Files
It is assumed that you have already configured trust between your Kubernetes cluster and the Vault server.
Follow the steps documented below to use the Secret Store annotations to dynamically retrieve secrets from the Vault server. Workloads based on Helm or k8s yaml can use the supported annotations to inject Vault secrets as file mounts.
Important
The vaultSecretRef in the vault.secretstore.rafay.dev/filesecret-config is referred differently between KV v1 and v2.
Template for k8s YAML to pull individual secrets¶
annotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: <vault_role>
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "<path_to_vault_secrets1>",
"secretFileName": "<filename1>",
"volumeMountPath": "<mount_path1>",
"containers": ["<container_name1>"]
}
vault.secretstore.rafay.dev/filesecret-config-2: |
{
"vaultSecretRef": "<path_to_vault_secrets2>",
"secretFileName": "<filename2>",
"volumeMountPath": "<mount_path2>",
"containers": ["<container_name2>"]
}
...
spec:
serviceAccountName: <service_acount>
containers:
...
Template for Helm¶
Template for Helm chart values.yaml file with pod annotations to inject vault secrets as file mounts to containers:
podAnnotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: <vault_role>
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "<path_to_vault_secrets1>",
"secretFileName": "<filename1>",
"volumeMountPath": "<mount_path1>",
"containers": ["<container_name1>"]
}
vault.secretstore.rafay.dev/filesecret-config-2: |
{
"vaultSecretRef": "<path_to_vault_secrets2>",
"secretFileName": "<filename2>",
"volumeMountPath": "<mount_path2>",
"containers": ["<container_name2>"]
...
serviceAccount:
name: <service_acount>
Template to pull Multiple secrets¶
annotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: "demo"
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "app-secrets-v2/data/wordpress-mysql",
"secretFileName": "secret-1",
"volumeMountPath": "/secure/vault/secrets/1"
"outputFormat" : "json"
}
Important
Possible Output values are json or yaml. By
Vault CA Certificate¶
Some containers may come without the known Certificate Authority (CA) for the Vault host which may cause the containers to not be able to access Vault.
As a workaround, ensure that you set an environment variable VAULT_CACERT to point to the CA file mounted from Kubernetes secrets.
KV v2¶
Format to pull individial secrets¶
"vaultSecretRef": "
YAML Example¶
Here is an example yaml for a deployment with containers pulling individual secrets from KV v2 as file mounts.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-vault-v2-certs
spec:
selector:
matchLabels:
app: nginx-vault-v2-certs
replicas: 2
template:
metadata:
labels:
app: nginx-vault-v2-certs
annotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: "demo"
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlscert",
"secretFileName": "tls.crt",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginxhttpsv2"]
}
vault.secretstore.rafay.dev/filesecret-config-2: |
{
"vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
"secretFileName": "tls.key",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginxhttpsv2"]
}
spec:
serviceAccountName: vault-auth-demo
volumes:
- name: configmap-volume
configMap:
name: httpsnginxconfigmapv2
containers:
- name: nginxhttpsv2
image: ymqytw/nginxhttps:1.5
command: ["/home/auto-reload-nginx.sh"]
ports:
- containerPort: 443
- containerPort: 80
livenessProbe:
httpGet:
path: /index.html
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/nginx/conf.d
name: configmap-volume
---
apiVersion: v1
data:
default.conf: |
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
root /usr/share/nginx/html;
index index.html;
server_name localhost;
ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;
location / {
try_files $uri $uri/ =404;
}
}
kind: ConfigMap
metadata:
creationTimestamp: null
name: httpsnginxconfigmapv2
¶
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-vault-v2-certs
spec:
selector:
matchLabels:
app: nginx-vault-v2-certs
replicas: 2
template:
metadata:
labels:
app: nginx-vault-v2-certs
annotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: "demo"
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlscert",
"secretFileName": "tls.crt",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginxhttpsv2"]
}
vault.secretstore.rafay.dev/filesecret-config-2: |
{
"vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
"secretFileName": "tls.key",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginxhttpsv2"]
}
spec:
serviceAccountName: vault-auth-demo
volumes:
- name: configmap-volume
configMap:
name: httpsnginxconfigmapv2
containers:
- name: nginxhttpsv2
image: ymqytw/nginxhttps:1.5
command: ["/home/auto-reload-nginx.sh"]
ports:
- containerPort: 443
- containerPort: 80
livenessProbe:
httpGet:
path: /index.html
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/nginx/conf.d
name: configmap-volume
---
apiVersion: v1
data:
default.conf: |
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
root /usr/share/nginx/html;
index index.html;
server_name localhost;
ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;
location / {
try_files $uri $uri/ =404;
}
}
kind: ConfigMap
metadata:
creationTimestamp: null
name: httpsnginxconfigmapv2
KV v2¶
Format to pull multiple secrets¶
"vaultSecretRef": "
YAML Example¶
Here is an example yaml for a deployment with containers pulling multiple secrets from KV v2 as file mounts.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-vault-v2-certs
spec:
selector:
matchLabels:
app: nginx-vault-v2-certs
replicas: 2
template:
metadata:
labels:
app: nginx-vault-v2-certs
annotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: "demo"
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "app-secrets-v2/data/wordpress-mysql/data",
"secretFileName": "secret-1.yaml",
"volumeMountPath": "/secure/vault/secrets/1"
"outputFormat" : "json"
}
```
### Helm Example
Here is an example of helm chart values.yaml which includes pod annotations to use the Vault secret store integration to inject both individual and multiple secrets as file mounts.
```yaml
...
# Additational pod annotations
podAnnotations:
rafay.dev/secretstore: vault
vault.secretstore.rafay.dev/role: "demo"
vault.secretstore.rafay.dev/filesecret-config-1: |
{
"vaultSecretRef": "app-secrets-v1/tls-wildcard#tlscert",
"secretFileName": "tls.crt",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginx"]
}
vault.secretstore.rafay.dev/filesecret-config-2: |
{
"vaultSecretRef": "app-secrets-v2/data/tls-wildcard#data.tlskey",
"secretFileName": "tls.key",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginx"]
}
{
"vaultSecretRef": "app-secrets-v3/data/tls-wildcard",
"secretFileName": "keys.yaml",
"volumeMountPath": "/etc/nginx/ssl",
"containers": ["nginx"]
}
...
## Specify the service account to use for pods
serviceAccount:
name: vault-auth-demo