[Draft]: CSPL-2600: Integrate HashiCorp Vault Support in Splunk Operator #1388
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This PR introduces the integration of HashiCorp Vault into the Splunk Operator, providing enhanced security and flexibility in managing secrets. Users can now choose between Kubernetes Secrets or HashiCorp Vault for storing and injecting Splunk secrets. Key changes and features include:
Key Features:
Vault Integration in Custom Resource:
VaultIntegration
struct in the Splunk CRD, allowing users to enable Vault integration and specify the Vault role and secret path.enabled
,role
, andsecretPath
to configure Vault usage.Vault Injection Annotations for StatefulSets:
InjectVaultSecret
function to add Vault Agent injector annotations to StatefulSets managed by the Splunk Operator./mnt/splunk-secrets
, consistent with the current Kubernetes Secrets path.Vault Client Integration:
getVaultSecretVersion
) to retrieve the current version of secrets from Vault, ensuring updated secrets are injected.Support for Both Kubernetes Secrets and Vault:
Predefined Vault Keys:
hec_token
,idxc_secret
,pass4SymmKey
,password
, andshc_secret
.How to Test the Changes:
Install and Configure Vault on Kubernetes:
splunk-service-account
).Deploy Splunk Custom Resource:
Test Secret Rotation:
Switch Between Kubernetes Secrets and Vault:
Summary:
This PR significantly enhances the security of Splunk deployments by integrating HashiCorp Vault into the Splunk Operator, allowing users to seamlessly manage secrets using Vault or Kubernetes Secrets. This flexibility provides improved compliance, security, and operational ease.
Verification:
Documentation:
Testing:
Let me know if there are any questions or if further changes are needed!