SOPS: Add support for HashiCorp Vault token-based authentication #538
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
souleb
force-pushed
the
issue-516
branch
3 times, most recently
from
18665cf
to
7763f50
Compare
stefanprodan
added
area/sops
stefanprodan
changed the title
stefanprodan
changed the title
hiddeco
reviewed
Jan 18, 2022
hiddeco
reviewed
Jan 18, 2022
|
@hiddeco I have checked the Azure Vault PR. We should probably make the |
24 tasks
hiddeco
reviewed
Jan 19, 2022
souleb
force-pushed
the
issue-516
branch
2 times, most recently
from
4f64515
to
e1b0f68
Compare
stefanprodan
requested changes
Jan 19, 2022
If implemented, the kustomize controller will be able to retrieve a secret containing a VAULT TOKEN and use it to decrypt the sops encrypted master key. It will then use it to decrypt the data key and finally use the data key to decrypt the final data. Signed-off-by: Soule BA <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #516
If implemented, the kustomize controller will be able to retrieve a secret containing a VAULT TOKEN and use it to decrypt the sops encrypted master key. Which will then be used to decrypt the data key that will decrypt the final data.
The kustomize-controller retrieve the secret specified in the kustomization in the same namespace. We keep the behaviour set by age and pgp decryption.
In case a token does not exist for a HashiCorp vault encrypted token, we fall back to the default server to try decrypting/encrypting the data. This will preserve the behaviour for customer relying on VAULT_TOKEN env var.
Signed-off-by: Soule BA [email protected]