# ENV Variables

It is assumed that you have already configured trust between your Kubernetes cluster and the Vault server.

Follow the steps below to use the Secret Store annotations to retrieve secrets from the Vault server dynamically. Workloads deployed from Helm charts or from k8s YAML can use the supported Secret Store annotations to pull secrets from the Vault server into the pod's environment variables.

**Important:** the format of the environment variable value that references a secret differs between KV v1 and KV v2 (see the format shown under each section).
## Template for k8s YAML to pull individual secrets

```yaml
annotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
...
spec:
  serviceAccountName: <service_account>
  containers:
    env:
    - name: <environment_name>
      value: secretstore:vault:<path_to_secrets>
```
## Template for Helm

Template for a Helm chart values.yaml file with pod annotations to inject Vault secrets as environment variables into containers:

```yaml
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
...
serviceAccount:
  name: <service_account>
...
env:
- name: <environment_name>
  value: secretstore:vault:<path_to_secrets>
```
## Template for pulling multiple secrets

```yaml
annotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: "demo"
  vault.secretstore.rafay.dev/env-secret-path-1: "app-secrets-v2/data/wordpress-mysql/data/data"
```
## KV v2

### Format for pulling individual secrets

```yaml
value: secretstore:vault:
```

The KV v2 examples on this page use references of the form `secretstore:vault:<mount>/data/<path>#data.<key>`: the `data/` path segment and the `data.` key prefix are part of the KV v2 API layout, and a reference for a KV v2 secret needs both.
### YAML Example

Here is an example YAML for a deployment whose containers pull individual secrets from KV version 2 to use as environment variables. You can deploy it as a NativeYaml workload in the Web Console.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: frontend
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - image: wordpress:5.4.1-apache
        name: wordpress
        env:
        - name: WORDPRESS_DB_HOST
          value: wordpress-mysql
        - name: WORDPRESS_DB_USER
          value: secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.username
        - name: WORDPRESS_DB_PASSWORD
          value: secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.password
        ports:
        - containerPort: 80
          name: wordpress
        volumeMounts:
        - name: wordpress-data
          mountPath: /var/www/html
      volumes:
      - name: wordpress-data
        persistentVolumeClaim:
          claimName: wordpress-data-claim
```
### Format for pulling multiple secrets

```yaml
vault.secretstore.rafay.dev/env-secret-path-1: "app-secrets-v2/data/wordpress-mysql/data"
```
### YAML Example

Here is an example YAML for a deployment whose containers pull multiple secrets from KV version 2 to use as environment variables. You can deploy it as a NativeYaml workload in the Web Console. Note that the demo container prints its whole environment every 30 seconds, so the injected secrets end up in the pod logs; use it only to verify the injection.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth-demo
  labels:
    app: wordpress
    tier: frontend
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-secrets1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-secrets
  template:
    metadata:
      labels:
        app: vault-secrets
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
        vault.secretstore.rafay.dev/env-secret-path-1: "app-secrets-v2/data/wordpress-mysql/data/data"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - name: alpine
        image: alpine:latest
        command: [ "/bin/ash", "-c", "--" ]
        args: [ "while true; do env; sleep 30; done;" ]
        securityContext:
          allowPrivilegeEscalation: false
```
### Helm Example

Here is an example of a Helm chart values.yaml that includes pod annotations to use the Vault secret store integration to inject secrets as environment variables.

```yaml
...
# Additional pod annotations
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: "demo"
...
## Specify the service account to use for pods
serviceAccount:
  name: vault-auth-demo
...
# Additional pod environment variables
env:
- name: "mysql_username"
  value: "secretstore:vault:app-secrets-v1/mysql#username"
- name: "mysql_password"
  value: "secretstore:vault:app-secrets-v2/data/mysql#data.password"
```
## KV v1

```yaml
value: secretstore:vault:
```

The KV v1 examples on this page use references of the form `secretstore:vault:<mount>/<path>#<key>`, with no `data/` path segment and no `data.` key prefix.
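A reference written in the wrong form for the KV version names a path or key that does not exist, so it is worth checking manifests before deploying. The lint below is an added example, not part of the Rafay docs: it checks one pod template for the two annotations, the service account and the reference shapes shown on this page. The KV v1/v2 heuristic (a `/data/` path segment paired with a `data.` key prefix means KV v2) and the sample pod are my own constructions.

```python
import re

# Added example (not Rafay's code): lint the secretstore:vault: references this page describes.
REF_RE = re.compile(r"^secretstore:vault:(?P<path>[^#]+)#(?P<key>.+)$")

def parse_ref(value: str) -> dict:
    """Split 'secretstore:vault:<path>#<key>' and guess the KV version. Heuristic from the
    page's examples: KV v2 paths contain '/data/' and keys start with 'data.'; KV v1 has neither."""
    m = REF_RE.match(value)
    if not m:
        raise ValueError(f"expected secretstore:vault:<path>#<key>, got {value!r}")
    path, key = m.group("path"), m.group("key")
    v2_path, v2_key = "/data/" in path, key.startswith("data.")
    if v2_path and v2_key:
        version = "kv2"
    elif not v2_path and not v2_key:
        version = "kv1"
    else:
        version = "mismatch"  # path says one KV version, key says the other
    return {"path": path, "key": key, "version": version}

def lint_pod(annotations: dict, service_account: str, env: list) -> list:
    """Return findings for one pod template; an empty list means the wiring looks right."""
    findings = []
    if annotations.get("rafay.dev/secretstore") != "vault":
        findings.append("missing pod annotation rafay.dev/secretstore: vault")
    if not annotations.get("vault.secretstore.rafay.dev/role"):
        findings.append("missing pod annotation vault.secretstore.rafay.dev/role")
    if not service_account:
        findings.append("serviceAccountName not set; Vault auth uses the pod's service account")
    for var in env:
        value = var.get("value", "")
        if not value.startswith("secretstore:vault:"):
            continue  # plain literal, nothing for the secret store to resolve
        try:
            ref = parse_ref(value)
        except ValueError as exc:
            findings.append(f"{var['name']}: {exc}")
            continue
        if ref["version"] == "mismatch":
            findings.append(f"{var['name']}: {ref['path']}#{ref['key']} mixes KV v1 and KV v2 forms")
    return findings

# Constructed sample: the page's WordPress pod plus one deliberately broken reference.
SAMPLE_ANNOTATIONS = {"rafay.dev/secretstore": "vault", "vault.secretstore.rafay.dev/role": "demo"}
SAMPLE_ENV = [{"name": "WORDPRESS_DB_USER", "value": "secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.username"},
              {"name": "BROKEN", "value": "secretstore:vault:app-secrets-v2/data/wordpress-mysql#password"}]

if __name__ == "__main__":
    print("\n".join(lint_pod(SAMPLE_ANNOTATIONS, "vault-auth-demo", SAMPLE_ENV)) or "no findings")
```

The heuristic only catches the v1/v2 mix-up visible in the reference string; whether the path and key actually exist can only be confirmed against the Vault server itself.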
### Example

An example YAML for a deployment whose containers pull individual secrets from KV v1 to use as environment variables.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - image: mysql:8.0.20
        name: mysql
        args:
        - "--default-authentication-plugin=mysql_native_password"
        env:
        - name: MYSQL_USER
          value: secretstore:vault:app-secrets-v1/mysql#username
        - name: MYSQL_PASSWORD
          value: secretstore:vault:app-secrets-v1/mysql#password
        - name: MYSQL_ROOT_PASSWORD
          value: secretstore:vault:app-secrets-v1/mysql#rootpassword
        livenessProbe:
          initialDelaySeconds: 120
          timeoutSeconds: 5
          periodSeconds: 15
          tcpSocket:
            port: 3306
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-data
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-data
        persistentVolumeClaim:
          claimName: mysql-data-claim
```
### Pulling multiple secrets

```yaml
value: secretstore:vault:
```

### Example

An example YAML for a deployment whose containers pull multiple secrets from KV v1 to use as environment variables.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth-demo
  labels:
    app: wordpress
    tier: frontend
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-secrets1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-secrets
  template:
    metadata:
      labels:
        app: vault-secrets
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
        vault.secretstore.rafay.dev/env-secret-path-2: "kv1/values"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - name: alpine
        image: alpine:latest
        command: [ "/bin/ash", "-c", "--" ]
        args: [ "while true; do env; sleep 30; done;" ]
        securityContext:
          allowPrivilegeEscalation: false
```