ECK - Alternative secrets storage using CSI Driver for KeyVault in Azure

I have integrated my AKS cluster with Azure Keyvault CSI Driver for secrets storage.

Link:
GitHub - Azure/secrets-store-csi-driver-provider-azure: Azure Key Vault provider for Secret Store CSI driver allows you to get secret contents stored in Azure Key Vault instance and use the Secret Store CSI driver interface to mount them into Kubernetes pods.

Now, after I have configured this (volume mounts in the Elasticsearch YAML specs), the creation of a new Elasticsearch resource still creates the secrets (e.g. the elastic username/password) as Kubernetes secrets in plaintext (base64 encoded) and not in the Key Vault.

How can I make elastic use the Azure Keyvault CSI driver to store secrets and not the default k8s secrets?

As far as I understand, the Azure Key Vault CSI driver doesn't allow writing secrets from Kubernetes to the Azure Key Vault instance. It only works the other way around: secrets are retrieved from the vault and can then be used in Kubernetes.

Also, I'm not sure how it is relevant for internal secrets managed by the operator to be stored in Azure Key Vault. This seems more relevant for secrets you provide to your cluster, such as secrets that define users and roles. In that case, you might be interested in syncing mounted content with Kubernetes secrets.
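As an added illustration of that sync (not part of the thread, and not ECK's or the CSI provider's own sample): a SecretProviderClass that reads two Key Vault objects, mirrors them into a Kubernetes Secret via `secretObjects`, and an Elasticsearch spec that consumes that Secret as a file realm. The vault name, tenant ID, managed identity client ID and the object names `es-users` / `es-users-roles` (holding the `users` and `users_roles` file contents) are assumed placeholders.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: es-file-realm-kv
spec:
  provider: azure
  secretObjects:                # mirror the mounted files into a K8s Secret
    - secretName: es-file-realm-users
      type: Opaque
      data:
        - objectName: es-users
          key: users            # ECK file realm keys: users, users_roles
        - objectName: es-users-roles
          key: users_roles
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<identity-client-id>"
    keyvaultName: "<vault-name>"
    tenantId: "<tenant-id>"
    objects: |                  # each entry is parsed as its own YAML doc
      array:
        - "{objectName: es-users, objectType: secret}"
        - "{objectName: es-users-roles, objectType: secret}"
---
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart3
spec:
  version: 8.12.0               # assumed; use the version you run
  auth:
    fileRealm:
      - secretName: es-file-realm-users
  nodeSets:
    - name: default
      count: 1
      podTemplate:
        spec:
          volumes:
            - name: kv-users    # mounting this volume triggers the sync
              csi:
                driver: secrets-store.csi.k8s.io
                readOnly: true
                volumeAttributes:
                  secretProviderClass: es-file-realm-kv
          containers:
            - name: elasticsearch
              volumeMounts:
                - name: kv-users
                  mountPath: /mnt/kv-users
```

The mirrored Secret is created only while some pod mounts the CSI volume, so check that `es-file-realm-users` exists before relying on the realm's users. It is still an ordinary Kubernetes Secret stored in etcd, which is why this sync helps with secrets you supply but does not move the operator-generated ones into Key Vault.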

Thanks for the response.
Here is a bit more detail:

There are secrets "created" by the ECK setup as follows:

namespace: elastic-system
Secrets:

default-token-9q898
elastic-operator-token-pnl5n
elastic-webhook-server-cert

Secrets for the new "Elasticsearch" resource:
quickstart3-es-http-ca-internal
quickstart3-es-http-certs-internal
quickstart3-es-http-certs-public
quickstart3-es-default-es-config
quickstart3-es-default-es-transport-certs
quickstart3-es-elastic-user
quickstart3-es-internal-users
quickstart3-es-remote-ca
quickstart3-es-transport-ca-internal
quickstart3-es-transport-certs-public
quickstart3-es-xpack-file-realm
eck0-quickstart3-kibana-user
quickstart3-kb-es-ca
quickstart3-kibana-user
quickstart3-kb-http-ca-internal
quickstart3-kb-config
quickstart3-kb-http-certs-internal
quickstart3-kb-http-certs-public

It is clear that the Azure Key Vault CSI driver can only be used to "read" secrets from the Key Vault.
However, the secrets I mentioned above are created by the ECK instance installation.

Can these secrets be secured/encrypted in some way?