Liqo integration with external secrets manager

[marcodc-tim]

Describe the problem you are having (if any)

Currently, WireGuard key pairs and provider kubeconfigs are stored as Kubernetes Opaque Secrets. This requires manual creation and management steps, introduces operational overhead, and may not meet security policies that require centralized secret lifecycle controls and auditing.

Describe the solution you would like

Integration with external secret management systems such as HashiCorp Vault to automatically generate, rotate, and retrieve WireGuard keys and provider kubeconfigs without manual secret management.

Describe the user value of this feature

This would improve security posture, allow compliance with enterprise secret-management policies and reduce risk associated with poor key rotation or distribution practices.

Describe your proposed solution

Implement an optional backend integration that allows Liqo to:

• manage WireGuard key material via Vault or other CSI-compatible secret stores,
• manage remote kubeconfig credentials securely,
• optionally support automated key rotation flows.

Do you volunteer to implement this feature?

• I want to implement this feature

Code of Conduct

• I agree to follow this project's Code of Conduct

[cheina97]

This sounds like an enterprise feature and I'm not sure there will be space for it in our open-source roadmap, but never say never. I have no experience with Vault, but from what I know it should be enough to allow custom annotations on the pods which need the secrets + allow to specify the path of the secret inside the pod, right?

[cheina97]

Instead, about the secret creation and refresh performed by Liqo, I think the only solution should be to inject a vault client inside liqo pods, or you know if some secret manager agnostic solution exist? Like a webhook getting the secret creation and converting it in vault API requests?

[likakuli]

/cc