Commit e58e544
feat: decrypt secrets at deploy time and create K8s Secrets directly (#5233)
* feat: decrypt secrets at deploy time and create K8s Secrets directly
Replace the Preflight webhook + Inject binary secret injection pipeline
with direct K8s Secret creation at deploy time. Krane now:
- Decrypts encrypted env vars via Vault during ApplyDeployment
- Creates a K8s Secret per deployment with plaintext env vars
- Mounts secrets via envFrom.secretRef (resolved by kubelet)
- Creates per-deployment RBAC (ServiceAccount + Role + RoleBinding)
- Creates a dockerconfigjson pull secret per namespace for Depot auth
- Sets AutomountServiceAccountToken: false on all customer pods
- Drops the Command field (image ENTRYPOINT/CMD runs natively)
- Removes the Inject label (webhook no longer needed)
- Cleans up Secret/SA/Role/RoleBinding on deployment deletion
The legacy SecretsService RPC is kept temporarily for backwards compat.
* cleanup: remove preflight, inject, and secrets provider (#5235)
Delete the entire preflight mutating webhook service, the inject binary
(PID 1 sidecar), and the secrets provider package. These are replaced by
Krane's deploy-time secret decryption and direct K8s Secret creation.
Removed:
- svc/preflight/ (webhook, mutator, registry credentials, cleanup loop)
- cmd/preflight/ (CLI command)
- cmd/inject/ (sidecar binary + Dockerfile)
- pkg/secrets/provider/ (KraneVaultProvider, only used by inject)
- dev/ local setup (Tiltfile, manifests, Dockerfile.inject)
- .github/workflows/release_inject.yaml
- docs/engineering/architecture/services/preflight/
Updated:
- dev/k8s/manifests/rbac.yaml (new RBAC for secrets/SA/roles)
- dev/k8s/manifests/cilium-policies.yaml (removed customer→krane policy)
- dev/k8s/manifests/vector-logs.yaml (updated comment)
- .goreleaser.yaml (removed inject tag ignore)
* cleanup
* fix rabbit comments
* fix rabbit comments
* fix rabbit comments
---------
Co-authored-by: Andreas Thomas <dev@chronark.com>

1 parent 739b9c9, commit e58e544
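As an added illustration of the design the commit message describes (example code written here, not Krane's own implementation), the Go below uses only the standard library to build the objects the message names: an Opaque Secret holding already-decrypted env vars, a `kubernetes.io/dockerconfigjson` pull secret, and a pod spec that consumes the Secret via `envFrom.secretRef`, sets `automountServiceAccountToken: false` and carries no `command`. The `<deployment>-env` and `registry-pull` names, the `app` container name, the placeholder registry credentials and the assumption that Vault decryption has already produced the plaintext map are all this example's own choices. It goes one step beyond the commit by adding `LintPodSpec`, which checks any pod spec JSON (for instance from `kubectl get pod -o json`) against those invariants, so a reviewer can verify the rollout rather than trust it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Manifest is a loosely typed Kubernetes object, enough for kubectl apply -f.
type Manifest map[string]any

// BuildEnvSecret packs already-decrypted env vars into an Opaque Secret named
// after the deployment (naming is this example's assumption). Values are
// base64-encoded as the Secret API requires; Vault decryption is assumed done.
func BuildEnvSecret(ns, deploy string, env map[string]string) Manifest {
	data := map[string]string{}
	for k, v := range env {
		data[k] = base64.StdEncoding.EncodeToString([]byte(v))
	}
	return Manifest{
		"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
		"metadata": map[string]any{"name": deploy + "-env", "namespace": ns},
		"data":     data,
	}
}

// BuildPullSecret builds a kubernetes.io/dockerconfigjson Secret for one
// registry; user and pass are placeholders supplied by the caller.
func BuildPullSecret(ns, registry, user, pass string) Manifest {
	cfg := map[string]any{"auths": map[string]any{registry: map[string]string{
		"username": user, "password": pass,
		"auth": base64.StdEncoding.EncodeToString([]byte(user + ":" + pass)),
	}}}
	raw, _ := json.Marshal(cfg)
	return Manifest{
		"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
		"metadata": map[string]any{"name": "registry-pull", "namespace": ns},
		"data":     map[string]string{".dockerconfigjson": base64.StdEncoding.EncodeToString(raw)},
	}
}

// BuildPodSpec mounts the env Secret via envFrom.secretRef (resolved by the
// kubelet, no sidecar), disables the SA token mount, references the pull
// secret, and sets no command so the image ENTRYPOINT/CMD runs natively.
func BuildPodSpec(deploy, image string) Manifest {
	return Manifest{
		"serviceAccountName":           deploy,
		"automountServiceAccountToken": false,
		"imagePullSecrets":             []map[string]string{{"name": "registry-pull"}},
		"containers": []map[string]any{{
			"name":    "app",
			"image":   image,
			"envFrom": []map[string]any{{"secretRef": map[string]string{"name": deploy + "-env"}}},
		}},
	}
}

// LintPodSpec checks a pod spec JSON for the invariants above; empty means clean.
func LintPodSpec(raw []byte, deploy string) []string {
	var pod map[string]any
	if err := json.Unmarshal(raw, &pod); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var findings []string
	if v, ok := pod["automountServiceAccountToken"].(bool); !ok || v {
		findings = append(findings, "automountServiceAccountToken must be false")
	}
	if pulls, _ := pod["imagePullSecrets"].([]any); len(pulls) == 0 {
		findings = append(findings, "imagePullSecrets missing")
	}
	containers, _ := pod["containers"].([]any)
	for _, c := range containers {
		cm, _ := c.(map[string]any)
		name, _ := cm["name"].(string)
		if _, has := cm["command"]; has {
			findings = append(findings, name+": command overrides the image ENTRYPOINT")
		}
		if env, _ := cm["env"].([]any); len(env) > 0 {
			findings = append(findings, name+": inline env values; use envFrom.secretRef")
		}
		refOK := false
		envFrom, _ := cm["envFrom"].([]any)
		for _, e := range envFrom {
			em, _ := e.(map[string]any)
			ref, _ := em["secretRef"].(map[string]any)
			if ref["name"] == deploy+"-env" {
				refOK = true
			}
		}
		if !refOK {
			findings = append(findings, name+": envFrom.secretRef "+deploy+"-env missing")
		}
	}
	return findings
}

func main() {
	raw, _ := json.Marshal(BuildPodSpec("api", "registry.example/app:1"))
	fmt.Println(string(raw), LintPodSpec(raw, "api"))
}
```

The lint deliberately treats a missing `automountServiceAccountToken` as a finding, because the field defaults to true when absent; the same "absent means unsafe" reading applies to `imagePullSecrets`, which is why both are checked for presence rather than only for value.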
File tree
70 files changed, +443 -3617 lines changed
- .github/workflows
- cmd
- inject
- preflight
- run
- dev
- k8s/manifests
- docs/engineering/architecture/services/preflight
- gen
- proto/krane/v1
- kranev1connect
- rpc/krane
- pkg/secrets/provider
- svc
- krane
- internal/deployment
- pkg/labels
- proto
- krane/v1
- secrets
- token
- preflight
- internal/services
- cleanup
- mutator
- registry
- credentials
- routes/mutate