Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Add support for nginx ingress controller to get secrets #140

Open arsnyder16 opened 4 years ago

arsnyder16 commented 4 years ago

Describe the request
Currently you cannot get secrets from keyvault into nginx ingress controller. It would be nice if the kubernetes-keyvault-flexvol could sync secrets as native kubernetes secrets.

https://docs.microsoft.com/en-us/azure/aks/ingress-own-tls

Explain why Key Vault FlexVolume needs it
It would make Key Vault FlexVolume a fully integrated solution for KeyVault and Kubernetes.

Describe the solution you'd like
kubernetes-keyvault-flexvol could sync secrets as native kubernetes secrets, so that the nginx ingress controller could find the secret.

Describe alternatives you've considered
Kubernetes Ingress could also support pulling secrets from a volume; then you could use kubernetes-keyvault-flexvol as is.

https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

This could simplify some of the current setup, since kubernetes can already pull secrets on to volumes: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Additional context

sharkymcdongles commented 4 years ago

+1

Spaceman1861 commented 4 years ago

+1 this would be awesome

arsnyder16 commented 4 years ago

@ritazh Is there any insight into the priority of the enhancements being proposed, or what enhancements are currently being worked on?

Seems as if enhancements are being proposed but there is no feedback from the kubernetes-keyvault-flexvol contributors.

ritazh commented 4 years ago

Apologies for the delay. Seems this request is similar to this one: https://github.com/Azure/kubernetes-keyvault-flexvol/issues/28#issuecomment-579451206. Can you pls confirm?

arsnyder16 commented 4 years ago

@ritazh Possibly, it's not clear to me from that thread what is being proposed and what is being considered by the team. There seem to be three cases: Environment Variables, k8s Secrets, and a mutating webhook to inject the secret into the environment of the running process.

Currently nginx ingress only supports k8s secrets. Unless I am missing another way to configure it, but I am following the guidance in https://docs.microsoft.com/en-us/azure/aks/ingress-own-tls. It would be great if this documentation would recommend how to integrate with key vault.

flamingboo commented 4 years ago

This is a show-stopper for my ingress nginx on AKS - the private key & certificate should come from a vault (in this case, AKV). Is this in the backlog?

kwaazaar commented 4 years ago

Some K8S solutions rely on K8S secrets. To enable KV as a central store for all secrets, it should also support these solutions and thus support syncing to K8S secrets.

ms-mullins commented 4 years ago

+1 needed

syedhassaanahmed commented 4 years ago

+1. Our current workaround is to use cert-manager with LetsEncrypt, but we prefer provisioning and storing certificates in Key Vault.

ritazh commented 4 years ago

Hi everyone! 👋 We have recently added the sync with Kubernetes secrets feature in Secrets Store CSI driver. To see how it works for nginx ingress controller tls, PTAL at this doc: https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/sample/ingress-controller-tls
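For readers who want to see what the secret sync discussed in this thread looks like in practice, here is an added example (not from this issue, the flexvol project, or the linked sample) of a Secrets Store CSI driver `SecretProviderClass` that mirrors a Key Vault certificate into a `kubernetes.io/tls` Secret, plus an Ingress that consumes it. The Key Vault, tenant, identity and certificate names in angle brackets are placeholders; fetching a Key Vault certificate with `objectType: secret` returns the private key together with the certificate, which the driver splits into `tls.key` and `tls.crt`.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-ingress-tls
  namespace: ingress-basic
spec:
  provider: azure
  # secretObjects mirrors the mounted files into a Kubernetes Secret. The Secret
  # only exists while a pod in this namespace mounts the volume, so the ingress
  # controller pod itself must mount it (ingress-nginx chart: extraVolumes).
  secretObjects:
    - secretName: ingress-tls-csi
      type: kubernetes.io/tls
      data:
        - objectName: <cert-name>
          key: tls.key
        - objectName: <cert-name>
          key: tls.crt
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<identity-client-id>"   # placeholder
    keyvaultName: "<keyvault-name>"                  # placeholder
    tenantId: "<tenant-id>"                          # placeholder
    objects: |
      array:
        - |
          objectName: <cert-name>
          objectType: secret
---
# Ingress resolving TLS from the synced Secret, exactly as it would from a
# hand-created kubernetes.io/tls Secret; no Key Vault awareness is needed here.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: ingress-basic
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: ingress-tls-csi
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: app, port: { number: 80 } }
```

The sync only happens when the driver is installed with `syncSecret.enabled=true`; because the Secret is owned by the mounting pod, it disappears when that pod is deleted, so check that the controller pod still mounts the volume if the Ingress suddenly falls back to the default certificate.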