Skip to content

Rafay Docs

Home
Home
- Overview
- Key Concepts
- Architecture
- Common Use Cases
- CLI
  CLI
  - Overview
  - AddOns
  - Agents
  - Backup and Restore
  - Blueprints
  - Catalog
  - Clusters
  - Config
  - Credentials
  - Namespaces
  - Org Settings
    Org Settings
    
    IdP/SSO
  - Overrides
  - Pipelines
  - Policy
  - Projects
  - Repository
  - RBAC
  - Secret Groups
  - Secret Stores
  - Trigger
  - Workloads
- APIs
- Self Hosted Controller
  Self Hosted Controller
  - Overview
  - Configurations
  - Environments
    Environments
    
    Bare Metal/VM
    Bare Metal/VM
    
    Requirements
    
    Installation
    
    AWS EC2
    AWS EC2
    
    Requirements
    
    Installation
    
    Azure AKS
    Azure AKS
    
    Requirements
    
    Installation
    
    Backup and Restore
    
    Google GKE
    Google GKE
    
    Requirements
    
    Installation
  - Upgrades
    Upgrades
    
    1.4.x to 1.5.x
    
    1.5.x to 1.6.x
- Release Notes
  Release Notes
  - 2022
  - 2021
  - 2020
  - 2019
- Bug Fixes
- Partners
  Partners
- Videos
- Contact
Get Started
Get Started
- Overview
- Kubernetes
  Kubernetes
  - Overview
  - Install MicroK8s
  - Kubernetes 101
    Kubernetes 101
    
    Part 1: Using Namespaces
    
    Part 2: Using Pods
    
    Part 3: Using Deployments
    
    Part 4: Using Services
    
    Part 5: Using Ingress
  - Kubernetes 201
    Kubernetes 201
    
    Part 1: Using ConfigMaps
    
    Part 2: Using Secrets
    
    Part 3: Using PV
    
    Part 4: Using PVC
  - Kubernetes 301
    Kubernetes 301
    
    Deployments, StatefulSets, DaemonSets
    
    Part 1: Using StatefulSets
    
    Part 2: Using DaemonSets
- Basics
  Basics
- Amazon EKS
  Amazon EKS
  - EKS Backup/Restore
    EKS Backup/Restore
    
    Overview
    
    Part 1: Setup Environment
    
    Part 2: Create Resources
    
    Part 3: Backup/Restore
  - Cluster Lifecycle
    Cluster Lifecycle
    
    Overview
    
    Part 1: Provision
    
    Part 2: Scale
    
    Part 3: Upgrade
    
    Part 4: Deprovision
  - CloudWatch
    CloudWatch
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Blueprint
    
    Part 4: Deprovision
  - Cluster Autoscaler
    Cluster Autoscaler
    
    Overview
    
    Part 1: Setup
    
    Part 2: Blueprint
    
    Part 3: Provision
    
    Part 4: Workload
    
    Part 5: Deprovision
  - EKS System Sync
    EKS System Sync
    
    Overview
    
    Part 1: Setup
    
    Part 2: Sync from Git
    
    Part 3: Sync from System
  - GPU
    GPU
    
    Overview
    
    Part 1: Setup
    
    Part 2: Blueprint
    
    Part 3: Provision
    
    Part 4: Workload
    
    Part 5: Scaling
    
    Part 6: Deprovision
  - Karpenter
    Karpenter
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Blueprint
    
    Part 4: Workload
    
    Part 5: Deprovision
  - Standard Operating Model
    Standard Operating Model
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Deprovision
- Amazon EKS Anywhere
  Amazon EKS Anywhere
  - Overview
  - Quick Start
- Azure AKS
  Azure AKS
  - Overview
  - Standard Operating Model
    Standard Operating Model
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Deprovision
- Upstream Kubernetes
  Upstream Kubernetes
  - Standard Operating Model
    Standard Operating Model
    
