Files
It is assumed that you have already configured trust between your Kubernetes cluster and the Vault server, so that the service account a workload runs as can authenticate to Vault under the role named in the annotations.
Follow the steps documented below to use Rafay's Secret Store annotations to retrieve secrets from the Vault server dynamically. Workloads deployed from Helm charts or Kubernetes YAML can use the Rafay-supported annotations to inject Vault secrets into containers as file mounts.
Important
The vaultSecretRef value in a vault.secretstore.rafay.dev/filesecret-config-N annotation is written differently for KV v1 and KV v2 secrets engines. As the examples on this page show, a KV v1 reference names the secret path and key directly (app-secrets-v1/tls-wildcard#tlscert), while a KV v2 reference goes through the engine's data/ API path and selects the key under the response's data field (app-secrets-v2/data/tls-wildcard#data.tlskey). A reference written in the form for the wrong engine version will not resolve.
Template for k8s YAML
Pod template fragment with annotations to inject Vault secrets as file mounts (annotations live under metadata, alongside spec):
metadata:
  annotations:
    rafay.dev/secretstore: vault
    vault.secretstore.rafay.dev/role: <vault_role>
    vault.secretstore.rafay.dev/filesecret-config-1: |
      {
        "vaultSecretRef": "<path_to_vault_secrets1>",
        "secretFileName": "<filename1>",
        "volumeMountPath": "<mount_path1>",
        "containers": ["<container_name1>"]
      }
    vault.secretstore.rafay.dev/filesecret-config-2: |
      {
        "vaultSecretRef": "<path_to_vault_secrets2>",
        "secretFileName": "<filename2>",
        "volumeMountPath": "<mount_path2>",
        "containers": ["<container_name2>"]
      }
    ...
spec:
  serviceAccountName: <service_account>
  containers:
  ...
Template for Helm
Template for a Helm chart values.yaml file with pod annotations to inject Vault secrets as file mounts into containers:
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
  vault.secretstore.rafay.dev/filesecret-config-1: |
    {
      "vaultSecretRef": "<path_to_vault_secrets1>",
      "secretFileName": "<filename1>",
      "volumeMountPath": "<mount_path1>",
      "containers": ["<container_name1>"]
    }
  vault.secretstore.rafay.dev/filesecret-config-2: |
    {
      "vaultSecretRef": "<path_to_vault_secrets2>",
      "secretFileName": "<filename2>",
      "volumeMountPath": "<mount_path2>",
      "containers": ["<container_name2>"]
    }
  ...
serviceAccount:
  name: <service_account>
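The following is an added example (not Rafay's or Vault's code) that encodes the annotation contract from the templates above and the KV v1/v2 distinction from the Important note: it lints every filesecret-config-N annotation on a pod template (valid JSON, required keys, absolute mount path, containers that exist in the pod spec) and shows how the part after "#" in a vaultSecretRef is resolved against a Vault read response. The resolution rule (the selector is a dotted path walked beneath the response's top-level data object, which is why KV v2 references carry the data. prefix) and the "/data/" heuristic for detecting KV v2 are inferred from this page's examples and are assumptions; the Vault responses in FAKE_VAULT are constructed.

```python
import json
import re

# Added example, not Rafay's or Vault's code. The way the "#" selector is walked over
# the Vault read response is inferred from this page's examples ("#tlscert" for KV v1,
# "#data.tlskey" for KV v2) and is an assumption, as is the "/data/" version heuristic.

REQUIRED_KEYS = {"vaultSecretRef", "secretFileName", "volumeMountPath", "containers"}
CONFIG_ANNOTATION = re.compile(r"^vault\.secretstore\.rafay\.dev/filesecret-config-\d+$")


def kv_version(path):
    """Heuristic: KV v2 reads go through <mount>/data/<path>, KV v1 through <mount>/<path>."""
    return 2 if "/data/" in path else 1


def check_ref(ref):
    """Return a problem description for a malformed vaultSecretRef, or None if it looks right."""
    path, sep, selector = ref.partition("#")
    if not sep or not path or not selector:
        return f"vaultSecretRef must be '<vault path>#<key>': {ref!r}"
    if kv_version(path) == 2 and not selector.startswith("data."):
        # KV v2 nests the secret's keys under data.data, so the selector must start with data.
        return f"KV v2 ref {ref!r} must select under 'data.' (for example #data.tlskey)"
    return None


def resolve(ref, read_secret):
    """Fetch the value a vaultSecretRef points at.

    read_secret(api_path) must return the decoded JSON body of a Vault read. The part
    after '#' is a dotted path walked beneath the response's top-level "data" object,
    which is why KV v2 references carry the extra "data." prefix.
    """
    problem = check_ref(ref)
    if problem:
        raise ValueError(problem)
    path, _, selector = ref.partition("#")
    node = read_secret(path)["data"]
    for key in selector.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"{selector!r} not found in response for {path!r}")
        node = node[key]
    return node


def validate_filesecret_annotations(annotations, container_names):
    """Lint the pod-template annotations; returns a list of problems (empty means OK)."""
    problems = []
    if annotations.get("rafay.dev/secretstore") != "vault":
        problems.append("rafay.dev/secretstore must be 'vault'")
    if not annotations.get("vault.secretstore.rafay.dev/role"):
        problems.append("vault.secretstore.rafay.dev/role is missing")
    for name, raw in annotations.items():
        if not CONFIG_ANNOTATION.match(name):
            continue
        try:
            cfg = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append(f"{name}: not valid JSON ({exc.msg})")
            continue
        missing = REQUIRED_KEYS - set(cfg)
        if missing:
            problems.append(f"{name}: missing {sorted(missing)}")
            continue
        problem = check_ref(cfg["vaultSecretRef"])
        if problem:
            problems.append(f"{name}: {problem}")
        if not str(cfg["volumeMountPath"]).startswith("/"):
            problems.append(f"{name}: volumeMountPath must be an absolute path")
        if "/" in cfg["secretFileName"]:
            problems.append(f"{name}: secretFileName must be a bare file name")
        for container in cfg["containers"]:
            if container not in container_names:
                problems.append(f"{name}: container {container!r} is not in the pod spec")
    return problems


# Constructed stand-in for the Vault API, shaped like real KV v1 and KV v2 read responses.
FAKE_VAULT = {
    "app-secrets-v1/tls-wildcard": {"data": {"tlscert": "CERT-V1", "tlskey": "KEY-V1"}},
    "app-secrets-v2/data/tls-wildcard": {
        "data": {
            "data": {"tlscert": "CERT-V2", "tlskey": "KEY-V2"},
            "metadata": {"version": 3},
        }
    },
}


def fake_read(api_path):
    return FAKE_VAULT[api_path]


if __name__ == "__main__":
    print(resolve("app-secrets-v1/tls-wildcard#tlscert", fake_read))          # CERT-V1
    print(resolve("app-secrets-v2/data/tls-wildcard#data.tlskey", fake_read))  # KEY-V2
```

Run validate_filesecret_annotations over the pod template's annotations and the set of container names in the pod spec before applying a manifest; a reference to a container that does not exist, or a v2 path selecting a bare key, is caught before the workload is rolled out with an empty mount.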
Vault CA Certificate
Some container images do not ship the Certificate Authority (CA) certificate that signed the Vault server's TLS certificate, so those containers cannot establish a trusted TLS connection to Vault and the secret retrieval fails.
As a workaround, store the CA certificate in a Kubernetes Secret, mount that Secret into the container, and set the environment variable VAULT_CACERT to the path of the mounted CA file. Mount the CA rather than disabling certificate verification (for example with VAULT_SKIP_VERIFY), since skipping verification would let any host that answers on the Vault address impersonate it.
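The following is an added example (not Rafay's code) of the workaround above applied to a pod spec held as a Python dict, the shape you get from a Deployment's spec.template.spec: it adds a read-only mount of the CA Secret, sets VAULT_CACERT to the mounted file, and checks that VAULT_CACERT actually points into a Secret-backed mount, which is the failure mode this section describes. The Secret name vault-ca, its key ca.crt and the mount path /etc/vault-tls are assumed names, not from the page; the pod spec is constructed from the nginx example further down.

```python
import copy

# Added example, not Rafay's code. Assumed names, not from the page: Secret "vault-ca"
# with key "ca.crt", mounted read-only at /etc/vault-tls. Create the Secret first, e.g.:
#   kubectl create secret generic vault-ca --from-file=ca.crt=vault-ca.pem

CA_SECRET, CA_KEY, CA_MOUNT, CA_VOLUME = "vault-ca", "ca.crt", "/etc/vault-tls", "vault-ca"


def add_vault_ca(pod_spec, container_name, secret_name=CA_SECRET, key=CA_KEY, mount=CA_MOUNT):
    """Return a copy of pod_spec with the CA Secret mounted into the container and VAULT_CACERT set."""
    spec = copy.deepcopy(pod_spec)
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == CA_VOLUME for v in volumes):
        volumes.append({"name": CA_VOLUME, "secret": {"secretName": secret_name}})
    for container in spec["containers"]:
        if container["name"] != container_name:
            continue
        mounts = container.setdefault("volumeMounts", [])
        if not any(m.get("name") == CA_VOLUME for m in mounts):
            mounts.append({"name": CA_VOLUME, "mountPath": mount, "readOnly": True})
        # Replace any stale VAULT_CACERT so the env var and the mount cannot drift apart.
        env = [e for e in container.get("env", []) if e.get("name") != "VAULT_CACERT"]
        env.append({"name": "VAULT_CACERT", "value": f"{mount}/{key}"})
        container["env"] = env
        return spec
    raise KeyError(f"container {container_name!r} not found in pod spec")


def vault_cacert_resolves(pod_spec, container_name):
    """True if the container's VAULT_CACERT lies inside a mount backed by a Secret volume.

    Without this, an image that lacks the Vault CA (or an env var pointing at a path
    nothing mounts) leaves the TLS handshake to Vault unverifiable.
    """
    container = next((c for c in pod_spec.get("containers", []) if c["name"] == container_name), None)
    if container is None:
        return False
    value = next((e.get("value") for e in container.get("env", []) if e.get("name") == "VAULT_CACERT"), None)
    if not value:
        return False
    secret_volumes = {v["name"] for v in pod_spec.get("volumes", []) if "secret" in v}
    for mount in container.get("volumeMounts", []):
        mount_path = mount.get("mountPath", "").rstrip("/") + "/"
        if value.startswith(mount_path) and mount.get("name") in secret_volumes:
            return True
    return False


# Constructed pod spec modelled on the nginx example further down this page.
EXAMPLE_POD_SPEC = {
    "serviceAccountName": "vault-auth-demo",
    "volumes": [{"name": "configmap-volume", "configMap": {"name": "httpsnginxconfigmapv2"}}],
    "containers": [{
        "name": "nginxhttpsv2",
        "image": "ymqytw/nginxhttps:1.5",
        "volumeMounts": [{"mountPath": "/etc/nginx/conf.d", "name": "configmap-volume"}],
    }],
}

if __name__ == "__main__":
    patched = add_vault_ca(EXAMPLE_POD_SPEC, "nginxhttpsv2")
    print(vault_cacert_resolves(EXAMPLE_POD_SPEC, "nginxhttpsv2"))  # False: no CA mounted
    print(vault_cacert_resolves(patched, "nginxhttpsv2"))           # True
```

add_vault_ca is idempotent, so it can run on every reconcile; the readOnly mount keeps a compromised process in the container from replacing the trust anchor.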
KV v2
Format
"vaultSecretRef": "
YAML Example
Here is an example YAML manifest for a Deployment whose container pulls secrets from KV v2 as file mounts, together with the ConfigMap that points nginx at the mounted certificate and key.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-vault-v2-certs
spec:
  selector:
    matchLabels:
      app: nginx-vault-v2-certs
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-vault-v2-certs
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
        vault.secretstore.rafay.dev/filesecret-config-1: |
          {
            "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlscert",
            "secretFileName": "tls.crt",
            "volumeMountPath": "/etc/nginx/ssl",
            "containers": ["nginxhttpsv2"]
          }
        vault.secretstore.rafay.dev/filesecret-config-2: |
          {
            "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
            "secretFileName": "tls.key",
            "volumeMountPath": "/etc/nginx/ssl",
            "containers": ["nginxhttpsv2"]
          }
    spec:
      serviceAccountName: vault-auth-demo
      volumes:
        - name: configmap-volume
          configMap:
            name: httpsnginxconfigmapv2
      containers:
        - name: nginxhttpsv2
          image: ymqytw/nginxhttps:1.5
          command: ["/home/auto-reload-nginx.sh"]
          ports:
            - containerPort: 443
            - containerPort: 80
          livenessProbe:
            httpGet:
              path: /index.html
              port: 80
            initialDelaySeconds: 30
            timeoutSeconds: 1
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: configmap-volume
---
apiVersion: v1
data:
  default.conf: |
    server {
      listen 80 default_server;
      listen [::]:80 default_server ipv6only=on;
      listen 443 ssl;
      root /usr/share/nginx/html;
      index index.html;
      server_name localhost;
      ssl_certificate /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;
      location / {
        try_files $uri $uri/ =404;
      }
    }
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: httpsnginxconfigmapv2
Helm Example
Here is an example Helm chart values.yaml that includes pod annotations using Rafay's Vault secret store integration to inject KV v2 secrets as file mounts. Both references use the KV v2 form (data/ in the path, data. in the selector) to match the YAML example above.
...
# Additional pod annotations
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: "demo"
  vault.secretstore.rafay.dev/filesecret-config-1: |
    {
      "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlscert",
      "secretFileName": "tls.crt",
      "volumeMountPath": "/etc/nginx/ssl",
      "containers": ["nginx"]
    }
  vault.secretstore.rafay.dev/filesecret-config-2: |
    {
      "vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
      "secretFileName": "tls.key",
      "volumeMountPath": "/etc/nginx/ssl",
      "containers": ["nginx"]
    }
...
## Specify the service account to use for pods
serviceAccount:
  name: vault-auth-demo