kelseyhightower/vault-controller

EnvVar use case

Opened this issue · 1 comment

Would it be possible to use/extend this controller to support the following use case?

I want to use secrets from Vault as environment variables of my containers.
My idea was to use an init-container that extracts secrets from Vault and somehow pass those secrets as environment variables to the "normal" containers of the pod.

I've implemented this in Vault-monkey (the tool I already use for extracting Vault secrets, see pulcy/vault-monkey#4). It can extract secrets to a file (which is no problem with a memory-backed emptyDir volume), but extracting them to environment variables is an issue because I cannot find anything similar to Docker's `--env-file` option.
So as a temporary solution I ended up extracting secrets from Vault and storing them in a K8S Secret, which is then mapped into the container as environment variables. Of course that exposes the secrets in the K8S API server, which I would like to avoid.

Would this controller have a way to solve this use case?

Could an entry point for each container in the pod know to look for secrets in a well-known place? I did this in the past and it seemed to work okay, though you had to manage an entrypoint for each of your containers; we included that in our base image.
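The pattern described in the issue and in the reply above, as an added example that is not part of vault-controller or vault-monkey: an init container writes `KEY=VALUE` lines into a memory-backed emptyDir, and a small entrypoint wrapper in the application container loads that file into its environment and then `exec`s the real command. This gives the `--env-file` behaviour the poster could not find, without storing the values in a Kubernetes Secret. The path `/var/run/secrets/vault/env`, the function names and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical entrypoint wrapper (added example, not code from either project).
# Assumes an init container has already written KEY=VALUE lines to
# $SECRETS_ENV_FILE on an emptyDir with medium: Memory that both containers mount.
# The values never pass through the Kubernetes API server.

SECRETS_ENV_FILE="${SECRETS_ENV_FILE:-/var/run/secrets/vault/env}"

# load_env_file FILE
# Exports every KEY=VALUE line of FILE into the current shell environment.
# - blank lines and lines starting with '#' are skipped
# - the line is split on the first '=' only, so values may contain '='
# - keys must be valid shell identifiers; nothing is eval'ed, so a hostile
#   value cannot run code in the entrypoint
# Returns 1 if the file is unreadable or a key is malformed.
load_env_file() {
    file="$1"
    [ -r "$file" ] || { echo "secrets file not readable: $file" >&2; return 1; }
    # '|| [ -n "$line" ]' also handles a last line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "invalid key in $file: '$key'" >&2; return 1 ;;
        esac
        export "$key=$value"
    done < "$file"
}

# write_sample_env_file FILE
# Writes a constructed sample in the format the init container would leave
# behind (made-up values), created with owner-only permissions.
write_sample_env_file() {
    ( umask 077
      printf '%s\n' \
          '# written by the init container' \
          'DB_PASSWORD=s3cr3t=with=equals' \
          '' \
          'API_TOKEN=abc123' > "$1" )
}

# Entrypoint behaviour: with a command given, load the secrets and hand off to
# it via exec so the wrapper's shell does not linger as an extra process.
if [ "$#" -gt 0 ]; then
    load_env_file "$SECRETS_ENV_FILE" || exit 1
    exec "$@"
fi
```

Set the wrapper as the image's `ENTRYPOINT` (or the pod's `command`) and keep the application's own command as the arguments. Because the shared volume is tmpfs (`emptyDir` with `medium: Memory`), the secrets exist only in RAM on that node and disappear with the pod; the init container should still write the file with restrictive permissions, as the sample does, since every container in the pod that mounts the volume can read it.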