    Overview
    
    Part 1: Setup
    
    Part 2: Provision
    
    Part 3: Deprovision
- GitOps
  GitOps
  - Deployment Strategies
    Deployment Strategies
    
    Overview
    
    Setup
    
    Recreate
    
    Rolling Update
    
    Blue-Green
    
    Canary
  - System Sync
    System Sync
    
    Overview
    
    Part 1: Setup
    
    Part 2: Sync Blueprint
    
    Part 3: Sync Workload
  - EKS System Sync
    EKS System Sync
    
    Overview
    
    Part 1: Setup
    
    Part 2: Sync from Git
    
    Part 3: Sync from System
- Policy Management
  Policy Management
  - OPA Gatekeeper
    OPA Gatekeeper
    
    Overview
    
    Part 1: Setup
    
    Part 2: Policy
    
    Part 3: Blueprint
    
    Part 4: Workload
  - Turnkey OPA Policies
    Turnkey OPA Policies
    
    Overview
    
    Part 1: Setup
    
    Part 2: Apply
    
    Part 3: Test
- Zero Trust Kubectl
  Zero Trust Kubectl
- CNCF Recipes
Clusters
Clusters
- Overview
- Metadata
  Metadata
- Amazon EKS
  Amazon EKS
  - Overview
  - Templates
    Templates
    
    Create Cluster Template
    
    Create Cluster from Template
    
    CLI for Cluster Template
  - Credentials
  - IAM Policy
    IAM Policy
    
    Overview
    
    Full
    
    Customer-Managed VPC
    
    Customer-Managed VPC & IAM
    
    Customer-Managed VPC & IAM with Restrictions
  - Cluster Config
  - CLI
    CLI
    
    Overview
    
    GitOps
    GitOps
    
    Overview
    
    Examples
  - Config Schema
  - Provision
  - IAM Service Accounts
    IAM Service Accounts
    
    Overview
    
    CLI for IRSA
  - CNI Providers
  - Control Plane
  - VPC Networking
    VPC Networking
    
    Overview
    
    Secondary CIDR with VPC
  - Nodegroups
    Nodegroups
    
    Overview
    
    Custom AMI
  - Wavelength Zone
  - AWS Tags
  - Spot Instances
  - Node Labels
  - Visibility and Monitoring
  - RBAC based KubeCTL
  - Deprovision
  - k8s Upgrades
  - AMI Upgrades
  - Audit
  - API
  - Best Practices
  - FAQ
  - Troubleshooting
- Amazon EKS Anywhere
  Amazon EKS Anywhere
  - Overview
  - Quick Start
- Amazon EKS Distro
  Amazon EKS Distro
  - Overview
  - Quick Start
- Azure AKS
  Azure AKS
  - Overview
  - Azure Setup
  - Credentials
  - Provision
  - Node Labels
  - Spot Price
  - Visibility and Monitoring
  - Deprovision
  - K8s Upgrades
  - Audit
  - CLI
    CLI
    
    Overview
    
    GitOps
    GitOps
    
    Overview
    
    Examples
  - Config Schema
- Google GKE
  Google GKE
  - Overview
  - Lifecycle
- Imported
  Imported
- Red Hat Openshift
  Red Hat Openshift
  - Overview
  - Import
  - Blueprints
  - Dashboards
- Upstream Kubernetes
  Upstream Kubernetes
  - Approaches
  - Bare Metal and VMs
    Bare Metal and VMs
    
    Overview
    
    Supported Environments
    
    Configuration
    
    Preflight Checks
    
    Provisioning
  - CLI
  - Edge Simulator
  - QCOW Virtual Appliance
    QCOW Virtual Appliance
    
