Closed: markAcomm closed this issue 3 years ago

It would be great if you could add support for the kubernetes.io/dockerconfigjson secret type.
+1 for me :) It would be great. We sometimes have to rotate robot account secrets, and it would be great to just replace them in Vault.
Now I found that the kubernetes.io/dockerconfigjson secret type is already supported. I had used the wrong value format in Vault before (base64, as in a Kubernetes Secret manifest).

This is working for me:
```yaml
apiVersion: secrets-manager.tuenti.io/v1alpha1
kind: SecretDefinition
metadata:
  name: pull-secret
  namespace: test
spec:
  name: pull-secret
  type: kubernetes.io/dockerconfigjson
  keysMap:
    .dockerconfigjson:
      key: .dockerconfigjson
      path: secrets/pull-secret
```
And the value of the key .dockerconfigjson in the pull-secret secret in Vault is in this form:
```json
{
  "auths": {
    "registry.tld": {
      "auth": "aGVsbG9fbXlfZnJpZW5kczoxMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtCg==",
      "email": ""
    }
  }
}
```
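The setup above, as an added example (not code from this thread or from secrets-manager): it builds the plain-JSON value to store under the Vault key .dockerconfigjson and flags the mistake described in the comment, a value that was base64-encoded the way a Kubernetes Secret manifest encodes it. The registry name and credentials are constructed placeholders.

```python
"""Build and sanity-check the Vault value behind a kubernetes.io/dockerconfigjson
SecretDefinition. Added example, not code from the thread or from secrets-manager.
Assumes the Vault key holds the plain JSON document shown in the thread, not the
base64 form a Kubernetes Secret manifest uses. Credentials are constructed."""
import base64
import binascii
import json


def build_dockerconfigjson(registry, user, password, email=""):
    """Plain JSON document to store under the Vault key .dockerconfigjson."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"auth": auth, "email": email}}}, indent=2)


def manifest_form(document):
    """The base64 form a Secret manifest's data field carries. Putting this in
    Vault is the mistake described in the thread."""
    return base64.b64encode(document.encode()).decode()


def check_vault_value(value):
    """Classify a candidate Vault value: 'ok', 'base64' (the whole document was
    base64-encoded, i.e. the manifest form) or 'invalid'."""
    try:
        doc = json.loads(value)
    except ValueError:
        try:
            json.loads(base64.b64decode(value, validate=True))
            return "base64"
        except (binascii.Error, ValueError):
            return "invalid"
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return "invalid"
    for entry in auths.values():  # every auth must decode to user:password
        try:
            creds = base64.b64decode(entry["auth"], validate=True).decode()
        except (KeyError, TypeError, binascii.Error, ValueError):
            return "invalid"
        if ":" not in creds:
            return "invalid"
    return "ok"


if __name__ == "__main__":
    good = build_dockerconfigjson("registry.tld", "robot", "s3cret")
    print(check_vault_value(good), check_vault_value(manifest_form(good)))
```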
Indeed it's supported. secrets-manager does not make any enforcement on the secret type. @eduardogr we should close this issue.
Indeed, any supported type can be used. The README should be updated though; it does seem to suggest that only Opaque and TLS are supported.
I'll update the README with that information. Thanks @fcgravalos @dkulchinsky
Thank you for making this tool... it has been an incredibly helpful piece of the puzzle in keeping secrets out of our git repositories. While it is used heavily by our application developers, our DevOps engineers could use a little love on the k8s setup and management.

Specifically, we will register the credentials of a private registry in all new app namespaces created so that engineers can deploy images from a private registry. It would be helpful if this daemon would support the Secret type of docker-registry along with the mechanics for registering private registry credentials sourced from Vault. It looks like your CRD has already exposed the Secrets type, but your documentation suggests you only support kubernetes.io/tls and Opaque.