
How to write secrets to HashiCorp Vault or Azure Key Vault from Kubernetes?

I have come across injectors, drivers, et cetera for Kubernetes for most major secret providers, but the common theme with those solutions is that they only sync one way, i.e., only from the vault to the cluster. I want to be able to update the secrets too, from my Kubernetes cluster.

What is the recommended pattern for doing this? (Apart from the obvious solution of writing a custom service that communicates with the vault.)

I'd say that this is an anti-pattern, meaning you shouldn't do that.

If you create your secret in k8s from a file, that would mean you either have it in version control, something you should never do, or you don't have it in version control or create it from a literal, which is good, but then you have neither a change history/log nor real documentation of your secret. I guess that would explain why the major secret providers don't support that.

You should set up the secret using the key vault and apply it to your cluster using Terraform, for example.

Terraform supports both Azure Key Vault secrets (https://www.terraform.io/docs/providers/azurerm/r/key_vault_secret.html) and Kubernetes secrets (https://www.terraform.io/docs/providers/kubernetes/r/secret.html).

You can simply import the key vault secret and use it in the k8s secret. Every time you update the key vault secret, you apply the changes with Terraform.
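As an added illustration of the Terraform approach the answer above describes (this is example configuration written here, not code from the answerer or from the Terraform providers' documentation), the following reads a secret from Azure Key Vault with the `azurerm_key_vault_secret` data source and mirrors it into a Kubernetes Secret with the `kubernetes_secret` resource. The vault name `example-kv`, resource group `example-rg`, secret name `db-password`, namespace `default` and the local kubeconfig path are assumptions for the example.

```hcl
terraform {
  required_providers {
    azurerm    = { source = "hashicorp/azurerm" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

provider "azurerm" {
  features {}
}

provider "kubernetes" {
  # Assumption: the cluster credentials come from a local kubeconfig.
  config_path = "~/.kube/config"
}

# Assumed names: a Key Vault called "example-kv" in resource group "example-rg".
data "azurerm_key_vault" "kv" {
  name                = "example-kv"
  resource_group_name = "example-rg"
}

# Read the current version of the "db-password" secret from Key Vault.
# The `value` attribute is marked sensitive by the provider, so it is
# redacted in plan output, but it is still written to Terraform state.
data "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  key_vault_id = data.azurerm_key_vault.kv.id
}

# Mirror the value into a Kubernetes Secret. The `data` map takes plaintext;
# the Kubernetes provider base64-encodes it for the API server.
resource "kubernetes_secret" "db_password" {
  metadata {
    name      = "db-password"
    namespace = "default"
  }

  data = {
    password = data.azurerm_key_vault_secret.db_password.value
  }

  type = "Opaque"
}
```

Because the data source is refreshed on every `terraform plan`/`terraform apply`, rotating the secret in Key Vault and re-running `terraform apply` updates the Kubernetes Secret in place, and the Key Vault version history doubles as the change log the answer asks for. The caveat to keep in mind is that the plaintext value lands in Terraform state, so the state should live in an encrypted, access-restricted remote backend rather than on a workstation or in version control.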
