The Wayback Machine - https://web.archive.org/web/20220722170210/https://github.com/stakater/Reloader/issues/185

Secrets in External Store #185

Open
consult-kk opened this issue Dec 16, 2020 · 15 comments
Labels
good first issue kind/enhancement workflow/todo

Comments

@consult-kk consult-kk commented Dec 16, 2020

Hi,
This is a useful tool for any DevOps/SRE teams managing K8S clusters and apps.
One question though: will this be able to detect changes to Secrets stored in an external store like the GoDaddy one or HashiCorp Vault?
thanks,
KK

@faizanahmad055 faizanahmad055 (Contributor) commented Dec 16, 2020

No, currently Reloader doesn't support this; it can only detect secrets within the cluster. But this sounds like a really good thing to have. Would you like to open a PR for this? :)

@consult-kk consult-kk (Author) commented Dec 17, 2020

> No, currently Reloader doesn't support this; it can only detect secrets within the cluster. But this sounds like a really good thing to have. Would you like to open a PR for this? :)

I am not a Golang developer, else I would have tried a few things. But I would think this should not be too difficult, since the kube API server can still provide info regarding the secrets, as it will have knowledge about them. Only the data store is external. You could probably grab some event from the kube API server to achieve this.

@rasheedamir rasheedamir (Member) commented Feb 8, 2021

@consult-kk we are planning to add support for HashiCorp Vault!

@rasheedamir rasheedamir added good first issue kind/enhancement workflow/todo labels Feb 8, 2021
@stephenh1991 stephenh1991 commented Mar 12, 2021

Hey 👋 I'm happy to have a go at this as we have a requirement for this and we already use reloader (great tool btw!). Do you have any ideas on a rough implementation?

@RichiCoder1 RichiCoder1 commented Apr 11, 2021

For people interested in this, unless you're married to the Vault API, either https://github.com/external-secrets/kubernetes-external-secrets or https://github.com/kubernetes-sigs/secrets-store-csi-driver + https://www.vaultproject.io/docs/platform/k8s/csi might be a more robust solution that doesn't add potentially fragile/unmaintained code.

@kenans kenans commented Jul 20, 2021

Agreed with @RichiCoder1. Wonder if there's any plan to support the Secret store CSI driver, such as the Azure KeyVault implementation?

@faizanahmad055 faizanahmad055 (Contributor) commented Jul 30, 2021

Support for the Secret store CSI driver is indeed a good addition and we are planning to add something similar in the future. We also welcome community contributions via Pull Requests.

@salecharohit salecharohit commented Jan 21, 2022

Totally agree with @RichiCoder1 on having some support for https://github.com/kubernetes-sigs/secrets-store-csi-driver, as the secrets-store-csi-driver, when implemented with the secrets sync functionality, syncs using a CRD like the one below:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1   # added: API group/version of the SecretProviderClass CRD
kind: SecretProviderClass
metadata:
  name: nginx-deployment-aws-secrets
spec:
  provider: aws                              # the Secrets Store CSI provider plugin to use
  parameters:
    objects: |                               # provider-specific list of objects to fetch and mount
      - objectName: "MySecret"               # name of the secret in AWS Secrets Manager
        objectType: "secretsmanager"
```

Hence, using Reloader, we have no way to tag/annotate the specific secret. So in addition to ConfigMaps and Secrets, if you could add SecretProviderClass it'll be of massive help.

@LO764640 LO764640 commented May 17, 2022

Hi, has this been implemented yet?

@domeales-paloit domeales-paloit commented Jun 24, 2022

Hi folks,

I am using https://external-secrets.io/v0.5.7/ and it is updating my Secret resources when the underlying AWS SecretsManager secret values are updated.

I am attempting to integrate this with Reloader. I have added the reloader.stakater.com/auto: "true" annotation to my Deployment, and when External Secrets updates my Secret, the Deployment pods are not restarting (as expected).

Am I missing something here?

Cheers

@domeales-paloit domeales-paloit commented Jun 24, 2022

@ericmeadows Can you explain how it is working for you? Are you using reloader.stakater.com/auto: "true" on Deployment resources?

@ericmeadows ericmeadows commented Jun 24, 2022

@domeales-paloit domeales-paloit commented Jun 24, 2022

@ericmeadows Yeah, ExternalSecrets is great. I would like to get it working with Reloader if possible. I suspect the way that ExternalSecrets is updating the secrets is not triggering an event in Reloader.

Thanks anyway

@domeales-paloit domeales-paloit commented Jun 27, 2022

Scratch that, it seems that Reloader is working with ExternalSecrets, perhaps it just has a delay. 👍
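The thread above turns on one question: when an external-store controller rewrites a Secret inside the cluster, how does a reload controller decide whether the Deployment must roll? The Go example below is added here to make that decision concrete; it is not Reloader's code, the Secret and Deployment types are offline stand-ins for the k8s.io/api ones, and the STAKATER_<name>_SECRET env var name and the digest scheme are assumptions. Note that a Secret rewritten with identical data (as a periodic external-secrets refresh does) produces the same digest and therefore no rollout, which is consistent with the delay observed above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Stand-ins for the Kubernetes objects (real types: k8s.io/api core/v1, apps/v1).
type Secret struct {
	Name string
	Data map[string][]byte
}

type Deployment struct {
	Annotations map[string]string
	Refs        map[string]bool   // Secrets mounted or referenced by the pod template
	Env         map[string]string // pod-template env; a changed value rolls the pods
}

// digest hashes Secret data over sorted keys, so equal content gives an equal
// digest regardless of map iteration order or of which controller wrote it.
func digest(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%s\x00%s\x00", k, data[k]) // NUL separators keep "ab"+"c" != "a"+"bc"
	}
	return hex.EncodeToString(h.Sum(nil))
}

// reconcile returns true when the Deployment must roll: it opts in with
// reloader.stakater.com/auto: "true", references the Secret, and the digest
// differs from the one recorded in the pod template (env var name assumed).
// A Secret rewritten with identical data (e.g. an external-secrets refresh) is a no-op.
func reconcile(d *Deployment, s Secret) bool {
	if d.Annotations["reloader.stakater.com/auto"] != "true" || !d.Refs[s.Name] {
		return false
	}
	key, cur := "STAKATER_"+s.Name+"_SECRET", digest(s.Data)
	if d.Env[key] == cur {
		return false
	}
	d.Env[key] = cur // pod template changed: Kubernetes rolls the pods
	return true
}
```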

11 participants