Injecting Dynamic Database Credentials into K8s Pods via Vault
HashiCorp Vault is designed to deliver database credentials to your Kubernetes app securely. Kubernetes annotations attach arbitrary, non-identifying metadata to objects, and Vault's Kubernetes integration uses such annotations to inject secrets into Kubernetes pods.
For example, the annotations added to your app's Kubernetes manifest have the following general structure:
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-<unique-name>: "path/to/creds"
        ...
Vault supports injecting both static and dynamic secrets into pods. With dynamic secrets, you delegate to Vault the creation of each secret and the management of its lifecycle. For database credentials, you give Vault the credentials to your database; Vault can then not only rotate those root credentials but also create temporary roles with exactly the permissions you specify, and these temporary roles are what your Kubernetes app uses. The roles are defined by writing SQL/JSON templates to Vault with its write command:
usage: vault write [options] PATH [DATA K=V ...]
Vault’s database secrets engine supports several relational and NoSQL databases.
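The full procedure described above, carried through end to end, as an added example that is not from the article or from HashiCorp: it configures the database secrets engine for a PostgreSQL database, rotates the bootstrap root credential, defines a short-lived read-only role, and renders the pod annotations that request its credentials (including the template that turns the lease into a connection string, which the article does not show). The database address postgres.db.svc, the Vault paths, the role names and the Kubernetes auth role "app" are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the article. Assumed: a PostgreSQL service at
# postgres.db.svc and a Vault Kubernetes-auth role named "app" bound to the pod's
# service account. Set VAULT="echo vault" to print the commands instead of running them.
VAULT="${VAULT:-vault}"

configure_db_engine() {
  $VAULT secrets enable database
  # Vault holds the privileged connection credential; the application never does.
  # allowed_roles limits which Vault roles may mint credentials on this connection.
  $VAULT write database/config/app-postgres \
    plugin_name=postgresql-database-plugin \
    allowed_roles="app-readonly" \
    connection_url="postgresql://{{username}}:{{password}}@postgres.db.svc:5432/app?sslmode=require" \
    username="vault_admin" password="BOOTSTRAP_PASSWORD_PLACEHOLDER"
  # Rotate the bootstrap password immediately so only Vault knows the root credential.
  $VAULT write -force database/rotate-root/app-postgres
}

create_readonly_role() {
  # creation_statements is the SQL template Vault runs for every lease; {{name}},
  # {{password}} and {{expiration}} are filled in by Vault. Grant only what the app
  # needs, and keep default_ttl short so a leaked credential expires quickly.
  $VAULT write database/roles/app-readonly \
    db_name=app-postgres \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" max_ttl="24h"
}

# Pod annotations: the agent injector fetches a fresh lease from database/creds/app-readonly,
# renders it to /vault/secrets/db-creds, and renews or re-renders it before it expires.
pod_annotations() {
  cat <<'EOF'
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "app"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/app-readonly"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/app-readonly" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.db.svc:5432/app?sslmode=require
          {{- end }}
EOF
}
```

The application reads /vault/secrets/db-creds at startup and on change; it never holds the root credential, and any leaked lease expires within max_ttl.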
- Announcing HashiCorp Vault 1.3. https://www.hashicorp.com/blog/vault-1-3/