
ENV Variables

It is assumed that you have already configured trust between your Kubernetes cluster and the Vault server.

Follow the steps documented below to use Rafay's Secret Store annotations to retrieve secrets from the Vault server at deploy time. Workloads based on Helm charts or Kubernetes YAML can use the Rafay-supported Secret Store annotations to dynamically retrieve secrets from the Vault server into the pod's environment variables.

Important

The reference format used as the environment variable value differs between the KV v1 and KV v2 secrets engines; see the Format lines in the KV v2 and KV v1 sections below.


Template for k8s YAML

  annotations:
    rafay.dev/secretstore: vault
    vault.secretstore.rafay.dev/role: <vault_role>
  ...
  spec:
    serviceAccountName: <service_account>
    containers:
    - env:
      - name: <environment_name>
        value: secretstore:vault:<path_to_secrets>


Template for Helm

Template for Helm chart values.yaml file with pod annotations to inject Vault secrets as environment variables into containers:

podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
...
serviceAccount:
  name: <service_account>
...
env:
- name: <environment_name>
  value: secretstore:vault:<path_to_secrets>


Vault CA Certificate

Some container images do not include the Certificate Authority (CA) that issued the Vault server's TLS certificate in their trust store. TLS verification then fails and the container cannot reach Vault.

As a workaround, mount the CA certificate from a Kubernetes Secret into the container (read-only) and set the VAULT_CACERT environment variable to the path of the mounted CA file. Do not work around the failure by disabling TLS verification: the CA file is the trust anchor that protects the secrets in transit.


KV v2

Format

value: secretstore:vault:<mount>/data/<path_to_secret>#data.<key>

Both the data/ path segment and the data. key prefix are required for KV v2: the v2 read API returns the key/value pairs nested under data.data, next to the secret's metadata.

YAML Example

Here is an example YAML for a Deployment whose container pulls secrets from a KV version 2 engine into environment variables. It can be deployed as a NativeYaml workload in the Rafay Console.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: frontend
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - image: wordpress:5.4.1-apache
        name: wordpress
        env:
        - name: WORDPRESS_DB_HOST
          value: wordpress-mysql
        - name: WORDPRESS_DB_USER
          value: secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.username
        - name: WORDPRESS_DB_PASSWORD
          value: secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.password
        ports:
        - containerPort: 80
          name: wordpress
        volumeMounts:
        - name: wordpress-data
          mountPath: /var/www/html
      volumes:
      - name: wordpress-data
        persistentVolumeClaim:
          claimName: wordpress-data-claim

Helm Example

Here is an example of a Helm chart values.yaml which includes pod annotations to use Rafay's Vault secret store integration to inject secrets as environment variables. Note that the two env entries use different formats: the username comes from a KV v1 mount and the password from a KV v2 mount.

...
# Additional pod annotations
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: "demo"

...
## Specify the service account to use for pods
serviceAccount:
  name: vault-auth-demo

...

# Additional pod environment variables
env:
 - name: "mysql_username"
   value: "secretstore:vault:app-secrets-v1/mysql#username"
 - name: "mysql_password"
   value: "secretstore:vault:app-secrets-v2/data/mysql#data.password"

KV v1

Format

value: secretstore:vault:<mount>/<path_to_secret>#<key>

Example

An example YAML for a Deployment whose container pulls secrets from a KV v1 engine into environment variables.

This example also sets the VAULT_CACERT environment variable for the mysql container, because the mysql image does not ship a CA bundle that trusts the Vault server. The CA file is mounted read-only from the vault-cacert-secret Secret at the path VAULT_CACERT points to.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - image: mysql:8.0.20
        name: mysql
        args:
        - "--default-authentication-plugin=mysql_native_password"
        env:
        - name: MYSQL_USER
          value: secretstore:vault:app-secrets-v1/mysql#username
        - name: MYSQL_PASSWORD
          value: secretstore:vault:app-secrets-v1/mysql#password
        - name: MYSQL_ROOT_PASSWORD
          value: secretstore:vault:app-secrets-v1/mysql#rootpassword
        - name: VAULT_CACERT
          value: "/etc/vault/ssl/cacert.pem"
        livenessProbe:
          initialDelaySeconds: 120
          timeoutSeconds: 5
          periodSeconds: 15
          tcpSocket:
            port: 3306
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-data
          mountPath: /var/lib/mysql
        - name: vault-cacert
          mountPath: "/etc/vault/ssl/"
          readOnly: true
      volumes:
      - name: mysql-data
        persistentVolumeClaim:
          claimName: mysql-data-claim
      - name: vault-cacert
        secret:
          secretName: vault-cacert-secret
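The Important note, the two Format lines and the Vault CA Certificate section above all describe checks that are easy to get wrong in a manifest before it reaches the cluster. The following is an added example (not Rafay code, and not part of the original page) that parses a secretstore:vault reference, infers KV v1 or v2 from its shape, shows which part of the Vault read response each form maps to, and lints a pod template for the annotations, service account, reference syntax and a VAULT_CACERT path that lies under a read-only Secret mount. The MOUNT_KV_VERSION table, the BAD_TEMPLATE sample and the Vault response dictionaries are constructed for this example and are assumptions, not values from the page.

```python
import re

# Assumption (not on the page): KV engine version of each Vault mount used in the examples.
MOUNT_KV_VERSION = {"app-secrets-v1": 1, "app-secrets-v2": 2}

REF_RE = re.compile(r"^secretstore:vault:(?P<path>[^#]+)#(?P<key>.+)$")


def parse_ref(value: str) -> dict:
    """Split secretstore:vault:<path>#<key> and infer the KV version from its shape.

    KV v2 references need 'data/' in the path and 'data.' on the key because the
    v2 read API nests the secret one level deeper than v1:
      v1: GET /v1/<mount>/<path>       -> {"data": {"<key>": ...}}
      v2: GET /v1/<mount>/data/<path>  -> {"data": {"data": {"<key>": ...}, "metadata": {...}}}
    """
    m = REF_RE.match(value)
    if not m:
        raise ValueError(f"not a secret-store reference: {value!r}")
    path, key = m.group("path"), m.group("key")
    mount, _, rest = path.partition("/")
    if rest.startswith("data/") and key.startswith("data."):
        return {"mount": mount, "secret": rest[5:], "key": key[5:], "kv": 2}
    if not rest.startswith("data/") and not key.startswith("data."):
        return {"mount": mount, "secret": rest, "key": key, "kv": 1}
    # Only one of the two v2 markers is present, so the reference is malformed
    # (a v1 secret stored under a path literally named data/ is the one false positive).
    raise ValueError(f"mixed KV v1/v2 syntax in {value!r}")


def read_key(ref: dict, api_response: dict) -> str:
    """Pull the referenced key out of a Vault read response, honouring the v2 nesting."""
    data = api_response["data"]
    if ref["kv"] == 2:
        data = data["data"]
    return data[ref["key"]]


def lint_pod_template(tmpl: dict) -> list:
    """Return human-readable findings for a pod template (spec.template of a Deployment)."""
    findings = []
    ann = tmpl.get("metadata", {}).get("annotations", {})
    if ann.get("rafay.dev/secretstore") != "vault":
        findings.append("missing annotation rafay.dev/secretstore: vault")
    if not ann.get("vault.secretstore.rafay.dev/role"):
        findings.append("missing annotation vault.secretstore.rafay.dev/role")
    spec = tmpl.get("spec", {})
    if not spec.get("serviceAccountName"):
        findings.append("spec.serviceAccountName is not set (Vault auth binds the role to a service account)")
    secret_volumes = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        for name, value in env.items():
            if not value.startswith("secretstore:vault:"):
                continue
            try:
                ref = parse_ref(value)
            except ValueError as exc:
                findings.append(f"{c['name']}/{name}: {exc}")
                continue
            expected = MOUNT_KV_VERSION.get(ref["mount"])
            if expected and expected != ref["kv"]:
                findings.append(f"{c['name']}/{name}: mount {ref['mount']} is KV v{expected} "
                                f"but the reference uses KV v{ref['kv']} syntax")
        # VAULT_CACERT must point at a file inside a read-only mount backed by a Secret.
        cacert = env.get("VAULT_CACERT")
        if cacert:
            ro_secret_mounts = [m["mountPath"] for m in c.get("volumeMounts", [])
                                if m["name"] in secret_volumes and m.get("readOnly")]
            if not any(cacert.startswith(p.rstrip("/") + "/") for p in ro_secret_mounts):
                findings.append(f"{c['name']}: VAULT_CACERT {cacert} is not a file under a read-only Secret mount")
    return findings


# Constructed sample: the wordpress pod template from this page with two mistakes planted,
# a KV v1-style reference against the v2 mount and a VAULT_CACERT path outside the Secret mount.
BAD_TEMPLATE = {
    "metadata": {"annotations": {"rafay.dev/secretstore": "vault",
                                 "vault.secretstore.rafay.dev/role": "demo"}},
    "spec": {
        "serviceAccountName": "vault-auth-demo",
        "containers": [{
            "name": "wordpress",
            "env": [
                {"name": "WORDPRESS_DB_USER",
                 "value": "secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.username"},
                {"name": "WORDPRESS_DB_PASSWORD",
                 "value": "secretstore:vault:app-secrets-v2/wordpress-mysql#password"},
                {"name": "VAULT_CACERT", "value": "/etc/ssl/certs/vault.pem"},
            ],
            "volumeMounts": [{"name": "vault-cacert", "mountPath": "/etc/vault/ssl/", "readOnly": True}],
        }],
        "volumes": [{"name": "vault-cacert", "secret": {"secretName": "vault-cacert-secret"}}],
    },
}

if __name__ == "__main__":
    for finding in lint_pod_template(BAD_TEMPLATE):
        print(finding)
```

Run it on a rendered pod template (for Helm, the output of helm template) before pushing the workload; the two planted mistakes in BAD_TEMPLATE produce exactly two findings. The KV-version inference relies on the reference's shape only, so keep MOUNT_KV_VERSION in sync with the mounts actually enabled on the Vault server.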