How to use Hashicorp Vault with NodeJS application?
Problem
I have Node JS app inside pods, which needs to read vault secrets.
So far I found 2 methods for doing that
- Using an init container to mount the secrets as .txt files and read/parse them in my app
- Using node-vault to connect to the Vault server directly and read the secrets, which requires an initial token
For (1) I found this article, where the author considers it insecure and complex.
Secrets mounted as volumes are unwieldy—secrets can be stored as
environment variables or mounted as a volume. The former technique is
widely agreed to be less secure. If you opt for volumes, things
quickly get complex when you have a large number of keys. Kubernetes
creates one file per key, and you need to read all these files from
within the application. There are workarounds, but they can be equally
complex.
For (2) I am not sure how to automatically unseal and obtain initial tokens without using Amazon secrets or other services. Of course I can't hard-code the initial token or role_id/secret_id. What is the typical way of obtaining and passing the initial token to the pods?
Solution
As the Linux philosophy says:
Make each program do one thing well
So it's worth it to use the Vault Agent, because it does well what it is meant to do.
You can find an awesome example here
Context
StackExchange DevOps Q#13445, answer score: 1