Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kind:VSecMSecret #1171

Open
v0lkan opened this issue Oct 15, 2024 · 1 comment
Open

kind:VSecMSecret #1171

v0lkan opened this issue Oct 15, 2024 · 1 comment
Assignees
@v0lkan
Labels
enhancement New feature or request v0.29.0-candidate

Comments

@v0lkan
Copy link
Contributor

v0lkan commented Oct 15, 2024

We need a custom resource that can pull from a local (in-cluster) or external (federated cluster) VSecM and generate a Kubernetes Secret.

The Operator that does it will have a special clusterSPIFFEID and it would be able to securely talk to a VSecM Safe that it's configured to talk to as if it is VSecM Sentinel.

The interaction between the operator and VSecM Safe will be doubly encrypted since the secrets might be passing across the wire too.

apiVersion: vsecm.com/v1alpha1
kind: VSecMSecret
metadata:
  name: database-credentials
  vsecmSafeURL: https://path/to/vsecm/safe/api/endpoint
  secretType: k8s|vsecm
spec:
  refreshInterval: 1h    
  target:
    name: database-credentials  # name of the k8s Secret to be created
  data:
    - key: username
      ref: "databaseCredentials.cocaCola.data.username"
    - key: password
      ref: "databaseCredentials.cocaCola.data.password"
  labels:
    - key: app
      ref: databaseCredentials.cocaCola.labels.app
  annotations:
    - key: env
      ref: databaseCredentials.cocaCola.annotations.env

Note: this means, we might not need the VSecM Relay Client and VSecM Relay Server, especially for use cases that require creation of Kubernetes Secrets only.

Note++: If the remote cluster has VSecM installed, we can also create VSecM Secrets there.
@v0lkan v0lkan self-assigned this Oct 15, 2024
@v0lkan v0lkan added enhancement New feature or request v0.29.0-candidate labels Oct 15, 2024
@v0lkan
Copy link
Contributor Author

v0lkan commented Oct 16, 2024

From the dupe story:

thinking out loud:
This is a custom resource that can act as if you are using VSecM Sentinel; ideally it will talk to VSecM Sentinel since sentinel is the only entry point to the system.

It would be visible only to cluster admins;
it would reconcile whatever the VSecMSecret defines as a command.

In practice a VSecMSecret will create either a secret in VSecM Safe, or on Kubernetes, or both.

If the secret exists, it will update it;
if it does not, it will create it.

when the secret is changed by someone else, it will reconcile the secret back to its former value.

Of course, the security of VSecMSecret will be paramount in this case.

This will be an optional feature (as it might impact, and maybe even reduce) the security of the overall system, while increasing convenience.

This needs a careful design, and a technical spec before starting the coding work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@v0lkan v0lkan

Labels
enhancement New feature or request v0.29.0-candidate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@v0lkan