Annotations

Follow the steps documented below to use annotations to dynamically retrieve secrets from AWS Secrets Manager. Workloads based on Kubernetes YAML can use the supported annotations to retrieve secrets from Secrets Manager into the pod's environment variables.


YAML Example

Here is an example YAML for a deployment whose containers pull secrets from AWS Secrets Manager.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
  annotations:
    rafay.dev/secretstore: csi-aws
    csi-aws.secretstore.rafay.dev/serviceAccountName: sa-test
    csi-aws.secretstore.rafay.dev/role-arn: arn:aws:iam::123456789012:role/test-csi
    csi-aws.secretstore.rafay.dev/config-1: |
         {
                 "secretproviderclass-name": "test",
                 "mount-path": "/mnt/secrets-store",
                 "project-name": "defaultproject"
         }
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: sa-test
      containers:
      - name: nginx-deployment
        image: nginx
        ports:
        - containerPort: 80
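
Because the `config-N` annotation carries JSON inside a YAML string, a syntax slip there passes YAML validation unnoticed. The following pre-deploy lint is an added example, not Rafay's code: it checks the annotations used in the manifest above, and it assumes (not confirmed by this page) that the three config keys shown are required and that the annotated service account must match the pod spec's.

```python
import json
import re

PREFIX = "csi-aws.secretstore.rafay.dev/"
# Keys seen in the page's config-1 example; treating all three as required is an assumption.
EXPECTED_KEYS = {"secretproviderclass-name", "mount-path", "project-name"}
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def lint_annotations(annotations, pod_service_account):
    """Return a list of problems in a workload's secret-store annotations."""
    problems = []
    if annotations.get("rafay.dev/secretstore") != "csi-aws":
        problems.append("rafay.dev/secretstore is not 'csi-aws'")
    sa = annotations.get(PREFIX + "serviceAccountName")
    if sa != pod_service_account:  # assumption: both must name the same account
        problems.append(f"serviceAccountName annotation {sa!r} != pod spec {pod_service_account!r}")
    arn = annotations.get(PREFIX + "role-arn", "")
    if not ROLE_ARN.match(arn):
        problems.append(f"role-arn {arn!r} is not an IAM role ARN")
    configs = {k: v for k, v in annotations.items() if k.startswith(PREFIX + "config-")}
    if not configs:
        problems.append("no config-N annotation found")
    for key, raw in sorted(configs.items()):
        try:
            cfg = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append(f"{key}: invalid JSON (line {exc.lineno}): {exc.msg}")
            continue
        missing = EXPECTED_KEYS - set(cfg) if isinstance(cfg, dict) else EXPECTED_KEYS
        if missing:
            problems.append(f"{key}: missing keys {sorted(missing)}")
    return problems


# Constructed sample input mirroring the manifest's annotation names and values.
GOOD = {
    "rafay.dev/secretstore": "csi-aws",
    PREFIX + "serviceAccountName": "sa-test",
    PREFIX + "role-arn": "arn:aws:iam::123456789012:role/test-csi",
    PREFIX + "config-1": '{"secretproviderclass-name": "test",\n'
                         ' "mount-path": "/mnt/secrets-store",\n'
                         ' "project-name": "defaultproject"}',
}
# Same annotations with the comma after the mount-path entry dropped.
BAD = {**GOOD, PREFIX + "config-1": GOOD[PREFIX + "config-1"].replace('store",', 'store"')}

if __name__ == "__main__":
    print(lint_annotations(GOOD, "sa-test"))
    print(lint_annotations(BAD, "other-sa"))
```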