- Feature Request
- Resolution: Unresolved
- Product / Portfolio Work
Our customer is exploring how Quay can be enhanced to support integration with the Kubernetes Secrets Store CSI Driver, specifically so that Quay can consume secrets from external secret management solutions such as HashiCorp Vault.
Currently, the Quay Operator auto-generates and manages portions of the Quay configuration, which are stored in a Kubernetes Secret. This Operator-managed Secret is injected into the Quay pod, and any manual override or external mutation (e.g., a secret mounted into the pod via CSI) is reverted by the Operator so that the running configuration stays consistent with its internally managed state.
This tight coupling between the Quay configuration and the Operator is an obstacle to integrating external secret sources. Even if Vault secrets are mounted into the pod via CSI, the Operator's reconciliation loop will overwrite or ignore them, so direct integration is not sustainable without significant changes.
Proposed Enhancement:
We propose that the Quay Operator be refactored to decouple sensitive from non-sensitive configuration data, allowing more flexible secret management. This would make it possible to incorporate support for SSCSI (Sidecar Secrets CSI) or similar dynamic secret-mounting mechanisms, enabling runtime injection from HashiCorp Vault and others like it.
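For reference, the kind of CSI mount the request is talking about looks like the following. This is an added example, not part of the feature request and not the Quay Operator's own configuration; it assumes the Secrets Store CSI Driver and the HashiCorp Vault CSI provider are installed, that Vault's Kubernetes auth method has a role named `quay` bound to the `quay-app` service account, and that the database password is stored at the Vault KV v2 path `secret/data/quay/db`. All resource names, the namespace, the Vault address and the secret path are assumptions chosen for illustration.

```yaml
# Added example (not from the feature request or the Quay project): a Secrets Store
# CSI Driver mount backed by the HashiCorp Vault provider.
# Assumptions: driver + Vault CSI provider installed; Vault Kubernetes auth role
# "quay" bound to service account "quay-app"; KV v2 secret at secret/data/quay/db.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: quay-vault-secrets          # assumed name
  namespace: quay-enterprise        # assumed namespace
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"   # placeholder address
    roleName: "quay"                                       # assumed Vault k8s-auth role
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/quay/db"                  # assumed KV v2 path
        secretKey: "password"
  # Optional: mirror the mounted file into a Kubernetes Secret so a workload can
  # read it as an environment variable. The driver creates this Secret only while
  # a pod has the volume mounted and removes it when the last such pod goes away.
  secretObjects:
    - secretName: quay-db-credentials                      # assumed name
      type: Opaque
      data:
        - objectName: "db-password"
          key: DB_PASSWORD
---
# Pod fragment showing the CSI volume. In the scenario described above this mount
# is exactly what the Operator's reconciliation does not take into account.
apiVersion: v1
kind: Pod
metadata:
  name: quay-app-example            # assumed name
  namespace: quay-enterprise
spec:
  serviceAccountName: quay-app      # assumed; the Vault role must bind this SA
  containers:
    - name: quay
      image: quay.io/projectquay/quay:latest   # example image reference
      volumeMounts:
        - name: vault-secrets
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: vault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: quay-vault-secrets
```

With this in place the password is available to the container as the file `/mnt/secrets-store/db-password` (and, via `secretObjects`, as the `DB_PASSWORD` key of the `quay-db-credentials` Secret), sourced from Vault at pod start rather than from a value persisted in the Operator-managed configuration Secret. That is the behaviour the enhancement asks Quay to honour: today the Operator keeps the whole configuration, secrets included, in the Secret it manages, so a mount like this cannot replace the sensitive portion of that configuration until the sensitive and non-sensitive parts are separated.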