SparebankenVest / azure-key-vault-to-kubernetes

Azure Key Vault to Kubernetes (akv2k8s for short) makes it simple and secure to use Azure Key Vault secrets, keys and certificates in Kubernetes.
https://akv2k8s.io
Apache License 2.0

[FEATURE] Optionally existing key vault objects #550

Open keriksson-rosenqvist opened 1 year ago

keriksson-rosenqvist commented 1 year ago

I would like to be able to define a kubernetes resource that allows me to optionally fetch an akv object if it exists but does not cause the deployment to fail if the object is not there. If I output the akv object as a k8s secret then that can be optionally referenced in the deployment environment variable list, but that means the secret value is readable in k8s which I want to avoid.

TLDR: Implement optional support for directly ingested akv objects, e.g.

```yaml
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: akv-test
spec:
  vault:
    name: akv2k8s-test # name of key vault
    object:
      name: my-secret # name of the akv object
      type: secret # akv object type
      optional: true # <= marking the existence of the key vault object as optional
      default: ""    # <= defining a default value to use if the key vault secret does not exist
---
..... # In the deployment.yaml
        - name: Env_Var
          value: secret-sync@azurekeyvault
```

Which provides parity with

```yaml
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: akv-test
spec:
  vault:
    name: akv2k8s-test # name of key vault
    object:
      name: my-secret # name of the akv object
      type: secret # akv object type
      optional: true # <= marking the existence of the key vault object as optional
      default: ""    # <= defining a default value to use if the key vault secret does not exist
  output:
    secret:
      name: my-secret-from-akv # kubernetes secret name
      dataKey: secret-value # key to store object value in kubernetes secret
---
..... # In the deployment.yaml
        - name: Env_Var
          valueFrom:
            secretKeyRef:
              name: my-secret-from-akv
              key: secret-value
              optional: true
```

N.B. The default field is not needed but would be a nice option for assigning a default value if the akv record isn't found.

tspearconquest commented 1 year ago

I'm not sure if this would meet your goal since the secret would still need to be present in Keyvault, but it is possible to create an empty secret in Keyvault which can be pulled in by AKV2K8S and would just simply make the resulting environment variable empty.

keriksson-rosenqvist commented 1 year ago

> I'm not sure if this would meet your goal since the secret would still need to be present in Keyvault, but it is possible to create an empty secret in Keyvault which can be pulled in by AKV2K8S and would just simply make the resulting environment variable empty.

In short, no. As we discussed in the Slack thread:

The problem I'm trying to solve is having to rely on the secret existing at all. E.g. if we push an update before the DevOps people have updated the secrets or if for some reason a new resource group is created for which the secret is not applicable. Short term I will likely use some helm field and if statement to define if we require that record to exist or not. :thinking:
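
The following is an added illustration of the `optional` / `default` semantics proposed in the opening post, written for this thread and not code from akv2k8s or from either commenter. The `VaultClient` interface, `FakeVault`, `FailingVault` and `ErrNotFound` are assumptions made for the example; the real project does not expose them. The point it makes beyond the YAML above: only a definite "object does not exist" answer from Key Vault should fall back to the default, while an authorization or transport failure must still fail the lookup, otherwise a vault outage or a missing access-policy entry would silently inject the default in place of the real secret.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectSpec mirrors spec.vault.object from the proposal in the opening post.
// Optional and Default are the fields the issue asks for; they do not exist in
// akv2k8s today, so this models the requested behaviour, not current code.
type ObjectSpec struct {
	Name     string // name of the Key Vault object
	Type     string // akv object type, e.g. "secret"
	Optional bool   // true: a missing object is not an error
	Default  string // value used when Optional is true and the object is missing
}

// ErrNotFound is what a VaultClient returns when the object does not exist.
// It is deliberately distinct from authorization or transport failures.
var ErrNotFound = errors.New("key vault object not found")

// VaultClient is an assumed lookup interface, not the project's real client.
type VaultClient interface {
	GetObject(vault, name, objType string) (string, error)
}

// FakeVault is a constructed in-memory vault keyed by "vault/type/name".
type FakeVault map[string]string

func (f FakeVault) GetObject(vault, name, objType string) (string, error) {
	v, ok := f[vault+"/"+objType+"/"+name]
	if !ok {
		return "", ErrNotFound
	}
	return v, nil
}

// FailingVault simulates a vault that cannot be reached or that denies access.
type FailingVault struct{ Err error }

func (f FailingVault) GetObject(vault, name, objType string) (string, error) {
	return "", f.Err
}

// Resolve returns the value to inject for one AzureKeyVaultSecret object.
// Only a definite "not found" may fall back to Default; any other failure
// (403 from Key Vault, network error, throttling) still fails the lookup so a
// transient outage cannot swap a real secret for the default unnoticed.
func Resolve(c VaultClient, vault string, obj ObjectSpec) (string, error) {
	if obj.Default != "" && !obj.Optional {
		return "", fmt.Errorf("object %q: default is set but optional is false", obj.Name)
	}
	val, err := c.GetObject(vault, obj.Name, obj.Type)
	if err == nil {
		return val, nil
	}
	if errors.Is(err, ErrNotFound) && obj.Optional {
		return obj.Default, nil
	}
	return "", fmt.Errorf("object %q in vault %q: %w", obj.Name, vault, err)
}

func main() {
	// Constructed sample vault: only my-secret exists.
	vault := FakeVault{"akv2k8s-test/secret/my-secret": "s3cr3t"}
	specs := []ObjectSpec{
		{Name: "my-secret", Type: "secret"},
		{Name: "not-yet-created", Type: "secret", Optional: true, Default: ""},
		{Name: "not-yet-created", Type: "secret"},
	}
	for _, s := range specs {
		v, err := Resolve(vault, "akv2k8s-test", s)
		if err != nil {
			fmt.Printf("%-16s -> error: %v\n", s.Name, err)
			continue
		}
		// Report that a value was resolved without echoing the secret itself.
		fmt.Printf("%-16s -> resolved, %d bytes\n", s.Name, len(v))
	}
}
```

Running `main` shows the three outcomes side by side: the existing object resolves, the optional missing object resolves to its (empty) default, and the required missing object is an error that would fail the deployment, which is the distinction the feature request is after.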