Skip to content

Files

It is assumed that you have already configured trust between your Kubernetes cluster and the Vault server.

Follow the steps documented below to use the Secret Store annotations to dynamically retrieve secrets from the Vault server. Workloads based on Helm or k8s yaml can use the supported annotations to inject Vault secrets as file mounts.

Important

The vaultSecretRef in the vault.secretstore.rafay.dev/filesecret-config is referred differently between KV v1 and v2.

Template for k8s YAML

  annotations:
    rafay.dev/secretstore: vault
    vault.secretstore.rafay.dev/role: <vault_role>
    vault.secretstore.rafay.dev/filesecret-config-1: |
        {
            "vaultSecretRef": "<path_to_vault_secrets1>",
            "secretFileName": "<filename1>",
            "volumeMountPath": "<mount_path1>",
            "containers": ["<container_name1>"]
        }
    vault.secretstore.rafay.dev/filesecret-config-2: |
        {
            "vaultSecretRef": "<path_to_vault_secrets2>",
            "secretFileName": "<filename2>",
            "volumeMountPath": "<mount_path2>",
            "containers": ["<container_name2>"]
        }
  ...
  spec:
    serviceAccountName: <service_acount>
    containers:
  ...

Template for Helm

Template for Helm chart values.yaml file with pod annotations to inject vault secrets as file mounts to containers:

podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
  vault.secretstore.rafay.dev/filesecret-config-1: |
      {
          "vaultSecretRef": "<path_to_vault_secrets1>",
          "secretFileName": "<filename1>",
          "volumeMountPath": "<mount_path1>",
          "containers": ["<container_name1>"]
      }
  vault.secretstore.rafay.dev/filesecret-config-2: |
      {
          "vaultSecretRef": "<path_to_vault_secrets2>",
          "secretFileName": "<filename2>",
          "volumeMountPath": "<mount_path2>",
          "containers": ["<container_name2>"]
...
serviceAccount:
  name: <service_acount>

Vault CA Certificate

Some containers may come without the known Certificate Authority (CA) for the Vault host which may cause the containers to not be able to access Vault.

As a workaround, ensure that you set an environment variable VAULT_CACERT to point to the CA file mounted from Kubernetes secrets.

KV v2

Format

"vaultSecretRef": "/data/#data."

YAML Example

Here is an example yaml for a deployment with containers pulling secrets from KV v2 as file mounts. 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-vault-v2-certs
spec:
  selector:
    matchLabels:
      app: nginx-vault-v2-certs
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-vault-v2-certs
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
        vault.secretstore.rafay.dev/filesecret-config-1: |
            {
                "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlscert",
                "secretFileName": "tls.crt",
                "volumeMountPath": "/etc/nginx/ssl",
                "containers": ["nginxhttpsv2"]
            }
        vault.secretstore.rafay.dev/filesecret-config-2: |
            {
                "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
                "secretFileName": "tls.key",
                "volumeMountPath": "/etc/nginx/ssl",
                "containers": ["nginxhttpsv2"]
            }
    spec:
      serviceAccountName: vault-auth-demo
      volumes:
      - name: configmap-volume
        configMap:
          name: httpsnginxconfigmapv2
      containers:
      - name: nginxhttpsv2
        image: ymqytw/nginxhttps:1.5
        command: ["/home/auto-reload-nginx.sh"]
        ports:
        - containerPort: 443
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /index.html
            port: 80
          initialDelaySeconds: 30
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /etc/nginx/conf.d
          name: configmap-volume
---
apiVersion: v1
data:
  default.conf: |
    server {
            listen 80 default_server;
            listen [::]:80 default_server ipv6only=on;

            listen 443 ssl;

            root /usr/share/nginx/html;
            index index.html;

            server_name localhost;
            ssl_certificate /etc/nginx/ssl/tls.crt;
            ssl_certificate_key /etc/nginx/ssl/tls.key;

            location / {
                    try_files $uri $uri/ =404;
            }
    }
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: httpsnginxconfigmapv2

Helm Example

Here is an example of helm chart values.yaml which includes pod annotations to use the Vault secret store integration to inject secrets as file mounts. 

...
# Additational pod annotations
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: "demo"
  vault.secretstore.rafay.dev/filesecret-config-1: |
      {
          "vaultSecretRef": "app-secrets-v1/tls-wildcard#tlscert",
          "secretFileName": "tls.crt",
          "volumeMountPath": "/etc/nginx/ssl",
          "containers": ["nginx"]
      }
  vault.secretstore.rafay.dev/filesecret-config-2: |
      {
          "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
          "secretFileName": "tls.key",
          "volumeMountPath": "/etc/nginx/ssl",
          "containers": ["nginx"]
      }

...
## Specify the service account to use for pods
serviceAccount:
  name: vault-auth-demo