Closed fcrespofastly closed 3 years ago
Merging #72 (f2940e1) into master (065580f) will decrease coverage by 3.16%. The diff coverage is 60.00%.
@@ Coverage Diff @@
## master #72 +/- ##
==========================================
- Coverage 85.25% 82.08% -3.17%
==========================================
Files 8 8
Lines 434 402 -32
==========================================
- Hits 370 330 -40
- Misses 47 54 +7
- Partials 17 18 +1
| Impacted Files | Coverage Δ | |
|---|---|---|
| backend/backend.go | 100.00% <ø> (ø) | |
| backend/vault.go | 73.71% <60.00%> (-3.75%) | :arrow_down: |
| backend/vault_engine.go | 84.61% <0.00%> (-2.89%) | :arrow_down: |
| controllers/secretdefinition_controller.go | 76.03% <0.00%> (-1.91%) | :arrow_down: |
| errors/errors.go | 100.00% <0.00%> (ø) | |
| backend/decoder.go | 100.00% <0.00%> (ø) | |
| controllers/metrics.go | 100.00% <0.00%> (ø) | |
| backend/vault_metrics.go | 100.00% <0.00%> (ø) | |
Legend: `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
Powered by Codecov. Last update 065580f...f2940e1.
Hey folks!!
It's been a while! I hope it's all good there!
We heavily use Vault at Fastly internally and we have some use cases where `secrets-manager` fits. We rely on Vault kubernetes authentication for anything running on kubernetes, so this PR will enable `secrets-manager` to use its own `serviceAccount` token instead of `appRole`.
I think this is a good use case as other similar tools like `vault-secrets-webhook` or `vault-k8s` use it as well and one of the advantages is that you don't need an extra secret to place the `roleID` and the `secretID` for `secrets-manager`.
Let me know what you think :)
cc @eduardogr
LGTM,
Thanks a lot @fcgravalos. It's nice to see you again around here :)
same here dude!
Status
READY
Migrations
NO
Description
Enables Vault Kubernetes Authentication. This is a fairly common scenario for other similar tools like `vault-secrets-webhook` or `vault-k8s`. It's the method we enable for pods to talk to Vault.
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
vaultKubernetesLogin
You can also reproduce it by enabling k8s auth and creating a role, bound to the `secrets-manager` vault policy, service account and namespace.
Checklist: