#122 closed enhancement (fixed)
Setup OpenBao for k8s secrets
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Infrastructure | Keywords: | |
Cc: | finn@… |
Description (last modified by )
This is a task to set up OpenBao in such a way that it can be easily used to access secrets in k8s. There are a number of outstanding questions to answer before this is applied to the live cluster:
- How do secrets get created?
  - Generated random strings
  - Human provided strings
    - Web UI is supposed to be the answer here, but that doesn't seem to be available in the stock container images
      - We can roll our own images for now
  - Integrated external systems
    - Keycloak OIDC client secret?
- How do pods read secrets?
  - OpenBao Secrets Operator - is this any good?
  - sidecar agent - seems resource intensive
  - csi provider - seems limited, can't set environment variables
  - external secrets operator yet another operator :/ - but none of the other options actually work in OpenBao yet! So this is what we're using.
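
The following is an added illustration, not the configuration from this ticket or its linked commit. It shows how the External Secrets Operator (ESO) option can deliver an OpenBao value to a pod as an environment variable, the thing the description says the CSI provider cannot do. It assumes ESO reaches OpenBao through its Vault-compatible `vault` provider; every name, path, role and address is hypothetical.

```yaml
# Added example: all names, paths, roles and addresses are hypothetical.
apiVersion: external-secrets.io/v1   # older ESO releases serve v1beta1
kind: SecretStore
metadata:
  name: openbao
  namespace: demo
spec:
  provider:
    vault:                            # OpenBao via the Vault-compatible provider
      server: "https://openbao.example.internal:8200"
      path: "secret"                  # assumed KV mount
      version: "v2"
      auth:
        kubernetes:                   # assumes Kubernetes auth is enabled in OpenBao
          mountPath: "kubernetes"
          role: "demo-app"            # role scoped to this one service account
          serviceAccountRef:
            name: "demo-app"
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: keycloak-oidc
  namespace: demo
spec:
  refreshInterval: 1h                 # re-read from OpenBao hourly
  secretStoreRef:
    kind: SecretStore
    name: openbao
  target:
    name: keycloak-oidc               # Kubernetes Secret that ESO creates and syncs
  data:
    - secretKey: OIDC_CLIENT_SECRET   # key inside the Kubernetes Secret
      remoteRef:
        key: demo/keycloak            # path under the KV mount
        property: client_secret
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: demo
spec:
  containers:
    - name: app
      image: registry.example.internal/demo-app:1.0
      envFrom:
        - secretRef:
            name: keycloak-oidc       # exposes OIDC_CLIENT_SECRET as an env var
```

With this pattern the value is copied into an ordinary Kubernetes Secret, so RBAC on Secrets in the namespace and encryption at rest for etcd still decide who can read it.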
Change History (5)
comment:1 by , 8 months ago
Status: | assigned → accepted |
---|
comment:2 by , 8 months ago
Description: | modified (diff) |
---|
comment:3 by , 7 months ago
comment:4 by , 7 months ago
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
comment:5 by , 7 months ago
Description: | modified (diff) |
---|
This is completed as of https://git.devhack.net/devhack/core-infra/commit/01c9ab135f418188f7ab5582887d7310222d2b21