Configure Hashicorp's Vault for Kubernetes Auth
Learn how to configure Vault to utilize the Kubernetes auth method for managing Spinnaker secrets.
Storing SpinnakerTM configs in a git repository is a great solution for maintaining versions of your configurations, but storing secrets in plain text is a bad security practice. If you’re using the Operator to deploy Spinnaker, separating your secrets from your configs through end-to-end secrets management is already supported. If you’re using Halyard, this is supported as of halyard-armory:1.4.1
. All you need to do is replace secrets in the configuration files with the syntax described here, and Spinnaker will decrypt them as needed.
We can now store secrets (tokens, passwords, sensitive files) separately from the Spinnaker configurations. We’ll provide references to these secrets to services that need them.
When referencing string secrets (passwords, tokens) in configs, use the following general format:
encrypted:<secret engine>!<key1>:<value1>!<key2>:<value2>!...
When referencing files, the same parameters are used but with the encryptedFile
prefix:
encryptedFile:<secret engine>!<key1>:<value1>!<key2>:<value2>!...
The keys and values making up the string vary with each secret engine. Refer to the specific documentation for each engine for more information.
This applies to section spec.spinnakerConfig.config
of the SpinnakerService
manifest if using the Operator, or ~/.hal/config
if using Halyard.
Operator and Halyard can understand the secrets you provide. If the service you are deploying is able to decrypt secrets, Operator (or Halyard) will pass the reference directly. Otherwise it will decrypt the configuration before sending it.
For instance, after replacing the GitHub token in our main config with the encrypted syntax:
...
github:
enabled: true
accounts:
- name: github
token: encrypted:s3!r:us-west-2!b:mybucket!f:spinnaker-secrets.yml!k:github.token
...
You find the following in /opt/spinnaker/config/clouddriver.yml
inside clouddriver pod:
...
github:
enabled: true
accounts:
- name: github
token: encrypted:s3!r:us-west-2!b:mybucket!f:spinnaker-secrets.yml!k:github.token
...
And for an older release of Clouddriver that does not support decryption:
...
github:
enabled: true
accounts:
- name: github
token: <TOKEN>
...
You can also provide secret references directly in SpinnakerService
manifest under section spec.spinnakerConfig.profiles
if using the Operator, or in *-local.yml
profile files if using Halyard, as well as directly in Spinnaker services.
Is there a secret engine you’d like us to support? Submit a feature request here!
Learn how to configure Vault to utilize the Kubernetes auth method for managing Spinnaker secrets.
Learn how to set up Spinnaker secrets in HashiCorp Vault.
Learn how to set up Spinnaker secrets in a Kubernetes secret.
Learn how to set up Spinnaker secrets in an encrypted GCS bucket.
Learn how to set up Spinnaker secrets in an encrypted S3 bucket.
Configure the AWS Secrets Manager as a secrets engine for Spinnaker.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.