feat: decrypt secrets at deploy time and create K8s Secrets directly by Flo4604 · Pull Request #5233 · unkeyed/unkey

Replace the Preflight webhook + Inject binary secret injection pipeline
with direct K8s Secret creation at deploy time. Krane now:

- Decrypts encrypted env vars via Vault during ApplyDeployment
- Creates a K8s Secret per deployment with plaintext env vars
- Mounts secrets via envFrom.secretRef (resolved by kubelet)
- Creates per-deployment RBAC (ServiceAccount + Role + RoleBinding)
- Creates a dockerconfigjson pull secret per namespace for Depot auth
- Sets AutomountServiceAccountToken: false on all customer pods
- Drops the Command field (image ENTRYPOINT/CMD runs natively)
- Removes the Inject label (webhook no longer needed)
- Cleans up Secret/SA/Role/RoleBinding on deployment deletion

The legacy SecretsService RPC is kept temporarily for backwards compat.

Delete the entire preflight mutating webhook service, the inject binary
(PID 1 sidecar), and the secrets provider package. These are replaced by
Krane's deploy-time secret decryption and direct K8s Secret creation.

Removed:
- svc/preflight/ (webhook, mutator, registry credentials, cleanup loop)
- cmd/preflight/ (CLI command)
- cmd/inject/ (sidecar binary + Dockerfile)
- pkg/secrets/provider/ (KraneVaultProvider, only used by inject)
- dev/ local setup (Tiltfile, manifests, Dockerfile.inject)
- .github/workflows/release_inject.yaml
- docs/engineering/architecture/services/preflight/

Updated:
- dev/k8s/manifests/rbac.yaml (new RBAC for secrets/SA/roles)
- dev/k8s/manifests/cilium-policies.yaml (removed customer→krane policy)
- dev/k8s/manifests/vector-logs.yaml (updated comment)
- .goreleaser.yaml (removed inject tag ignore)
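The objects the description says Krane now creates per deployment, written out as illustrative manifests. This is an added example, not code from the PR or from unkey; the namespace, object names, env var, and registry host are assumptions, and the secret contents are placeholders.

```yaml
# Illustrative manifests (not from the PR). Names, namespace, env var and
# registry host are assumed; secret values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: deploy-abc123-env        # one Secret per deployment (assumed naming)
  namespace: customer-ws-1       # assumed customer namespace
type: Opaque
stringData:
  DATABASE_URL: "<plaintext decrypted via Vault during ApplyDeployment>"
---
apiVersion: v1
kind: Secret
metadata:
  name: depot-pull-secret        # one per namespace, for Depot registry auth
  namespace: customer-ws-1
type: kubernetes.io/dockerconfigjson
data:
  # base64 of {"auths":{"<REGISTRY_HOST>":{"auth":"<base64 user:token>"}}}
  .dockerconfigjson: "<BASE64_DOCKERCONFIGJSON_PLACEHOLDER>"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-abc123            # per-deployment SA (Role/RoleBinding omitted)
  namespace: customer-ws-1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-abc123
  namespace: customer-ws-1
spec:
  replicas: 1
  selector:
    matchLabels: {app: deploy-abc123}
  template:
    metadata:
      labels: {app: deploy-abc123}   # no inject label: the webhook is gone
    spec:
      serviceAccountName: deploy-abc123
      automountServiceAccountToken: false   # customer pod gets no API token
      imagePullSecrets:
        - name: depot-pull-secret
      containers:
        - name: app
          image: "<REGISTRY_HOST>/customer/app:abc123"   # placeholder
          # no `command:` field, so the image ENTRYPOINT/CMD runs natively
          envFrom:
            - secretRef:
                name: deploy-abc123-env   # resolved by kubelet, no sidecar
```

Because kubelet resolves the secretRef, the customer pod never talks to Krane or Vault, which is why the customer→krane Cilium policy could be dropped.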

Flo4604 marked this pull request as ready for review on March 9, 2026 12:53.


Flo4604 deleted the feat/krane-direct-secrets branch on March 9, 2026 16:56.