Vault Configuration ¶
The current helm chart support is provided for Hashicorp Vault annotations and use of the Hashicorp injector. More information on Hashicorp Vault annotations can be found here.
Vault Secret Values ¶
An example vault values section looks like:
vault:
enabled: true
hashicorp:
annotations:
role: {hashicorp-vault-role}
secretPrefix: {path to secret}
secrets:
{secret-name}:
{secret-key | to-json}:
path: /opt/in/some/location/secrets
file: devops-secret.env
The vault.hashicorp.secrets is a map that specifies each secret to pull from the
vault. And for each secret, a map specifies the key to pull with instructions of where
to place the secret based on path and file
| License Parameters | Description | Default Value |
|---|---|---|
| secrets.{secret} | map of secret | devops-secret |
| secrets.{secret}.{key} | map of key | pingaccess.lic |
| secrets.{secret}.{key}.path | optional: location of secret. Defaults to vault.annotation.secret-volume-path | /opt/in/some/path |
| secrets.{secret}.{key}.file | required: file name secrets placed into | pingaccess.lic |
Special key name (to-json) ¶
There is a special key name that can be provided that will drop the raw secret into the container as it's json representation with all the secret key names/values.
If dropped into the SECRETS_DIR (defaults to /run/secrets) directory, these files will
be processed as:
- PROPERTY_FILE if the file ends in
.envor - Multiple files will be created for each key=value pair.
See the example below in this document for the
transformation that occurs with the devops-secret.env.
Vault Annotations ¶
Default yaml defined in the global vault section. The options of annotation names/values can be found at vault definitions
For each of the annotations, the helm chart will automatically pre-pend the annotation with the
hashicorp annotation prefix of vault.hashicorp.com. See example below.
global:
vault:
enabled: false
hashicorp:
annotations:
agent-inject: true
agent-init-first: true
agent-pre-populate-only: true
log-level: info
preserve-secret-case: true
role: k8s-default
secret-volume-path: /run/secrets
serviceAccountName: vault-auth
Example ¶
The following includes an example Hashicorp Vault secrets as well as a value values .yaml that make use of the secrets and an example of where secrets will be placed into container.
Example: Hashicorp Vault secrets
SECRET:secrets/jsmith@example.com/jsmith-namespace/licenses
{
"pingaccess-6.2": "Product=PingAccess\nVersion=6.2...",
"pingdirectory-8.2": "Product=PingDirectory\nVersion=8.2...",
"pingfederate-10.2": "Product=PingFederate\nVersion=10.2..."
}
SECRET: secrets/jsmith@example.com/jsmith-namespace/devops-secrets.env
{
"PING_IDENTITY_ACCEPT_EULA": "YES",
"PING_IDENTITY_DEVOPS_KEY": "d254....-....-...-...-............",
"PING_IDENTITY_DEVOPS_USER": "jsmith@example.com"
}
SECRET: secrets/jsmith@example.com/jsmith-namespace/certs
{
"tls.crt": "LS0tLS1CRUdJ...a9dk",
"tls.key": "LS0tLS1CRUdJ...38sj"
}
Example: Vault secrets .yaml
pingfederate-admin:
vault:
hashicorp:
secrets:
devops-secret.env:
to-json:
file: devops-secret.env
licenses:
pingaccess-6.2:
file: pingaccess.lic
path: /opt/in/some/location/licenses
test-certs:
to-json:
file: test-certs
Places the following files into the container:
Example: Container files
FILE: /run/secrets/devops-secret.env
PING_IDENTITY_ACCEPT_EULA="YES"
PING_IDENTITY_DEVOPS_KEY="d254....-....-...-...-............"
PING_IDENTITY_DEVOPS_USER="jsmith@example.com"
FILE: /opt/in/some/location/licenses/pingaccess.lic
Product=PingAccess
Version=6.2
...
FILE: /run/secrets/tls.crt
LS0tLS1CRUdJ...a9dk
FILE: /run/secrets/tls.key
LS0tLS1CRUdJ...38sj