fix: add Hashicorp Vault external secret manager #7658
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
…/jans into docs-jans-network
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
mo-auto
added
area-documentation
iromli
requested changes
Feb 11, 2024
| {{ if eq .Values.global.configSecretAdapter "vault" }} | ||
| CN_SECRET_VAULT_SCHEME: {{ .Values.configmap.cnSecretVaultScheme }} | ||
| CN_SECRET_VAULT_HOST: {{ .Values.configmap.cnSecretVaultHost }} | ||
| CN_SECRET_VAULT_PORT: {{ .Values.configmap.cnSecretVaultPort }} |
There was a problem hiding this comment.
These env vars should be quoted to avoid mismatched type.
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
iromli
reviewed
Feb 21, 2024
charts/janssen/values.yaml
Outdated
| @@ -258,6 +258,30 @@ config: | |||
| cnAwsSecretsReplicaRegions: [] | |||
| # [aws_secret_manager_envs] END | |||
| # [aws_envs] END | |||
| # [vault_envs] Envs related to Hashicorp vault | |||
| # base URL of Vault (default to `http://localhost:8200`). | |||
| cnSecretVaultAddr: http://localhost:8200 | |||
There was a problem hiding this comment.
@misba7 as this is part of config.configmap, the cnSecretVault* keys need to be defined in sub-chart config as well.
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
iromli
requested changes
Feb 22, 2024
| configSecretAdapter: vault | ||
| config: | ||
| configmap: | ||
| # base URL of Vault (default to `http://localhost:8200`). |
There was a problem hiding this comment.
@misba7 make a proper comment syntax so helm-docs command can generate/modify README.md automatically.
| @@ -121,6 +122,52 @@ kubectl get configmap -n <namespace> cn -o json | |||
|
|
|||
| From the console, Go to `Secret Manager`> Click on `Create Secret` > Add a `name` > Upload a `json` file or add the json to the `Secret value` field > Create | |||
|
|
|||
| ### Vault | |||
|
|
|||
| You need a secret named `vault` in your namespace storing the `role-id` and `secret-id` so that workloads/services can use it to authenticate to Vault. | |||
There was a problem hiding this comment.
@misba7 Probably better to provide attribute in values.yaml to store role-id and secret-id in a secrets so it will be tied to release name.
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
… into fix-jans-vault
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
iromli
previously approved these changes
Feb 27, 2024
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
iromli
previously approved these changes
Feb 27, 2024
moabu
requested changes
Feb 28, 2024
| @@ -121,6 +122,71 @@ kubectl get configmap -n <namespace> cn -o json | |||
|
|
|||
| From the console, Go to `Secret Manager`> Click on `Create Secret` > Add a `name` > Upload a `json` file or add the json to the `Secret value` field > Create | |||
|
|
|||
| ### Vault | |||
There was a problem hiding this comment.
Indicate the mode used for Vault installation. This is to clearly state what type of Vault installation was used because the cloud is slightly different
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
iromli
requested changes
Feb 28, 2024
| ### Vault | ||
|
|
||
| !!! Note | ||
| The deployment of Vault is hosted on-premises, not within the Vault Cloud service |
There was a problem hiding this comment.
The cloud name should be HashiCorp Cloud Platform.
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
iromli
approved these changes
Feb 28, 2024
moabu
approved these changes
Feb 29, 2024
yuriyz
pushed a commit
that referenced
this pull request
Nov 7, 2024
* docs: add network traffic notes * docs: add network traffic notes Signed-off-by: Amro Misbah <amromisba7@gmail.com> * docs: add external communication Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: add Hashicorp Vault external secret manager Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: add quote to configmap Signed-off-by: Amro Misbah <amromisba7@gmail.com> * chore(docker-jans): update Vault binding in images Signed-off-by: iromli <isman.firmansyah@gmail.com> * fix: update vault envs Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: add new env vault addr Signed-off-by: Amro Misbah <amromisba7@gmail.com> * feat: mount role and secret id files Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: add cnVault variables to config subchart Signed-off-by: Amro Misbah <amromisba7@gmail.com> * docs: add new vars and instruction for required secret Signed-off-by: Amro Misbah <amromisba7@gmail.com> * feat: deploy vault secret automatically Signed-off-by: Amro Misbah <amromisba7@gmail.com> * docs: comprehensive vault deployment instructions Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: change var name and base64 encode in secret Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: jans-aio vault support Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix: vault as an option for secret in jans-aio Signed-off-by: Amro Misbah <amromisba7@gmail.com> * fix(chart): resolve attribute for Vault (global is not exist) Signed-off-by: iromli <isman.firmansyah@gmail.com> * docs(charts): update Vault docs Signed-off-by: iromli <isman.firmansyah@gmail.com> * docs: mention about approle path option Signed-off-by: iromli <isman.firmansyah@gmail.com> * docs: update config subchart with new values.yaml Signed-off-by: Amro Misbah <amromisba7@gmail.com> * docs: update instructions Signed-off-by: Amro Misbah <amromisba7@gmail.com> * chore(charts): remove unused attributes for Vault integration Signed-off-by: iromli <isman.firmansyah@gmail.com> * docs: mention the vault deployment mode Signed-off-by: Amro Misbah <amromisba7@gmail.com> * docs: remove unneeded vault vars Signed-off-by: Amro Misbah <amromisba7@gmail.com> * docs: proper name of HashiCorp cloud service Signed-off-by: iromli <isman.firmansyah@gmail.com> --------- Signed-off-by: Amro Misbah <amromisba7@gmail.com> Signed-off-by: iromli <isman.firmansyah@gmail.com> Co-authored-by: Isman Firmansyah <iromli@users.noreply.github.com> Co-authored-by: iromli <isman.firmansyah@gmail.com> Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> Former-commit-id: 595e705
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #7548