Ability to read DB secrets from Vault

[pasupulaphani]

Problem:

At the moment, the database URL/password has to be passed through flags or env variables. This is a limiting factor to the architectures that depend on Vault storing the DB creds, Vault rotating the DB creds periodically.

Are there any plans to provide Vault support?

[jon-whit]

@pasupulaphani what kind of environment are you deploying your workloads into (e.g. Kubernetes, Bare EC2, ECS Fargate, Google App engine, etc..)? Let's start there and we can work through the integration experience and use case(s).

We're not opposed to introducing proprietary integrations for widely used patterns/integrations, but we've purposefully avoided custom vendor/cloud integrations because it can be a sink hole (if you support one it can be a slippery slope with supporting others etc..).

Most of the container platforms, including those I enumerated above, have a way to run a sidecar or inject an env variable or volume of some form into a container, and so that usually caters to being able to provide the credentials via flags or env variables etc.. However, I understand not all scenarios are covered with the features included in the various container platforms, and some of those experiences may not be ideal.

Here are some examples of Vault integrations for various container platforms:

• https://developer.hashicorp.com/vault/tutorials/vault-agent/agent-aws-ecs (Vault ECS agent)
• https://developer.hashicorp.com/vault/docs/platform/k8s/injector-csi (Vault Kubernetes agent)
• https://developer.hashicorp.com/vault/docs/platform/k8s/vso (Vault Kubernetes secrets operator)
• etc..