GKE with Hashicorp Vault - Possible to use Google Cloud Run?

1/14/2020

I'm looking into deploying a cluster on Google Kubernetes Engine in the near future. I've also been looking into using Vault by Hashicorp in order to manage the secrets that my cluster has access to. Specifically, I'd like to make use of dynamic secrets for greater security.

However, all of the documentation and YouTube videos that cover this type of setup always mention that a set of nodes strictly dedicated to Vault should operate as their own separate cluster - thus requiring more VMs.

I am curious if a serverless approach is possible here. Namely, using Google Cloud Run to create Vault containers on the fly.

This video (should start at the right time) mentions that Vault can be run as a Deployment, so I don't see there being an issue with state. And since Google mentions that each Cloud Run service gets its own stable HTTPS endpoint, I believe that I can simply pass this endpoint to my configuration and all of the pods will be able to find the service, even if new instances are created. However, I'm new to using Kubernetes, so I'm not sure if I'm entirely correct here.

Can anyone with more experience using Kubernetes and/or Vault point out any potential drawbacks with this approach? Thank you.

-- mrstack999
containers
google-cloud-run
google-kubernetes-engine
hashicorp-vault
kubernetes
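The "pass the endpoint to my configuration" idea in the question boils down to this flow: a pod knows only Vault's URL (VAULT_ADDR), its own role name and its projected service-account JWT; it logs in through Vault's Kubernetes auth method, receives a client token, and uses that token to read a dynamic secret from the database secrets engine, which comes with a lease it must renew or revoke. The program below is an added example written for this page, not code from the question, Vault or any linked video. It talks to the two real Vault API paths with the real request and response shapes, but the server side is a constructed in-process stand-in (newFakeVault) so it runs offline; fakeJWT, fakeRole, fakeToken and the returned usernames are constructed values, and the fake only string-compares the JWT where real Vault validates it against the cluster's TokenReview API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample values: a stand-in for a pod's projected service-account JWT, its Vault role, and the token the fake Vault below issues. None are real.
const (
	fakeJWT   = "eyJhbGciOiJSUzI1NiJ9.constructed-sa-token.sig"
	fakeRole  = "webapp"
	fakeToken = "s.constructedVaultToken"
)

// DynamicCreds is what the workload ends up holding: a short-lived credential pair plus the lease it must renew before TTL runs out or revoke when done.
type DynamicCreds struct {
	Username, Password, LeaseID string
	TTL                         int // seconds
}

// loginKubernetes posts the pod's JWT to Vault's Kubernetes auth method (POST /v1/auth/kubernetes/login) and returns the client token it issues.
func loginKubernetes(addr, role, jwt string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	resp, err := http.Post(addr+"/v1/auth/kubernetes/login", "application/json", bytes.NewReader(body))
	if err != nil { return "", err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("login rejected: %s", resp.Status)
	}
	var lr struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := json.NewDecoder(resp.Body).Decode(&lr); err != nil || lr.Auth.ClientToken == "" {
		return "", fmt.Errorf("bad login response: %v", err)
	}
	return lr.Auth.ClientToken, nil
}

// readDatabaseCreds asks the database secrets engine (GET /v1/database/creds/<role>) for a freshly generated, leased username/password.
func readDatabaseCreds(addr, token, role string) (DynamicCreds, error) {
	req, _ := http.NewRequest(http.MethodGet, addr+"/v1/database/creds/"+role, nil)
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return DynamicCreds{}, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return DynamicCreds{}, fmt.Errorf("creds read rejected: %s", resp.Status)
	}
	var cr struct {
		LeaseID       string `json:"lease_id"`
		LeaseDuration int    `json:"lease_duration"`
		Data          struct{ Username, Password string } `json:"data"` // json matches keys case-insensitively
	}
	if err := json.NewDecoder(resp.Body).Decode(&cr); err != nil { return DynamicCreds{}, err }
	return DynamicCreds{cr.Data.Username, cr.Data.Password, cr.LeaseID, cr.LeaseDuration}, nil
}

// FetchDynamicCreds is the whole flow a pod runs: it needs only the Vault URL (what VAULT_ADDR points at), its role name and its own service-account token.
func FetchDynamicCreds(addr, role, jwt string) (DynamicCreds, error) {
	token, err := loginKubernetes(addr, role, jwt)
	if err != nil { return DynamicCreds{}, err }
	return readDatabaseCreds(addr, token, role)
}

// newFakeVault is a constructed stand-in for the two Vault endpoints used above so the example runs offline.
// It is not Vault: real Vault validates the JWT through the cluster's TokenReview API, whereas this only compares it with fakeJWT.
func newFakeVault() *httptest.Server {
	deny := func(w http.ResponseWriter) { http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden) }
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		_ = json.NewDecoder(r.Body).Decode(&in)
		if r.Method != http.MethodPost || in["role"] != fakeRole || in["jwt"] != fakeJWT { deny(w); return }
		fmt.Fprintf(w, `{"auth":{"client_token":%q}}`, fakeToken)
	})
	mux.HandleFunc("/v1/database/creds/"+fakeRole, func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != fakeToken { deny(w); return }
		fmt.Fprint(w, `{"lease_id":"database/creds/webapp/constructedLease","lease_duration":900,`+
			`"data":{"username":"v-kubernet-webapp-constructed","password":"constructed-pw"}}`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeVault()
	defer srv.Close()
	creds, err := FetchDynamicCreds(srv.URL, fakeRole, fakeJWT)
	fmt.Printf("creds=%+v err=%v\n", creds, err)
}
```

Two points the flow makes visible. First, a Vault Deployment being restartable does not mean Vault is stateless: the Kubernetes role bindings, leases and secrets-engine configuration live in Vault's storage backend, so whatever runs the Vault process (GKE nodes or anything else) still needs that backend configured and reachable. Second, the Kubernetes auth method only works if Vault can call the GKE cluster's TokenReview API to validate the pod's JWT, so wherever Vault runs it needs a network path and credentials to the cluster API, not just a stable URL that pods can reach.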

1 Answer

1/15/2020

In beta for 3 weeks, and not officially announced (it should be in a couple of days), you can have a look at secret-manager. It's a serverless secret manager with, I think, all the basic requirements that you need.

The main reason it hasn't been announced yet is that the client libraries in several languages aren't yet released/finished.

The awesome guy on your video link, Seth Vargo, has been involved in this project.

He has also released Berglas. It's written in Python, uses KMS for encrypting the secrets and Google Cloud Storage for storing them. I also recommend it.

I built a Python library to easily use Berglas secrets in Python.

Hope that this secret management tool will meet your expectations. In any case, it's serverless and quite cheap!

-- guillaume blaquiere
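The "KMS for encrypting, Cloud Storage for storing" design the answer attributes to Berglas is envelope encryption: each secret is encrypted under its own random data key, the data key is wrapped by a key that never leaves KMS, and only the wrapped key plus ciphertext are written to the bucket, so a bucket read alone yields nothing and access is governed by who may call KMS. The program below is an added example written for this page, not Berglas's own code or its storage format. fakeKMS and Bucket are constructed in-process stand-ins for Cloud KMS and a GCS bucket; the "base64(wrappedDEK):base64(ciphertext)" layout and the use of the object name as AES-GCM associated data (so a blob copied to another object name no longer decrypts) are this example's choices, not claims about Berglas.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce; aad binds context to the ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext, tag or aad makes it fail.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// fakeKMS is a constructed stand-in for Cloud KMS: the key-encryption key never leaves it,
// and callers only get wrap/unwrap of small data keys. It is not the real KMS client.
type fakeKMS struct{ kek []byte }

func newFakeKMS() *fakeKMS {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { panic(err) }
	return &fakeKMS{kek: kek}
}
func (k *fakeKMS) Wrap(dek []byte) ([]byte, error)       { return aeadSeal(k.kek, dek, []byte("dek")) }
func (k *fakeKMS) Unwrap(wrapped []byte) ([]byte, error) { return aeadOpen(k.kek, wrapped, []byte("dek")) }

// Bucket is a constructed stand-in for a GCS bucket: object name -> stored blob.
type Bucket map[string]string

// Put generates a fresh data key per secret, encrypts the secret under it, has KMS wrap the
// data key, and stores "base64(wrappedDEK):base64(ciphertext)". The object name is the AAD,
// so a blob copied to another name will not decrypt (this example's choice, not Berglas's format).
func Put(kms *fakeKMS, store Bucket, name string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return err }
	ct, err := aeadSeal(dek, plaintext, []byte(name))
	if err != nil { return err }
	wrapped, err := kms.Wrap(dek)
	if err != nil { return err }
	store[name] = base64.StdEncoding.EncodeToString(wrapped) + ":" + base64.StdEncoding.EncodeToString(ct)
	return nil
}

// Get reverses Put: unwrap the data key through KMS, then decrypt the secret with it.
func Get(kms *fakeKMS, store Bucket, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok { return nil, fmt.Errorf("no object %q", name) }
	parts := strings.SplitN(blob, ":", 2)
	if len(parts) != 2 { return nil, errors.New("malformed object") }
	wrapped, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	ct, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	dek, err := kms.Unwrap(wrapped)
	if err != nil { return nil, fmt.Errorf("kms unwrap: %w", err) }
	return aeadOpen(dek, ct, []byte(name))
}

func main() {
	kms, store := newFakeKMS(), Bucket{}
	if err := Put(kms, store, "db-password", []byte("constructed-hunter2")); err != nil { panic(err) }
	got, err := Get(kms, store, "db-password")
	fmt.Printf("stored=%s\nrecovered=%s err=%v\n", store["db-password"], got, err)
}
```

The property to check when evaluating any tool built this way is the one the test exercises: the bucket contents never contain the plaintext, a different KMS key cannot unwrap the data key, and a blob moved or tampered with fails closed instead of decrypting to garbage.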
Source: StackOverflow