hashicorp / hcp-terraform-operator

Kubernetes Operator allows managing HCP Terraform resources via Kubernetes Custom Resources.
https://developer.hashicorp.com/terraform/cloud-docs
Mozilla Public License 2.0

🚀 annotations in the operator configuration to pull auth tokens from Vault via `Vault injector` #280

Open sharccc opened 12 months ago

sharccc commented 12 months ago

Description

Feature request: requesting the option to configure the operator to pull auth tokens from Vault using an available integration, Vault injector. It would be nice to have the integration with Vault injector out of the box; currently the AgentPool requires the API token to be stored as a Secret, so it's not currently possible to use Vault injector to pull it from Vault. This can be achieved by allowing annotations in the Helm chart (using native support, the workload in Kubernetes would then):

Potential YAML Configuration

annotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-inject-secret-operator-token: 'tfe/operator/token'
  ...

References

Example (in this case database/creds/db-app): https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#deployments-statefulsets-etc

razorsk8jz commented 9 months ago

We were able to do something similar: we are using Vault to store our token and using vault-secrets-operator to create the secret based on a vault-static-secret. Hopefully this helps: https://github.com/hashicorp/vault-secrets-operator

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: tfc-agent-static-secret
spec:
  type: kv-v2

  # KV v2 secrets engine mount path
  mount: kv

  # path of the secret under that mount
  path: my/path

  # destination Kubernetes Secret; its data keys mirror the KV data keys,
  # so the token must be stored under the key the AgentPool's secretKeyRef names
  destination:
    name: my-secret-name
    create: true

  # static secret refresh interval (how often VSO re-reads Vault and syncs the Secret)
  refreshAfter: 30s
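To close the loop from the VaultStaticSecret above to the operator, here is an added example (not code from the thread, and not from the hcp-terraform-operator or Vault Secrets Operator docs) that wires the VSO-created Secret into an AgentPool's `token.secretKeyRef`. The namespace, Secret name, KV mount and path, the KV data key `token`, the organization and the pool name are all assumptions; it also assumes VSO can authenticate to Vault (a `VaultAuth` named `default` in the namespace, or `spec.vaultAuthRef` set explicitly).

```yaml
# Added example (not from the thread or the project docs). Assumes:
#   - Vault Secrets Operator is installed and can authenticate to Vault
#     (a VaultAuth named "default" in this namespace, or set spec.vaultAuthRef)
#   - the KV v2 secret at kv/tfe/operator holds the HCP Terraform API token
#     under the data key "token" (assumed mount, path and key)
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: tfc-operator-token        # assumed name
  namespace: tfc-operator-system  # assumed namespace, shared with the AgentPool
spec:
  type: kv-v2
  mount: kv                       # assumed KV v2 mount
  path: tfe/operator              # assumed path; data key "token" holds the API token
  destination:
    name: tfc-operator            # Secret the AgentPool below references
    create: true
  refreshAfter: 1h                # re-sync so a token rotated in Vault reaches the Secret
---
apiVersion: app.terraform.io/v1alpha2
kind: AgentPool
metadata:
  name: demo-pool
  namespace: tfc-operator-system
spec:
  name: demo-pool                 # assumed agent pool name in HCP Terraform
  organization: my-org            # assumed organization
  token:
    secretKeyRef:
      name: tfc-operator          # Secret created by the VaultStaticSecret above
      key: token                  # must equal the KV data key stored in Vault
  agentTokens:
    - name: agent-1
  agentDeployment:
    replicas: 1
```

Apply the VaultStaticSecret first and confirm the Secret exists with the expected key before creating the AgentPool, without printing the token itself: `kubectl -n tfc-operator-system get secret tfc-operator -o jsonpath='{.data.token}' | base64 -d | wc -c` should report a non-zero length. The API token never lands in a Helm values file or a manually created Secret; only the path to it in Vault is committed.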

sharccc commented 6 months ago

internal reference 124942 (terraform support)