tuenti / secrets-manager

A daemon to sync Vault secrets to Kubernetes secrets
Apache License 2.0

Add support for secret type of docker-registry #68

Closed markAcomm closed 3 years ago

markAcomm commented 4 years ago

Thank you for making this tool... it has been an incredibly helpful piece of the puzzle in keeping secrets out of our git repositories. While it is used heavily by our application developers, our DevOps engineers could use a little love on the k8s setup and management.

Specifically, we will register the credentials of a private registry in all new app namespaces created so that engineers can deploy images from a private registry. It would be helpful if this daemon would support the Secret type of docker-registry along with the mechanics for registering private registry credentials sourced from Vault. It looks like your CRD has already exposed the Secrets type, but your documentation suggests you only support kubernetes.io/tls and Opaque.

phidlipus commented 3 years ago

It would be great if you could add support for the kubernetes.io/dockerconfigjson secret type.

rvojcik commented 3 years ago

+1 for me :) it would be great. We sometimes have to rotate robot account secrets; it would be great to just replace them in Vault.

phidlipus commented 3 years ago

Now I found that the kubernetes.io/dockerconfigjson secret type is already supported. I used the wrong value format (base64, as in a Kubernetes secret) in Vault before. This is working for me:

```yaml
apiVersion: secrets-manager.tuenti.io/v1alpha1
kind: SecretDefinition
metadata:
  name: pull-secret
  namespace: test
spec:
  name: pull-secret
  type: kubernetes.io/dockerconfigjson
  keysMap:
    .dockerconfigjson:
      key: .dockerconfigjson
      path: secrets/pull-secret
```

And the value of the key .dockerconfigjson in the pull-secret secret in Vault is in this form:

```json
{
  "auths": {
    "registry.tld": {
      "auth": "aGVsbG9fbXlfZnJpZW5kczoxMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtCg==",
      "email": ""
    }
  }
}
```

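The comment above pins down the two encoding layers that are easy to mix up: the `auth` field inside the document is base64 of `username:password`, while the document itself is stored in Vault as plain JSON, not base64-encoded the way `kubectl get secret` shows it. The following Python, an added example that is not part of this thread or of the secrets-manager project, builds such a value from a constructed registry name and robot credentials, and classifies a candidate Vault value so the double-encoding mistake described in the comment can be caught before the SecretDefinition is applied. The registry name and credentials are placeholders, not real ones.

```python
import base64
import json


def build_dockerconfigjson(registry: str, username: str, password: str, email: str = "") -> str:
    """Return the plain-JSON .dockerconfigjson document to store in Vault.

    Only the `auth` field is base64-encoded (base64("username:password"),
    which is what the kubelet reads). The document itself is left as plain
    JSON: secrets-manager copies the Vault value into the Kubernetes Secret
    and the Kubernetes API does its own base64 encoding of Secret data.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"auth": auth, "email": email}}}, indent=2)


def parse_auths(value: str) -> dict:
    """Parse a plain-JSON .dockerconfigjson and return {registry: (user, password)}.

    Raises ValueError (json.JSONDecodeError and binascii.Error are subclasses)
    when the value is not the expected shape.
    """
    doc = json.loads(value)
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError("missing or empty 'auths' object")
    result = {}
    for registry, entry in auths.items():
        if not isinstance(entry, dict):
            raise ValueError(f"entry for {registry} is not an object")
        raw = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        user, sep, password = raw.partition(":")
        if not sep:
            raise ValueError(f"auth for {registry} is not base64(username:password)")
        result[registry] = (user, password)
    return result


def classify_vault_value(value: str) -> str:
    """Classify a candidate Vault value for a kubernetes.io/dockerconfigjson secret.

    'ok'             - plain JSON document, as secrets-manager expects
    'double-encoded' - the whole document was base64-encoded (the mistake
                       described in the thread; Kubernetes would encode it again)
    'invalid'        - neither
    """
    try:
        parse_auths(value)
        return "ok"
    except ValueError:
        pass
    try:
        parse_auths(base64.b64decode(value, validate=True).decode())
        return "double-encoded"
    except ValueError:
        return "invalid"


# Constructed sample values (placeholder registry and credentials).
SAMPLE_OK = build_dockerconfigjson("registry.example.test", "robot", "s3cret")
SAMPLE_DOUBLE_ENCODED = base64.b64encode(SAMPLE_OK.encode()).decode()


if __name__ == "__main__":
    print(SAMPLE_OK)
    print("plain JSON      ->", classify_vault_value(SAMPLE_OK))
    print("base64-wrapped  ->", classify_vault_value(SAMPLE_DOUBLE_ENCODED))
```

`parse_auths` is also a convenient check to run against the value read back from Vault after a robot-account rotation, since it confirms the new `auth` field decodes to the intended `username:password` pair before the change reaches every namespace.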
fcrespofastly commented 3 years ago

Indeed it's supported. secrets-manager does not make any enforcement on the secret type.

fcrespofastly commented 3 years ago

@eduardogr we should close this issue.

dkulchinsky commented 3 years ago

Indeed, any supported type can be used; the README should be updated though, it does seem to suggest that only Opaque and TLS are supported.

eduardogr commented 3 years ago

I'll update the README with that information. Thanks @fcgravalos @dkulchinsky