Description
For our work with IFRC, we are required to store all secrets in Azure Secrets Vault, and the pattern we use on other deploys is to use a `SecretProviderClass` to map these secrets to a k8s `Secret` object. For eg. https://github.com/IFRCGo/montandon-etl/blob/develop/helm/templates/config/secrets_provider_class.yaml

For our `eoapi-k8s` deploy, we want to use Azure Managed Postgres, and then pass the credentials for the database in this way.
To make this work, I would:

- Add an optional values item like `.Values.azure.aksSecretsProviderAvailable` and, if it is specified as `true`, allow specifying the `keyvault` details like so: https://github.com/IFRCGo/go-deploy/blob/develop/applications/argocd/staging/applications/montandon-etl.yaml#L58
- Add a `SecretProviderClass` similar to https://github.com/IFRCGo/montandon-etl/blob/develop/helm/templates/config/secrets_provider_class.yaml which, if the secret provider is available, maps it to the `Secret` object that `eoapi-k8s` expects for the database config.
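A sketch of what the second bullet could look like as a Helm template (an added example, not code from eoapi-k8s or the montandon-etl chart): the `SecretProviderClass` is rendered only when `.Values.azure.aksSecretsProviderAvailable` is true, and its `secretObjects` block asks the Secrets Store CSI driver to sync the Key Vault objects into a regular k8s `Secret`. The `.Values.azure.keyvault.*` keys, the Key Vault object names, and the Secret name and keys are assumptions; replace them with the values the linked config and the eoapi-k8s pods actually use.

```yaml
{{- /* Added example template, not part of eoapi-k8s. Rendered only when the
       Azure Key Vault provider for the Secrets Store CSI driver is installed. */ -}}
{{- if .Values.azure.aksSecretsProviderAvailable }}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: {{ .Release.Name }}-pgstac-keyvault
spec:
  provider: azure
  # Ask the CSI driver to mirror the mounted objects into a k8s Secret.
  # The Secret name and keys are assumptions: use the ones the database
  # settings of eoapi-k8s actually read.
  secretObjects:
    - secretName: {{ .Release.Name }}-pgstac-secrets
      type: Opaque
      data:
        - objectName: pgstac-host
          key: POSTGRES_HOST
        - objectName: pgstac-user
          key: POSTGRES_USER
        - objectName: pgstac-password
          key: POSTGRES_PASS
        - objectName: pgstac-dbname
          key: POSTGRES_DBNAME
  parameters:
    # Authenticate to Key Vault with the AKS user-assigned managed identity
    # (assumed values keys; mirror whatever the keyvault block in the linked
    # go-deploy application config provides).
    useVMManagedIdentity: "true"
    userAssignedIdentityID: {{ .Values.azure.keyvault.userAssignedIdentityID | quote }}
    keyvaultName: {{ .Values.azure.keyvault.name | quote }}
    tenantId: {{ .Values.azure.keyvault.tenantId | quote }}
    # Key Vault secrets to fetch; names must match the objectName entries above.
    objects: |
      array:
        - |
          objectName: pgstac-host
          objectType: secret
        - |
          objectName: pgstac-user
          objectType: secret
        - |
          objectName: pgstac-password
          objectType: secret
        - |
          objectName: pgstac-dbname
          objectType: secret
{{- end }}
```

One caveat worth planning for: the CSI driver only creates the synced `Secret` once a pod actually mounts a `secrets-store.csi.k8s.io` volume referencing this class, so the eoapi-k8s database pods (or a small placeholder pod) still need that volume mount for the `Secret` to exist at all.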
This is a bit cloud-provider specific, but of course you'd be able to totally ignore it if you are not using Azure / Keyvault. Am not sure, but perhaps other cloud providers have similar ways to map secrets from a "vault" to a k8s `Secret` object, and we can add those conditionals down the line if it seems useful.

This all seems a bit non-ideal, but it seems like one way to unblock us.
Would love to hear any thoughts / concerns, @pantierra @emmanuelmathot @ividito @geohacker