

Sep 8, 2017, 2:51:00 PM
to Martin Höfling, confidant-users
Hey Martin,

We've actually been looking at this at Lyft lately. The biggest issue with k8s at this point is that its native secret support stores data unencrypted, so it's not possible to simply fetch the creds and store them in k8s feature set. An initial approach we're likely to take is to use an initializer container that will write the credentials on disk (on a ram disk), where that location will be bind mounted into the appropriate container.

In the long term we have a couple considerations in mind:

1. Once k8s secrets have had major issues worked out (like encryption at rest, etc) we'd continue keeping secrets in confidant as the source of truth, and have it update k8s secrets on changes using kubectl.
2. Run a confidant client container in each pod to fetch and update secrets in the ram disk.

- Ryan

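The initializer-container approach Ryan describes, written out as a Pod manifest. This is an added illustration, not code from the thread or from the Confidant project: the image names and the service name are placeholders, and the `confidant get_service --service ...` invocation and its config/auth setup are assumptions about the client CLI rather than something the thread states.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-confidant-creds        # hypothetical name
spec:
  volumes:
    # tmpfs-backed volume: the "ram disk" from the thread. Contents live in
    # memory only and are discarded when the pod is removed; they count
    # against the pod's memory, so cap the size.
    - name: creds
      emptyDir:
        medium: Memory
        sizeLimit: 1Mi
  initContainers:
    # Runs to completion before the app container starts, fetching the
    # credentials from Confidant and writing them into the shared volume.
    - name: fetch-creds
      image: CONFIDANT_CLIENT_IMAGE       # placeholder image
      command: ["/bin/sh", "-ec"]
      args:
        # Assumed client invocation; server URL and KMS auth settings are
        # expected to come from the client's own config, not shown here.
        - |
          confidant get_service --service "$SERVICE_NAME" > /creds/service.json
          chmod 0400 /creds/service.json
      env:
        - name: SERVICE_NAME
          value: myservice-production       # placeholder service name
      volumeMounts:
        - name: creds
          mountPath: /creds
  containers:
    # The application sees the credentials at a fixed path, read-only, and
    # never needs Confidant client credentials itself.
    - name: app
      image: APP_IMAGE                    # placeholder image
      volumeMounts:
        - name: creds
          mountPath: /run/secrets/confidant
          readOnly: true
```

Because the init container only runs once, the file is a snapshot taken at pod start; the sidecar variant in Ryan's second point would instead keep a client container running to refresh the same volume.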

Martin Höfling

Sep 9, 2017, 4:33:50 PM
to Ryan Lane, confidant-users
On 08.09.17 20:50, Ryan Lane wrote:

Hey Ryan,
> We've actually been looking at this at Lyft lately. The biggest issue
> with k8s at this point is that its native secret support stores data
> unencrypted, so it's not possible to simply fetch the creds and store
> them in k8s feature set. An initial approach we're likely to take is
> to use an initializer container that will write the credentials on
> disk (on a ram disk), where that location will be bind mounted into
> the appropriate container.
OK, that workaround is similar to what I've seen with vault.
> In the long term we have a couple considerations in mind:
>
> 1. Once k8s secrets have had major issues worked out (like encryption
> at rest, etc) we'd continue keeping secrets in confidant as the source
> of truth, and have it update k8s secrets on changes using kubectl.
> 2. Run a confidant client container in each pod to fetch and update
> secrets in the ram disk.
From what I've seen, there's quite some ongoing work on the secrets API
with vault integration as prototype for 1.8? or 1.9. Maybe one could use
that as a template for confidant integration.

Best wishes and thanks,

Martin

