ENV Variables
It is assumed that you have already configured trust between your Kubernetes cluster and the Vault server.
Follow the steps documented below to use Rafay's Secret Store annotations to dynamically retrieve secrets from the Vault server. Workloads based on Helm or Kubernetes YAML can use the Rafay-supported Secret Store annotations to dynamically retrieve secrets from the Vault server into the pod's environment variables.
Important
The value in the environment variable is referenced differently between KV v1 and KV v2 (see the Format sections below).
Template for k8s YAML¶
annotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
...
spec:
  serviceAccountName: <service_account>
  containers:
  - env:
    - name: <environment_name>
      value: secretstore:vault:<path_to_secrets>
Template for Helm¶
Template for a Helm chart values.yaml file with pod annotations to inject Vault secrets as environment variables into containers:
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: <vault_role>
...
serviceAccount:
  name: <service_account>
...
env:
  - name: <environment_name>
    value: secretstore:vault:<path_to_secrets>
Vault CA Certificate¶
Some container images ship without the Certificate Authority (CA) certificate that issued the Vault host's TLS certificate, which prevents those containers from reaching Vault.
As a workaround, set the environment variable VAULT_CACERT to point to the CA file mounted from a Kubernetes secret (see the KV v1 example below).
KV v2¶
Format¶
For KV v2 the secret path includes the data/ segment of the mount and the key is selected under data:
value: secretstore:vault:<path_to_secrets>#data.<key>
YAML Example¶
Here is an example YAML for a deployment whose containers pull secrets from KV version 2 to use as environment variables; it can be deployed as a NativeYaml workload in the Rafay Console.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: frontend
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - image: wordpress:5.4.1-apache
        name: wordpress
        env:
        - name: WORDPRESS_DB_HOST
          value: wordpress-mysql
        - name: WORDPRESS_DB_USER
          value: secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.username
        - name: WORDPRESS_DB_PASSWORD
          value: secretstore:vault:app-secrets-v2/data/wordpress-mysql#data.password
        ports:
        - containerPort: 80
          name: wordpress
        volumeMounts:
        - name: wordpress-data
          mountPath: /var/www/html
      volumes:
      - name: wordpress-data
        persistentVolumeClaim:
          claimName: wordpress-data-claim
Helm Example¶
Here is an example of a Helm chart values.yaml that includes pod annotations to use Rafay's Vault secret store integration to inject secrets as environment variables (note that the two values below reference a KV v1 and a KV v2 path respectively).
...
# Additional pod annotations
podAnnotations:
  rafay.dev/secretstore: vault
  vault.secretstore.rafay.dev/role: "demo"
...
## Specify the service account to use for pods
serviceAccount:
  name: vault-auth-demo
...
# Additional pod environment variables
env:
  - name: "mysql_username"
    value: "secretstore:vault:app-secrets-v1/mysql#username"
  - name: "mysql_password"
    value: "secretstore:vault:app-secrets-v2/data/mysql#data.password"
KV v1¶
Format¶
For KV v1 the secret path has no data/ segment and the key is selected directly:
value: secretstore:vault:<path_to_secrets>#<key>
Example¶
An example YAML for a deployment whose containers pull secrets from KV v1 to use as environment variables.
This example also sets the VAULT_CACERT environment variable for the mysql container so that it can reach Vault, since the image does not ship with the CA certificate; the CA is mounted read-only from the vault-cacert-secret Kubernetes secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
      annotations:
        rafay.dev/secretstore: vault
        vault.secretstore.rafay.dev/role: "demo"
    spec:
      serviceAccountName: vault-auth-demo
      containers:
      - image: mysql:8.0.20
        name: mysql
        args:
        - "--default-authentication-plugin=mysql_native_password"
        env:
        - name: MYSQL_USER
          value: secretstore:vault:app-secrets-v1/mysql#username
        - name: MYSQL_PASSWORD
          value: secretstore:vault:app-secrets-v1/mysql#password
        - name: MYSQL_ROOT_PASSWORD
          value: secretstore:vault:app-secrets-v1/mysql#rootpassword
        - name: VAULT_CACERT
          value: "/etc/vault/ssl/cacert.pem"
        livenessProbe:
          initialDelaySeconds: 120
          timeoutSeconds: 5
          periodSeconds: 15
          tcpSocket:
            port: 3306
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-data
          mountPath: /var/lib/mysql
        - name: vault-cacert
          mountPath: "/etc/vault/ssl/"
          readOnly: true
      volumes:
      - name: mysql-data
        persistentVolumeClaim:
          claimName: mysql-data-claim
      - name: vault-cacert
        secret:
          secretName: vault-cacert-secret
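As an added illustration of why the KV v1 and KV v2 formats above differ (example code written for this page, not part of Rafay's documentation or tooling), the following Python resolves `secretstore:vault:<path>#<selector>` values against constructed stand-ins for Vault KV v1 and KV v2 read responses. The sample responses and the path-shape check used to recognise a KV v2 reference are assumptions of the example.

```python
import re
from typing import Any, Dict, List, Optional

# Reference syntax from this page: secretstore:vault:<path>#<selector>
# KV v1:  secretstore:vault:app-secrets-v1/mysql#username
# KV v2:  secretstore:vault:app-secrets-v2/data/mysql#data.password
REF_RE = re.compile(r"^secretstore:vault:(?P<path>[^#\s]+)#(?P<selector>[\w.\-]+)$")

# Constructed stand-in for Vault read responses (not real data). KV v1 returns the
# keys directly under "data"; KV v2 nests them under "data"."data" next to "metadata",
# which is why the page's v2 selectors start with "data.".
SAMPLE_READS: Dict[str, Dict[str, Any]] = {
    "app-secrets-v1/mysql": {"data": {"username": "wp", "password": "v1-pass"}},
    "app-secrets-v2/data/mysql": {
        "data": {"data": {"password": "v2-pass"}, "metadata": {"version": 3}}
    },
}

def parse_ref(value: str) -> Optional[Dict[str, str]]:
    """Split a secretstore reference into path and selector; None for plain literals."""
    m = REF_RE.match(value)
    return None if m is None else {"path": m["path"], "selector": m["selector"]}

def is_kv_v2_path(path: str) -> bool:
    """Assumed heuristic: KV v2 reads go through <mount>/data/<secret>."""
    parts = path.split("/")
    return len(parts) >= 3 and parts[1] == "data"

def resolve(value: str, reads: Dict[str, Dict[str, Any]] = SAMPLE_READS) -> str:
    """Return a literal unchanged, or the secret value a reference points at."""
    ref = parse_ref(value)
    if ref is None:
        return value
    resp = reads.get(ref["path"])
    if resp is None:
        raise KeyError(f"no secret at {ref['path']}")
    if is_kv_v2_path(ref["path"]) and not ref["selector"].startswith("data."):
        raise ValueError(f"KV v2 selector must start with 'data.': {ref['selector']}")
    node: Any = resp["data"]
    for part in ref["selector"].split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"selector {ref['selector']} not found at {ref['path']}")
        node = node[part]
    if not isinstance(node, str):
        raise TypeError(f"selector {ref['selector']} does not name a scalar secret")
    return node

def resolve_env(env: List[Dict[str, str]]) -> Dict[str, str]:
    """Resolve a container env list (name/value items) into the final environment."""
    return {item["name"]: resolve(item["value"]) for item in env}
```

Feeding the KV v1 selector `password` to a KV v2 path raises rather than silently returning the metadata block, which is the mistake the Important note above warns about.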