Query: Use of Secrets Store CSI driver provider

[mtcolman]

Hello,

Is it possible to use a Secrets Store CSI driver provider (for example for HashiCorp Vault) to inject the private key for signing, rather than storing it as a Kubernetes secret (as is stated here):

To get started signing things in Chains, you will need to generate a keypair and instruct Chains to sign with it via a Kubernetes secret. Chains expects a private key, and password if the key is encrypted, to exist in a Kubernetes secret signing-secrets in the tekton-chains namespace.

I'm keen to avoid storing any secrets we don't have to as Kubernetes Secrets and so we would like to use Vault + injection into pods where possible.

Thanks!

Matt

[lcarva]

Related to #604 ?

[mtcolman]

@lcarva from what I can decipher on #604, I believe this is different.

[wlynch]

I don't think we support this today, though it wouldn't be too hard to add (we'd just need to add support for reading a key from a file). Main reason we haven't done this is that configuration would require modifying the deployment spec directly + redeployment of the controller, we we suspect most users don't want to do.

For vault in particular, you may want to look into https://github.com/tektoncd/chains/blob/main/docs/signing.md#kms

[mtcolman]

Thanks for your response. Are you please aware of any tutorials or step-by-step guides for using Hashicorp Vault with tekton-chains - I can't see any instructions in the documentation?

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[cooktheryan]

@mtcolman did you have any luck with the configuration

[mtcolman]

@cooktheryan I didn't get round to trying it - I can't find any guidance on how to configure it.

[cooktheryan]

@mtcolman ill keep trying to hack on it. I also opened a documentation RFE

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.