Open ewoutp opened 7 years ago
Could an entry point for each container in the pod know to look for secrets in a well-known place? I did this in the past and it seemed to work okay, but you had to manage an entrypoint for each of your containers, but we included that in our base image.
Would it be possible to use/extend this controller to support the following usecase?
I want to use secrets from Vault as environment variables of my containers. My idea was to use an init-container that extracts secrets from Vault and somehow pass those secrets as environment variables to the "normal" containers of the pod.
I've implemented this in Vault-monkey (the tool I already use for extracting Vault secrets, see https://github.com/pulcy/vault-monkey/pull/4). It can extract secrets to a file (which is no problem with a memory-backed `emptyDir` volume), but extracting them to environment variables is an issue because I cannot find something similar to docker's `--env-file` option. So as a temporary solution I ended up extracting secrets from Vault, storing them in a K8S secret which is then mapped into the container as environment variables. Of course that exposes secrets in the K8S API server, which I would like to avoid.

Would this controller have a way to solve this use case?
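The entrypoint approach mentioned in the thread, as an added example that is not code from vault-monkey or the controller: a POSIX sh entrypoint that stands in for docker's `--env-file`, reading the `KEY=VALUE` file an init container has written into a memory-backed `emptyDir` and exporting it before exec'ing the real process, so the secrets never touch the Kubernetes API. The file path `/secrets/env` and the `SECRETS_ENV_FILE` override are assumptions.

```shell
#!/bin/sh
# Added example: a container entrypoint that plays the role of docker's
# --env-file. An init container (e.g. vault-monkey) writes KEY=VALUE lines to a
# memory-backed emptyDir; this script exports them and execs the real command,
# so the secrets never pass through the Kubernetes API or the pod spec.
# Assumption: the file lives at /secrets/env (override with SECRETS_ENV_FILE).

# Check that every non-comment line of "$1" is KEY=VALUE with a POSIX-identifier
# key. Done before exporting anything, so a truncated or tampered file never
# half-loads the environment.
validate_env_file() {
    [ -f "$1" ] || { echo "secrets file '$1' missing" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        case "$key" in
            "$line"|''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "malformed line in '$1': $line" >&2; return 1 ;;
        esac
    done < "$1"
}

# Export each KEY=VALUE pair. The value is taken verbatim after the first '=',
# so values containing '=' survive; the file is never sourced, so a value can
# never run as shell code.
load_env_file() {
    validate_env_file "$1" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        export "${line%%=*}=${line#*=}"
    done < "$1"
}

# Constructed sample of what the init container would write (not real secrets).
write_sample_secrets() {
    printf '# written by the vault init container\n' > "$1"
    printf 'DB_PASSWORD=example-pass\nAPI_TOKEN=tok=with=equals\n' >> "$1"
    chmod 0400 "$1"
}

# Container usage: ENTRYPOINT ["/entrypoint.sh"], CMD ["/usr/bin/myapp", ...].
if [ $# -gt 0 ]; then
    load_env_file "${SECRETS_ENV_FILE:-/secrets/env}" || exit 1
    exec "$@"
fi
```

Because the file is exported rather than sourced, a value like `$(rm -rf /)` stays a literal string; the `emptyDir` should still be `medium: Memory` so the secrets never reach node disk.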