Using Azure Key Vault or Hashicorp Vault to store Apigee Hybrid secrets

We are currently using Terraform for deploying Apigee Hybrid on an AKS cluster. We create the service account keys as per the documentation: https://cloud.google.com/apigee/docs/hybrid/v1.4/2-5-install-service-accounts and store the certs and keys in Azure Key Vault. They are retrieved at build time and are passed to the overrides.yaml file. This approach requires us to run the build pipeline to update the certs or keys. We want to use the Azure Key Vault provider for the Secrets Store CSI driver to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods. Can Apigee Hybrid be configured to read secrets from the vault at runtime?

Anyone who has access to the cluster can view the secrets. Is there a config change we can make to make it more secure?


Former Community Member

Apigee hybrid does not support the Kubernetes Secrets Store CSI driver at the moment. Consider using a controller like External Secrets to provision Kubernetes Secrets from Azure Key Vault or HashiCorp Vault.

Please use Kubernetes RBAC to ensure users do not have access to view Secrets.
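The two suggestions in the reply, expressed as manifests. This is an added example and not code from the original thread, from Apigee, or from the External Secrets project; it assumes External Secrets Operator is installed in the cluster, that the cluster has Azure Workload Identity enabled, and that the names used here (the `apigee` namespace, the vault URL `example-kv.vault.azure.net`, the Key Vault secret `apigee-synchronizer-sa-key`, and the ServiceAccounts `eso-workload-identity` and `apigee-synchronizer`) are placeholders you would replace with your own.

```yaml
# Added example (not from the original post, Apigee, or External Secrets).
# All names, the namespace, the vault URL and the Key Vault secret name are
# assumptions.

# 1. SecretStore: how External Secrets Operator reaches Azure Key Vault.
#    WorkloadIdentity auth means no service-principal secret is stored in the
#    cluster; the referenced Kubernetes ServiceAccount is assumed to be
#    federated with an Azure identity that can read secrets from the vault.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-kv                 # assumed name
  namespace: apigee              # assumed namespace
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://example-kv.vault.azure.net"   # assumed vault
      serviceAccountRef:
        name: eso-workload-identity                    # assumed SA
---
# 2. ExternalSecret: pulls the Apigee service account key out of Key Vault
#    and materializes it as a Kubernetes Secret. A key rotated in Key Vault is
#    picked up on the next refreshInterval, with no build pipeline run.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: apigee-synchronizer-sa
  namespace: apigee
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: azure-kv
    kind: SecretStore
  target:
    name: apigee-synchronizer-sa        # Kubernetes Secret to create
    creationPolicy: Owner
  data:
    - secretKey: client_secret.json     # key inside the Kubernetes Secret
      remoteRef:
        key: apigee-synchronizer-sa-key # assumed Key Vault secret name
---
# 3. RBAC. The weak shape is a ClusterRole that grants get/list on "secrets"
#    to every cluster user. The tightened shape below grants "get" on exactly
#    one Secret to the one workload ServiceAccount that needs it ("list" is
#    deliberately omitted, since resourceNames cannot restrict a list).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apigee-secret-reader
  namespace: apigee
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["apigee-synchronizer-sa"]   # only this Secret
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apigee-secret-reader
  namespace: apigee
subjects:
  - kind: ServiceAccount
    name: apigee-synchronizer          # assumed workload SA
    namespace: apigee
roleRef:
  kind: Role
  name: apigee-secret-reader
  apiGroup: rbac.authorization.k8s.io
---
# Human operators get read access to the ExternalSecret objects (which carry
# only references, no secret material) and nothing on Secrets themselves.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apigee-externalsecret-viewer
  namespace: apigee
rules:
  - apiGroups: ["external-secrets.io"]
    resources: ["externalsecrets"]
    verbs: ["get", "list", "watch"]
```

Check the result from a human user's identity with `kubectl auth can-i get secrets -n apigee --as=<user>`, which should answer `no` once no binding grants it. Two caveats: a Kubernetes Secret is only base64-encoded in etcd, so RBAC limits API access but not access by anyone who can read the nodes or etcd (enable encryption at rest for that), and an ExternalSecret still produces an ordinary Secret, so the pod consumes it the same way it did when the pipeline wrote it.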