kedacore / keda

KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
https://keda.sh
Apache License 2.0

Add support for Hashicorp Vault Transit #3128

Open Axory opened 2 years ago

Axory commented 2 years ago

Proposal

KEDA Auth supports Hashicorp Vault as a secret backend, but only stores plaintext passwords in KV v2.

Suggestion: add one more parameter to allow the credentials to be encrypted.

hashiCorpVault:                                      # Optional.
  address: {hashicorp-vault-address}                 # Required.
  namespace: {hashicorp-vault-namespace}             # Optional. Default is root namespace. Useful for Vault Enterprise
  authentication: token | kubernetes                 # Required.
  role: {hashicorp-vault-role}                       # Optional.
  mount: {hashicorp-vault-mount}                     # Optional.
+  transitKey: {hashicorp-vault-transit-key-name}    # If null, skip decryption.
  credential:                                        # Optional.
    token: {hashicorp-vault-token}                   # Optional.
    serviceAccount: {path-to-service-account-file}   # Optional.
  secrets:                                           # Required.
  - parameter: {scaledObject-parameter-name}         # Required.
    key: {hashicorp-vault-secret-key-name}           # Required.
    path: {hashicorp-vault-secret-path}              # Required.

Use-Case

Our security team has a policy that we're not allowed to store plaintext passwords in Hashicorp Vault. They have to be stored as encrypted values.

Anything else?

No response

JorTurFer commented 2 years ago

Hey @Axory, I'm checking Hashicorp Vault Transit and it seems more like encryption as a service than storing values encrypted. If I'm not wrong, the flow in the case of encrypted secrets will be:

  1. Request the value (like right now)
  2. Do an extra request to the Vault Transit service passing the value from step 1 and the key
  3. Use the return from Transit service

Right? It's an interesting service :) Are you willing to contribute this?

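The three-step flow sketched above (read the KV v2 value, send it to Transit for decryption, use the result), written out as an added illustration that is not KEDA's code and not from anyone in this thread. It assumes Vault's KV v2 and Transit HTTP endpoints with a token-authenticated client; the `vaultClient` type, the `ResolveSecret` helper and the mount and path names are my own placeholders.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

type vaultClient struct{ addr, token string } // hypothetical minimal client, not KEDA's own code

// do sends one token-authenticated call to Vault's v1 HTTP API and decodes the JSON reply into out.
func (c *vaultClient) do(method, path string, body, out any) error {
	var buf bytes.Buffer
	if body != nil { json.NewEncoder(&buf).Encode(body) } // a map[string]string cannot fail to encode
	req, err := http.NewRequest(method, c.addr+"/v1/"+path, &buf)
	if err != nil { return err }
	req.Header.Set("X-Vault-Token", c.token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return fmt.Errorf("vault %s %s: HTTP %d", method, path, resp.StatusCode) }
	return json.NewDecoder(resp.Body).Decode(out)
}

// readKVv2 is step 1: fetch one key of a KV v2 secret (GET <mount>/data/<path>), as KEDA does today.
func (c *vaultClient) readKVv2(mount, path, key string) (string, error) {
	var out struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` }
	if err := c.do(http.MethodGet, mount+"/data/"+path, nil, &out); err != nil { return "", err }
	if v, ok := out.Data.Data[key]; ok { return v, nil }
	return "", fmt.Errorf("key %q not found in secret %s/%s", key, mount, path)
}

// transitDecrypt is step 2: POST the stored "vault:v1:..." ciphertext to transit/decrypt/<key>; Transit returns the plaintext base64-encoded, so step 3 decodes it before the scaler sees it.
func (c *vaultClient) transitDecrypt(transitKey, ciphertext string) (string, error) {
	var out struct{ Data struct{ Plaintext string `json:"plaintext"` } `json:"data"` }
	if err := c.do(http.MethodPost, "transit/decrypt/"+transitKey, map[string]string{"ciphertext": ciphertext}, &out); err != nil { return "", err }
	pt, err := base64.StdEncoding.DecodeString(out.Data.Plaintext)
	if err != nil { return "", fmt.Errorf("transit plaintext is not base64: %w", err) }
	return string(pt), nil
}

// ResolveSecret wires in the proposed transitKey option: empty means use the KV value as-is, otherwise the stored value is treated as Transit ciphertext and decrypted before use.
func (c *vaultClient) ResolveSecret(mount, path, key, transitKey string) (string, error) {
	value, err := c.readKVv2(mount, path, key)
	if err != nil || transitKey == "" { return value, err }
	return c.transitDecrypt(transitKey, value)
}
```

An empty transitKey keeps today's behaviour, matching the proposal's "If null, skip decryption"; a non-2xx answer from either endpoint surfaces as an error rather than an empty credential.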
stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.