Skip to main content
Loading
Version: Operator 3.3.0

Integrating Secret Management Services

Since server 6.4, Aerospike Database Enterprise Edition can fetch sensitive configuration from secrets management services, using an intermediate process called Secret Agent. The agent runs as a sidecar and acts as a proxy between Aerospike server and the Secret Management service, for example the AWS Secrets Manager.

Add Aerospike Secret Agent sidecar

spec:
.
.
.
podSpec:
sidecars:
- name: secret-agent
image: aerospike/aerospike-secret-agent:1.1.0
args:
- -config-file=/etc/aerospike/secret-agent/config.yaml # this path can be changed as per secret-agent secret mount path
.
.
.

Create Aerospike Secret Agent configuration secret

Aerospike Secret Agent requires a configuration file config.yaml to configure the listening port, TLS, socket and to connect to secrets management services.

The following is an example configuration file:

service:
tcp:
endpoint: 0.0.0.0:3005

secret-manager:
aws:
region: us-west-1
resources:
TestingSecret: arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j # Secret ARN
access-key-id: <access-key-id>
secret-access-key: <secret-access-key>
log:
level: info

For all configuration parameters, see Aerospike Secret Agent

Create a Kubernetes secret using above configuration file config.yaml in the namespace where Aerospike Cluster will be created

kubectl -n <namespace> create secret generic aerospike-agent-secret --from-file=config.yaml

Add Aerospike Secret Agent mount configuration in CR

Add volume mount configuration in the CR to mount the secret created above.

  storage:
filesystemVolumePolicy:
cascadeDelete: true
initMethod: deleteFiles
blockVolumePolicy:
cascadeDelete: true
volumes:
.
.
.
- name: aerospike-agent-secret
source:
secret:
secretName: aerospike-agent-secret
sidecars:
- containerName: secret-agent
path: /etc/aerospike/secret-agent

Add Secret Agent Configuration in Aerospike server

Add Secret Agent configuration in Aerospike server to set up communication between server and agent.

    aerospikeConfig:
service:
feature-key-file: secrets:TestingSecret:FeatureKey
secrets-address-port: 127.0.0.1 3005

security: {}

network:
service:
port: 3000
heartbeat:
port: 3002
fabric:
port: 3001

namespaces:
- name: test
replication-factor: 2
storage-engine:
type: device
devices:
- /test/dev/xvdf

Configuration parameter secrets-address-port under service context specifies the Secret agent info. secrets-address-port value is given in the format<Agent-IP> <Agent-List en-Port> <TLS-name>. TLS-name is optional and only required if TLS is configured for Secret Agent.

To fetch secret values for the supported configuration parameters from the external secret manager, a user must specify that configuration value in secrets:[resource:]key format.

  1. secrets:- A required prefix. It indicates that the configuration parameter value will be fetched from the external secret manager.

  2. resource- Resource name in Secret Agent's configuration file. This is an optional field if a single resource name is mentioned in the secret agent's configuration file. Otherwise it is required. The secret will be fetched from the path corresponding to the resource name.

    Refer to the Secret Agent configuration documentation for more information.

  3. key - Required field. It identifies the secret to be fetched.

    AWS allows multiple key-values in one secret. key field determines which key-value will be fetched.

    GCP allows single value in one secret. key field is used only to cross-check that it is a substring of the resource path to avoid user mistakes.

In the above example, TestingSecret is an alias for a resource in Secret Agent's configuration file. FeatureKey is an identifier for the actual base64-encoded feature key file stored in an external secret manager.

For more information, see Aerospike Secret Management Services