    Overview
    
    Provision
    
    Deprovision
    
    Lifecycle
    
    FAQ
  - OVA Virtual Appliance
    OVA Virtual Appliance
    
    Overview
    
    Provision
    
    Deprovision
    
    Lifecycle
    
    FAQ
  - AWS
    AWS
    
    Credentials
    
    IAM Policy
    
    Steps
  - Equinix Metal
    Equinix Metal
    
    Overview
    
    Provision Servers
    
    Provision Kubernetes
  - GCP
    GCP
    
    Credentials
    
    Steps
  - Developers
    Developers
    
    Overview
    
    Windows
    Windows
    
    Provision
    
    Deprovision
    
    FAQ
    
    macOS
    macOS
    
    Provision
    
    Deprovision
    
    FAQ
  - Master Nodes
  - Worker Nodes
  - Upgrades
  - Storage
  - Troubleshooting
  - Retry and Backoff
  - Reset Node
- VMWare
  VMWare
  - Overview
  - Gateway
  - Credentials
  - Provisioning
  - CLI
Dashboards
Dashboards
- Overview
- Organization
- Projects
  Projects
- Cluster
- My Clusters
- Nodes
- Kubernetes Resources
  Kubernetes Resources
  - View/Edit/Delete
  - Create
- Kubernetes Events
- Pod Dashboard
- Container Dashboard
- Configuration
- GPU Dashboard
Catalog
Catalog
Blueprints
Blueprints
- Overview
- Namespaces
  Namespaces
  - Overview
- Add-Ons
- Managed Add-Ons
- Base Blueprints
  Base Blueprints
- Pod Security Policy (Deprecated)
- Custom Blueprint
- Cluster Fleet Management
- Exceptions
- Disable Default
- Sharing
- Cluster Overrides
- Update Blueprint
- CLI
- API
ZTKA
ZTKA
- Background
- Overview
- KubeCTL
  KubeCTL
  - Browser
  - KubeCTL CLI
- Configuration
- RBAC
- Audit Trail
- Private Kube API Proxy
- FAQ
Policy Mgmt
Policy Mgmt
Workloads
Workloads
- Namespaces
  Namespaces
  - Overview
- Workload Types
  Workload Types
  - Overview
  - Helm Charts
  - k8s YAML
  - Wizard
    Wizard
    
    Overview
    
    Ingress
    
    Containers
    
    Container Registry
    
    Upgrade Strategy
    
    Storage
    
    Policy
    
    Publish
  - VM Wizard
- Zero Trust Debug
  Zero Trust Debug
  - Overview
  - Developer Tools
- Cluster Overrides
- CLI
GitOps
GitOps
- Overview
- Benefits
- Pipelines
- Stages
  Stages
- Triggers
  Triggers
  - Overview
  - Troubleshooting
- Secret Groups
  Secret Groups
  - Pipeline Secret Groups
  - CLI
- Agents
Backup
Backup
- Overview
- Backup Location
  Backup Location
- Credentials
  Credentials
  - Overview
  - AWS
  - Azure
  - S3 Compatible
- Data Agent
- Backup Policy
- Backup Job
- Restore Policy
- Restore Job
- Considerations
Security
Security
- Overview
- Organizations
- Projects
- Users
- MFA
- Groups
- CLI
- Roles
- Cluster Sharing
- Audit Logs
- Compliance
- Vulnerabilities
- CIS Benchmark
- Contact
Integrations
Integrations
- Overview
- Backup And Restore
  Backup And Restore
- Networking
  Networking
  - Overview
- Storage
  Storage
  - Overview
- CI
  CI
  - Overview
  - Common Patterns
  - Jenkins
    Jenkins
    
    Overview
    
    Workload Basics
    
    Workload Wizard
    
    Helm Workloads
    
    YAML Workloads
    
    Provision Upstream k8s
    
    Provision Amazon EKS
  - CircleCI
  - GitLab
  - Azure DevOps
- GSLB
  GSLB
  - DNS based GSLB
- Terraform
  Terraform
  - Overview
- Ingress
  Ingress
  - Background
  - Managed Ingress
- Log Aggregation
  Log Aggregation
- Monitoring
  Monitoring
- Registry
  Registry
  - Overview
- Repositories
  Repositories
- Secrets
  Secrets
  - Vault
    Vault
    
