datawire / ambassador-chart

Helm Chart for Installing Ambassador

Feature-Request to improve security: allow annotations: on the license-key Secret #106

Closed weitzjdevk closed 4 years ago

weitzjdevk commented 4 years ago

Feature Request:

Allow annotations: on the Secret for the license-key.

Allow setting annotations on the Kubernetes Secret, which is holding the license-key for Ambassador. This allows third-party tooling to fetch the actual secret data from a safe location (like HashiCorp Vault) when the value is needed, as Kubernetes Secrets are not safe.

Background:

As of right now, one has to hard-code the license-key in the values.yaml in order to automatically bootstrap a fresh Ambassador installation. This works, but if one follows the GitOps pattern, it might be better to not hard-code secrets in Git.

Therefore it would be good to only save a reference to the actual value in the secret (or use env-vars). One nice tool, which lets you do this with Kubernetes and HashiCorp Vault, is BanzaiCloud Vault-Webhook (https://banzaicloud.com/docs/bank-vaults/mutating-webhook/).

To use this feature, one has to be able to add annotations: to a secret.
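A sketch of what the request amounts to, added here as an illustration and not taken from the issue or from the chart: the values keys (`licenseKey.value`, `licenseKey.annotations`), the template file name, the Secret name, the Vault address, role and path are all assumptions. The `vault.security.banzaicloud.io/*` annotations and the `vault:` reference prefix are the ones the bank-vaults mutating webhook reads.

```yaml
# values.yaml (hypothetical keys; the chart's real key names are not shown in this issue)
licenseKey:
  # A reference the webhook resolves at admission time, not the license key itself.
  # Constructed KV v2 path and field name.
  value: "vault:secret/data/ambassador#license-key"
  annotations:
    # Constructed Vault address, role and auth mount path.
    vault.security.banzaicloud.io/vault-addr: "https://vault.example.internal:8200"
    vault.security.banzaicloud.io/vault-role: "ambassador"
    vault.security.banzaicloud.io/vault-path: "kubernetes"
---
# templates/license-secret.yaml (hypothetical template, not the chart's own)
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-license
  # Render the annotations block only when the user supplied some,
  # so existing installs produce the same manifest as before.
  {{- with .Values.licenseKey.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: Opaque
data:
  # Only the base64-encoded "vault:..." reference is committed to Git.
  license-key: {{ .Values.licenseKey.value | b64enc | quote }}
```

This keeps the plaintext key out of Git and out of values.yaml. The webhook writes the resolved value into the Secret object when it is admitted, so RBAC on Secrets and encryption at rest for etcd still apply to the cluster copy.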

weitzjdevk commented 4 years ago

Please review the pull request :heart: