bank-vaults / vault-operator

Kubernetes operator for Hashicorp Vault
https://bank-vaults.dev/docs/operator/
Apache License 2.0

Vault Config should be configurable via kubernetes secrets #398

Closed maaft closed 3 months ago

maaft commented 6 months ago

Problem Description

Currently, backend secrets have to be directly inserted into the Vault CRD. Example:

config:
  storage:
    azure:
      accountName: "my-storage-account"
      accountKey: "abcd1234"
      container: "container-efgh5678"
      environment: "AzurePublicCloud"

This makes it impossible to push these CRDs to git.

Proposed Solution

There should be an option to specify the config from a k8s secret, like this:

config:
  fromSecret:
    name: config-secret

Alternatives Considered

No response

Additional Information

No response

maaft commented 6 months ago

It seems to be configurable by creating a secret like this:

https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/vault-config-from-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: config-from-secret
  labels:
    app.kubernetes.io/name: vault-configurator
    vault_cr: vault
data:
  vault-config.yml: cG9saWNpZXM6CiAgLSBuYW1lOiBhbGxvd19hY2Nlc3NfdG9fc2VjcmV0c19mcm9tX3NlY3JldAogICAgcnVsZXM6IHBhdGggInNlY3JldC8qIiB7CiAgICAgIGNhcGFiaWxpdGllcyA9IFsiY3JlYXRlIiwgInJlYWQiLCAidXBkYXRlIiwgImRlbGV0ZSIsICJsaXN0Il0KICAgICAgfQoK

Can this please be documented? It's a very obscure process and super hard to find.
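
An added example (not part of the issue or the operator's own code) that decodes the `vault-config.yml` value quoted in the comment above and rebuilds the same Secret from plaintext configuration. The function names are illustrative, and the `vault_cr` label value is assumed to be the name of the Vault custom resource. The `data` value is base64 encoding, not encryption, so the decoded text is readable by anyone who holds the manifest.

```python
import base64
import binascii
import json

# data["vault-config.yml"] exactly as quoted in the Secret above.
PAGE_VALUE = (
    "cG9saWNpZXM6CiAgLSBuYW1lOiBhbGxvd19hY2Nlc3NfdG9fc2VjcmV0c19mcm9tX3NlY3JldAog"
    "ICAgcnVsZXM6IHBhdGggInNlY3JldC8qIiB7CiAgICAgIGNhcGFiaWxpdGllcyA9IFsiY3JlYXRl"
    "IiwgInJlYWQiLCAidXBkYXRlIiwgImRlbGV0ZSIsICJsaXN0Il0KICAgICAgfQoK"
)
# Label keys carried by the quoted example Secret.
LABEL_KEYS = ("app.kubernetes.io/name", "vault_cr")

def decode_secret_data(data):
    """Decode a Secret's `data` map to text; ValueError if a value is not base64 UTF-8."""
    out = {}
    for key, value in data.items():
        try:
            out[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"data[{key!r}] is not base64-encoded UTF-8") from exc
    return out

def build_config_secret(name, vault_cr, config_text):
    """Build a Secret in the shape quoted above, as a dict that serialises to JSON."""
    labels = {
        "app.kubernetes.io/name": "vault-configurator",
        "vault_cr": vault_cr,  # assumption: name of the Vault custom resource
    }
    encoded = base64.b64encode(config_text.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "labels": labels},
        "data": {"vault-config.yml": encoded},
    }

def missing_labels(manifest):
    """Return the label keys from the quoted example that a manifest lacks."""
    labels = manifest.get("metadata", {}).get("labels", {})
    return [key for key in LABEL_KEYS if key not in labels]

if __name__ == "__main__":
    text = decode_secret_data({"vault-config.yml": PAGE_VALUE})["vault-config.yml"]
    print(text)  # the plaintext configuration carried by the Secret
    secret = build_config_secret("config-from-secret", "vault", text)
    print(json.dumps(secret, indent=2))
```

The printed JSON is a manifest equivalent to the YAML in the comment; because it decodes trivially, treat it like any other credential-bearing file when deciding what goes into git.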

akijakya commented 5 months ago

Hi @maaft, good to hear you found the solution! Could you please share the steps you took, or open a pull request with them directly in our docs repo? It would be much appreciated!