How to create a Kubernetes secret using Spinnaker and HashiCorp Vault

8/13/2020

We have a whole bunch of secrets on our HashiCorp Vault server. We have started testing out Spinnaker for deploying on Kubernetes, but I do not see any documentation around how to create a secret on Kubernetes reading from HashiCorp Vault.

Can someone point me in the right direction for this? Is it even advisable to create secrets using Spinnaker or should we just use it strictly for deployments?

-- Aditya Patawari
hashicorp-vault
kubernetes
spinnaker

1 Answer

8/13/2020

The problem with creating a secret via Spinnaker is: where do you keep the content of the secret in the first place to be able to create a secret from it? Wherever you keep it, it introduces a risk of compromise. So I would suggest creating the secret dynamically at runtime using a sidecar injector.

The HashiCorp Vault sidecar injector agent is a tool that can be used for this purpose. The injector is a Kubernetes Mutation Webhook Controller. The controller intercepts pod events and applies mutations to the pod if annotations exist within the request.

Since the secret gets injected directly into the pod as VolumeMounts from the Vault Server, the chance of compromise is less compared to creating a secret via Spinnaker.

-- Arghya Sadhu
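A Deployment manifest wired up for the Vault Agent Injector, added here as an illustration of the approach in the answer above (it is not part of the original post). It assumes a Vault Kubernetes-auth role named `webapp` bound to the `webapp` service account, a KV v2 secret at `secret/data/webapp/config` with `username` and `password` fields, and a placeholder image; the manifest itself contains no secret material, so Spinnaker can deploy it like any other workload.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
      annotations:
        # Ask the Vault Agent Injector (mutating webhook) to add the sidecar to this pod.
        vault.hashicorp.com/agent-inject: "true"
        # Vault Kubernetes-auth role bound to the pod's service account (assumed name).
        vault.hashicorp.com/role: "webapp"
        # Render the KV v2 secret into /vault/secrets/db-creds inside the pod (assumed path).
        vault.hashicorp.com/agent-inject-secret-db-creds: "secret/data/webapp/config"
        # Template so only the fields the app needs are written, in env-file form.
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "secret/data/webapp/config" -}}
          DB_USER={{ .Data.data.username }}
          DB_PASS={{ .Data.data.password }}
          {{- end }}
    spec:
      # Service account the injector's sidecar authenticates to Vault with (assumed name).
      serviceAccountName: webapp
      containers:
        - name: webapp
          image: example.com/webapp:1.0.0   # placeholder image
          # Source the rendered file at start-up; the credentials never appear in
          # this manifest, in Spinnaker's pipeline config, or in a Kubernetes Secret.
          command: ["sh", "-c", "set -a; . /vault/secrets/db-creds; set +a; exec /app/server"]
```

The `webapp` role's Vault policy should grant only `read` on that one path, so a compromised pod cannot reach other secrets on the Vault server.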
Source: StackOverflow