Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Support Configuration of Vault Proxy #929

Closed
ChrisJBurns opened this issue Jul 26, 2023 · 7 comments
Closed

feat: Support Configuration of Vault Proxy #929

ChrisJBurns opened this issue Jul 26, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@ChrisJBurns
Copy link

As release 1.14 has deprecated Vault Agent API proxy support we want to be able to configure the new Vault Proxy using the Helm Chart. Currently I cannot see any mentioned of proxy in the Values file leading me to believe it's currently not possible to configure yet.

@ChrisJBurns ChrisJBurns added the enhancement New feature or request label Jul 26, 2023
@tomhjp
Copy link
Contributor

tomhjp commented Jul 26, 2023

To clarify, is this a request for improved support using the proxy within the sidecars that Agent injector creates (i.e. one proxy per pod), or for deploying the proxy as a separate deployment (i.e. one proxy per cluster)? It sounds like the latter?

@ChrisJBurns
Copy link
Author

Hi @tomhjp, good question. I'm not entirely sure which things happens at the moment as the lines between Vault Proxy and Vault Agent API Proxy seem somewhat blurred a bit. To double check, the sidecars that the Agent Injector creates, is this using any now deprecated capability? Or is it already using Vault Proxy?

@tomhjp
Copy link
Contributor

tomhjp commented Jul 27, 2023

Vault Proxy (new in 1.14.0) and Vault Agent API Proxy (deprecated but unchanged as of 1.14.0) are currently the same thing. The former is the new home for that functionality and may diverge from the latter in future releases, and the latter is staying in place for a while for backwards compatibility (although I'm not sure on timelines, so I can't comment on what "a while" translates to).

It's possible to use the Agent Injector to create an Agent sidecar running the Agent API Proxy, but injector mostly focuses on the templating use case.

What kind of pattern would you like to use the Vault Proxy for? Would love to hear more about your requirements, and I've also forwarded this issue onto the team that owns Vault Proxy.

@ChrisJBurns
Copy link
Author

@tomhjp Ahh if they're the same thing at the moment, then the current Helm Chart should be fine until there's a divergence in the underlying functionality within Vault for the API Proxy and the new Vault Proxy.

For my use case we are running the Vault Agent sidecar (with the Init container also) for two use cases:

    • To act as a proxy for our Java applications that use the Spring Cloud Vault library with Agent authentication. The secrets are sourced at start time and all proxying and authn/z is done via the agent sidecar (which is incredibly handy).
    • We use the Agent and the Init Container to inject secrets (based on annotations via the templating) into the main application container. This is for applications that do not have a Vault library that we can utilise like in use case 1.

For us, we were just double checking whether there was any change in the Helm Chart that we needed to make in order to accommodate the change from 1.13.2 to 1.14.0, but as you've said, it should be the same for now and we should keep an eye out for future minor releases to ensure we're aware of when the divergence is.

I guess the only thing to note for the Vault Helm Chart is just to ensure that this Chart understands when the divergence happens, and to ensure that we can set the correct values to ensure things continue working.

@tomhjp
Copy link
Contributor

tomhjp commented Jul 31, 2023

Thanks for the information! That's super helpful context. We'll definitely keep this kind of use-case in mind as we make changes. The Vault Proxy roadmap is still forming, and as we get a clearer view of how that shapes up down the road we'll get a better idea of how vault-helm and friends should leverage it.

We're very cognisant of the impact breaking changes have, so if we do plan any we'll endeavour to share them ahead of time as well as making them nice and clear in the changes section of the Vault and vault-helm changelogs. But I'm hoping we'll be able to maintain compatibility from a vault-helm perspective if we ever do need to switch its usage between the two.

@tomhjp
Copy link
Contributor

tomhjp commented Jul 31, 2023

I think that means there's nothing to implement (yet) for this feature? I'll close it for now, but feel free to re-open if I've missed something, and thanks again for sharing your usage - it's super helpful input for our roadmap.

@tomhjp tomhjp closed this as completed Jul 31, 2023
@ChrisJBurns
Copy link
Author

Yep sounds great, thanks @tomhjp ! I think this issue will provide some context for those who are also worried about the deprecation which is good!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants