-
Notifications
You must be signed in to change notification settings - Fork 880
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Support Configuration of Vault Proxy #929
Comments
To clarify, is this a request for improved support using the proxy within the sidecars that Agent injector creates (i.e. one proxy per pod), or for deploying the proxy as a separate deployment (i.e. one proxy per cluster)? It sounds like the latter? |
Hi @tomhjp, good question. I'm not entirely sure which things happens at the moment as the lines between Vault Proxy and Vault Agent API Proxy seem somewhat blurred a bit. To double check, the sidecars that the Agent Injector creates, is this using any now deprecated capability? Or is it already using Vault Proxy? |
Vault Proxy (new in 1.14.0) and Vault Agent API Proxy (deprecated but unchanged as of 1.14.0) are currently the same thing. The former is the new home for that functionality and may diverge from the latter in future releases, and the latter is staying in place for a while for backwards compatibility (although I'm not sure on timelines, so I can't comment on what "a while" translates to). It's possible to use the Agent Injector to create an Agent sidecar running the Agent API Proxy, but injector mostly focuses on the templating use case. What kind of pattern would you like to use the Vault Proxy for? Would love to hear more about your requirements, and I've also forwarded this issue onto the team that owns Vault Proxy. |
@tomhjp Ahh if they're the same thing at the moment, then the current Helm Chart should be fine until there's a divergence in the underlying functionality within Vault for the API Proxy and the new Vault Proxy. For my use case we are running the Vault Agent sidecar (with the Init container also) for two use cases:
For us, we were just double checking whether there was any change in the Helm Chart that we needed to make in order to accommodate the change from I guess the only thing to note for the Vault Helm Chart is just to ensure that this Chart understands when the divergence happens, and to ensure that we can set the correct values to ensure things continue working. |
Thanks for the information! That's super helpful context. We'll definitely keep this kind of use-case in mind as we make changes. The Vault Proxy roadmap is still forming, and as we get a clearer view of how that shapes up down the road we'll get a better idea of how vault-helm and friends should leverage it. We're very cognisant of the impact breaking changes have, so if we do plan any we'll endeavour to share them ahead of time as well as making them nice and clear in the changes section of the Vault and vault-helm changelogs. But I'm hoping we'll be able to maintain compatibility from a vault-helm perspective if we ever do need to switch its usage between the two. |
I think that means there's nothing to implement (yet) for this feature? I'll close it for now, but feel free to re-open if I've missed something, and thanks again for sharing your usage - it's super helpful input for our roadmap. |
Yep sounds great, thanks @tomhjp ! I think this issue will provide some context for those who are also worried about the deprecation which is good! |
As release 1.14 has deprecated Vault Agent API proxy support we want to be able to configure the new Vault Proxy using the Helm Chart. Currently I cannot see any mentioned of proxy in the Values file leading me to believe it's currently not possible to configure yet.
The text was updated successfully, but these errors were encountered: