I would like to use Vault as the source of secrets for my Kubernetes cluster. I have read this awesome post https://arslan.io/2018/06/21/how-to-write-a-container-storage-interface-csi-plugin/ by @fatih. I understand the overall process. I would like to implement a tmpfs-based volume, like Secrets, that provisions secrets using Vault.
A few things that are not clear to me:
- How do I use the service account from the Pod where this Volume is mounted to issue the secret? This will ensure authZ at the Vault level.
- Vault secrets come with a TTL, so we need to periodically refresh the secret. I would like to do this via the Node plugin instead of a sidecar. I have too many sidecars already and not enough room for real applications.
Is this something that will be possible as a CSI driver?
/kind feature
/sig storage
cc: @saad-ali
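As an added example (not code from this issue, from Kubernetes, or from Vault), this is the shape a node plugin's NodePublishVolume helper could take for the two questions above: it reads the pod's projected service-account token from the volume context (this assumes the driver's CSIDriver object declares `tokenRequests`, which the kubelet then delivers under the `csi.storage.k8s.io/serviceAccount.tokens` key), exchanges it through Vault's Kubernetes auth method so Vault policy is evaluated per pod, and derives the refresh delay for rewriting the tmpfs file from the lease TTL Vault returns. The two-thirds-of-TTL renewal rule and the 10s floor are assumptions of this example, not anything the CSI spec prescribes.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// podTokenFromContext pulls the pod's token for one audience out of the
// volume_context key the kubelet fills once CSIDriver declares tokenRequests.
func podTokenFromContext(volumeContext map[string]string, audience string) (string, error) {
	var tokens map[string]map[string]string // audience -> {"token": ..., "expirationTimestamp": ...}
	if err := json.Unmarshal([]byte(volumeContext["csi.storage.k8s.io/serviceAccount.tokens"]), &tokens); err != nil {
		return "", fmt.Errorf("no usable service account tokens in volume context: %w", err)
	}
	if tok := tokens[audience]["token"]; tok != "" {
		return tok, nil
	}
	return "", fmt.Errorf("no token for audience %q", audience)
}

// vaultLogin trades the pod's JWT for a Vault token via the Kubernetes auth method,
// so Vault policy is evaluated against the pod's own identity; it returns the
// client token and the lease TTL Vault reports.
func vaultLogin(client *http.Client, vaultAddr, role, jwt string) (string, time.Duration, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	resp, err := client.Post(vaultAddr+"/v1/auth/kubernetes/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	var out struct {
		Auth struct {
			ClientToken   string `json:"client_token"`
			LeaseDuration int    `json:"lease_duration"`
		} `json:"auth"`
	}
	// Vault reports errors without an auth block, so an empty client_token also covers non-200 replies.
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
		return "", 0, fmt.Errorf("vault login failed (%s): %v", resp.Status, err)
	}
	return out.Auth.ClientToken, time.Duration(out.Auth.LeaseDuration) * time.Second, nil
}

// refreshAfter: renew at two thirds of the TTL, but never sooner than 10s (assumed policy).
func refreshAfter(ttl time.Duration) time.Duration {
	if d := ttl * 2 / 3; d > 10*time.Second {
		return d
	}
	return 10 * time.Second
}
```

The node plugin would call these from NodePublishVolume, write the fetched secret into the tmpfs mount, and re-run the fetch after `refreshAfter(ttl)`; writing the file and the Vault secret read itself are left out here.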