    Overview
    
    Configure Vault
    
    Use Vault-Helm/YAML
    Use Vault-Helm/YAML
    
    ENV Variables
    
    Files
    
    Use Vault-Wizard
  - Secrets Manager (Beta)
    Secrets Manager (Beta)
    
    Secrets Store Add-on
    
    Secret Provider Classes
    
    Configure IRSA
    
    Secret Store
    
    Annotations Annotations
    Table of contents
    
    YAML Example
    
    CLI
  - Sealers
    Sealers
    
    Secret Sealer
    
    Use Secret Sealer
- SIEM / Audit Logs
  SIEM / Audit Logs
  - Overview
  - DataDog
  - Splunk
- Single Sign On
  Single Sign On
  - Overview
  - AWS SSO
  - Azure AD
  - Duo SSO
  - Google Workspace
  - KeyCloak
  - Okta
  - Ping One
  - CLI
Recipes
Recipes
- Overview
- AlertManager
  AlertManager
  - Slack
  - PagerDuty
  - Opsgenie
- Backup
  Backup
  - CloudCasa
  - Velero
    Velero
    
    Overview
    
    Credentials - IAM Role
    
    Credentials - IAM User
    
    Credentials - MinIO
    
    Use Velero
- Cost Management
  Cost Management
  - Overview
  - Kubecost
- Cert-Manager
  Cert-Manager
- Databases
  Databases
  - Redis
  - InfluxDB
- Functions
  Functions
  - Kubeless
- Governance
  Governance
- GPU
  GPU
- Ingress
  Ingress
  - ALB
    ALB
    
    Overview
    
    Create
    
    Configure
    
    Access
  - Ambassador
  - Citrix
  - Kong
    Kong
    
    Install Kong
    
    Enable Monitoring
    
    Enable Logging
    
    Sample Application
- Load Balancer
  Load Balancer
  - MetalLB
    MetalLB
    
    Overview
    
    Setup
    
    Install
    
    Test
- Logging
  Logging
  - CloudWatch
  - Elastic Cloud
    Elastic Cloud
    
    Overview
    
    ECK Operator
    
    Elasticsearch
    
    Kibana
    
    Recap
  - OpenSearch
    OpenSearch
    
    Overview
    
    Create
    
    Configure
    
    Access
  - Splunk
  - Sumologic
  - New Relic
- Monitoring
  Monitoring
  - Amazon Prometheus
    Amazon Prometheus
    
    Overview
    
    Create
    
    Configure
    
    Access
  - CloudWatch
  - Datadog Agent
  - Grafana
  - New Relic
  - Prometheus Operator
  - Splunk Connect
- Network Policy
  Network Policy
  - Overview
  - Calico
    Calico
    
    Install
    
    Test
  - Cilium
    Cilium
    
    Install
- Secrets
  Secrets
  - AWS Secrets Manager
    AWS Secrets Manager
    
    Overview
    
    Create
    
    Configure
    
    Access
  - Hashicorp Vault
  - Sealed Secrets
- Security
  Security
  - Araali
  - Kube-bench
- Service Mesh
  Service Mesh
  - Istio
    Istio
    
    Overview
    
    Use Istio
  - Linkerd
    Linkerd
    
    Overview
    
    Use Linkerd
- Storage
  Storage
  - MinIO
  - Ondat

Annotations

Important

This is available as a beta feature.

Follow the steps documented below to use Secret Store annotations to dynamically retrieve secrets from the AWS Secret Manager. Workloads based on k8s YAML can use the supported annotations for Secret Store to dynamically retrieve secrets from Secret Manager to the pod's environment variables.

YAML Example¶

Here is an example yaml for a deployment with containers pulling secrets from AWS Secret Manager.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
  annotations:
    rafay.dev/secretstore: csi-aws
    csi-aws.secretstore.rafay.dev/config-1: |
        {
            "secret-name": "demo-secret",
            "mount-path": "/mnt/secrets-store1"
        }
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: test-sa
      containers:
      - name: nginx-deployment
        image: nginx
        ports:
        - containerPort: 80