If we are creating a separate service account for RGW, I would first make a PR to do that separately from this.

@leseb do you know if this is going to double the resource requests limits of the RGW pod?

Can we do this as an init container instead of a sidecar to reduce resource usage?

@BlaineEXE : Here RGW needs to send the request to vault-agent for fetching the key instead of vault-server so this need to up and running. Can we set a limit on the resources for sidecar containers??

You are already setting resources for the sidecar here: https://github.com/rook/rook/pull/9872/files/5f71a8171c0048e777ebe60d24348cb7bbeb8d36#r827487726

But I am almost certain the vault agent doesn't need to have the same resource reservation as the RGW.

Sure I will change that into minimal

Instead of hard-coding vault support into Rook, can we start suggesting that users use the vault agent injector? https://www.vaultproject.io/docs/platform/k8s/injector and possibly supplying lighter-weight options for RGW pods to get the secret from some location that is determined by the injector?

I think it is pretty cumbersome for us to always be trying to play catch-up to support this or that key management service when I think there must be a better way by now.

@leseb ?

If I understand correctly, the Vault agent injector directly injects secrets(keys stored) from the vault server to the application pod, which is not required by RGW. RGW sends curl requests to fetch secrets from the vault and the s3 client currently send the request with key name, both do not need to mount the encryption key value mounted as a file in the pod.
RGW uses vault agent as authentication mechanism with vault server so that it gets different flavours of authentication(initially it only support token-based in which token is hardcoded into the file and that path provided in RGW config)

Can RGW not be given commandline options to read secrets from a local file?
Does RGW specifically support vault, or does the secret fetching code apply to any key value store?

My concern is that there are many different key value stores other than vault, and I don't think Rook should be in the business of hard-coding sidecars for myriad different KMSes if we can implement a more robust solution that will work more broadly.

We unfortunately already have this trend implemented for OSDs, and we are seeing requests to add support for more and more KMS integrations. I don't think this is a catch-up game we should really be playing.

This PR (and this specific commit) are one example of the effort needed today. It also showcases that there may be a method we can use for the implementation that is broadly applicable rather than KMS-specific. #9325 (comment)

Can RGW not be given commandline options to read secrets from a local file?
With current code, it is not possible it HTTP request using libcurl to fetch token from the vault server

Does RGW specifically support vault, or does the secret fetching code apply to any key value store?

For KMS RGW supports vault(supported in downstream as well commonly used I guess), KIMP and barbarian(not tested I guess)

My concern is that there are many different key value stores other than vault, and I don't think Rook should be in the business of hard-coding sidecars for myriad different KMSes if we can implement a more robust solution that will work more broadly.

Currently, I guess sidecar is required for vault, for other implementations RGW is taking directly with KMS server

We unfortunately already have this trend implemented for OSDs, and we are seeing requests to add support for more and more KMS integrations. I don't think this is a catch-up game we should really be playing.

Even I am not sure whether we can have generic solution since each KMS server has their own configuration

This PR (and this specific commit) are one example of the effort needed today. It also showcases that there may be a method we can use for the implementation that is broadly applicable rather than KMS-specific. #9325 (comment)

Currently, I guess sidecar is required for vault, for other implementations RGW is taking directly with KMS server

Can the RGW be configured to communicate with the vault server directly instead of requiring the sidecar? Or is the vault agent also a requirement in non-containerized Ceph installs?

From reading the Ceph docs, it seems like RGW can contact the vault server directly, so I'm curious why we need the agent in Rook if RGW can just connect directly.
https://docs.ceph.com/en/latest/radosgw/vault/#token-authentication

Currently, I guess sidecar is required for vault, for other implementations RGW is taking directly with KMS server

Can the RGW be configured to communicate with the vault server directly instead of requiring the sidecar? Or is the vault agent also a requirement in non-containerized Ceph installs?
@BlaineEXE : Yes and this is already implemented for the Rook as well. Vault is agent is recommended and from RHCS 5.x only vault agent is supported AFAIR

From reading the Ceph docs, it seems like RGW can contact the vault server directly, so I'm curious why we need the agent in Rook if RGW can just connect directly. https://docs.ceph.com/en/latest/radosgw/vault/#token-authentication

Vault agent is used for service account-based authentication which is already supported in OSD and ceph-csi etc.

If the connection details are updated in the object store CR, shouldn't this configmap be updated?

Most likely the RGW pod needs to restart if we update connection details. Otherwise, the sidecar pod does not have the latest details. Apart from config map a lot of environment variables are set for the side car pod based on the connection details

Makes sense to restart the rgw pod if the connection details are updated. But we still need to update the configmap here, right? Or do we also need to trigger an rgw pod restart?

Thanks now I got it, during I need to update the configmap as well, currently only creating the cm. Will update in the next version