redhat-cop / vault-config-operator

An operator to support HashiCorp Vault configuration workflows from within Kubernetes
Apache License 2.0

GitOps-fy VCO SecretEngineMount CRs #231

Closed erlisb closed 8 months ago

erlisb commented 8 months ago

In our setup, we are aiming to manage every HashiCorp Vault aspect via ArgoCD-VCO (excluding here imperative endpoints). I was wondering if we could do the same even with SecretEngineMount CR, for secrets type kv 1/2.

UseCase: Customer requests a new vault workspace (a kv secret path where he can store his secrets). Workspace is created via ArgoCD using the SecretEngineMount CR. Customer stores his secrets in the provided workspace. ArgoCD keeps reconciling the SecretEngineMount CR for any changes.

My question here is: Is this approach a bit dangerous, to manage SecretEngineMount CR with ArgoCD? I mean, the customer will store its key-value secrets in the provided workspace, but if something happens and ArgoCD reconciles the CR object, the workspace will be re-created empty.

@raffaelespazzoli what would you suggest in such a case?

Thanks a lot.

raffaelespazzoli commented 8 months ago

You can tag ArgoCD-managed resources such that ArgoCD does not ever delete them [1], if that is your concern. I describe the use case you propose in this article: https://www.redhat.com/en/blog/environment-as-a-service-part-2

[1]: https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#no-prune-resources


-- ciao/bye Raffaele
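As an added example (not from this thread, and not the operator's own sample manifest): a SecretEngineMount CR for a kv-v2 workspace carrying the ArgoCD no-prune sync option from [1], so that a sync which no longer tracks the CR will not delete it, and with it the mount and the secrets stored under it. The field names follow the VCO SecretEngineMount schema as I understand it; the path, role and annotation values are placeholders chosen for illustration.

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: SecretEngineMount
metadata:
  name: customer-a-workspace
  namespace: vault-admin
  annotations:
    # Prune=false: ArgoCD keeps the CR (and so the mount) even when it
    # disappears from the Git source or the Application is re-synced.
    # Delete=false: the CR also survives deletion of the Application itself.
    argocd.argoproj.io/sync-options: Prune=false,Delete=false
spec:
  # How the operator authenticates to Vault (assumed Kubernetes auth path/role)
  authentication:
    path: kubernetes
    role: policy-admin
  # kv engine mounted at secret/customer-a, version 2 so values are versioned
  type: kv
  path: secret
  config:
    options:
      version: "2"
```

The annotation protects the mount only against ArgoCD deleting the CR; it does not stop the operator from acting on spec changes you commit deliberately, so treat spec.path and spec.type as immutable once customers have written data.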