Vault Secret Syncer#
Vault Secret Syncer is a Helm chart designed in-house to synchronize secrets from Vault into Kubernetes secrets. While many applications can directly fetch secrets from Vault or use sidecars, there are scenarios requiring secrets to be stored as Kubernetes secrets (e.g., supporting imagePullSecrets). This Helm chart achieves this through a defined Job/CronJob that runs a pod, fetching the secrets and storing them as a Kubernetes secret.
Benefits and Features#
- Streamlines the management of sensitive data in Kubernetes.
- Reduces manual secret management overhead.
- Enhances security by using Vault's secret management capabilities.
- Applications in Kubernetes can securely access credentials, API keys, and other sensitive data without direct Vault interaction.
Pre-requisites#
For fetching secrets from Vault, authentication is essential. This chart uses the Kubernetes auth method for Vault authentication. Therefore, a corresponding Vault role, assumed by the ServiceAccount created by this chart, should be defined.
Configuration#
While the default values.yaml contains numerous defaults, certain specifics need user input. Below are essential configuration parameters. More overrides are present in the values.yaml.
| Parameter | Description | Default |
|---|---|---|
serviceAccount.name |
Name of the service account. | "vault-secret-syncer" |
serviceAccount.create |
Whether to create the service account. If false, it should pre-exist with necessary RBAC. | true |
configMap.name |
"vault-secret-syncer-files" | |
job.image |
"code.vt.edu:5005/it-common-platform/tenant-support/images/aws-kubectl:latest" | |
cronJob.schedule |
How often to refresh the secret from Vault. | "0 3 * * *" |
vault.address |
"https://vault.es.cloud.vt.edu:8200" | |
vault.authPath |
One of platform-prod, platform-pprd, platform-op-prod, platform-op-pprd. | "platform-prod" |
vault.role |
The Vault role the Job should assume/authenticate as. | "pipeline-placeholder-role" |
registry |
To sync registry secrets. | [] |
secrets |
To sync generic secrets. | [] |
Usage Links#
-
Code: https://code.vt.edu/it-common-platform/tenant-support/helm-charts/vault-secret-syncer
-
Implementation for eks-cluster: https://code.vt.edu/it-common-platform/infrastructure/eks-cluster/-/blob/main/cluster-bootstrap/platform-helm-repos.tf
Update Concerns#
Critical Concerns#
- Disruptions to Vault Secret Syncer can cause outdated/inaccessible secrets in Kubernetes, impacting services and apps.
General Concerns#
- Ensure Vault's API compatibility with the deployed Vault Secret Syncer version.
- Regularly verify synchronization accuracy between Vault and Kubernetes.
- Monitor deprecations or breaking changes in Vault Secret Syncer's newer versions and strategize upgrades.