# Integrate Secret management services with Aerospike on Kubernetes

## Overview

Aerospike Database can fetch sensitive configuration values from secret management services through an intermediate process called [Secret Agent](https://aerospike.com/docs/database/tools/secret-agent). On Kubernetes the agent runs as a sidecar container in each Aerospike pod and acts as a proxy between the Aerospike server and the secret management service, such as AWS Secrets Manager.

### Add Aerospike Secret Agent sidecar

```yaml
spec:
  podSpec:
    sidecars:
      - name: secret-agent
        image: aerospike/aerospike-secret-agent:1.2.3
        args:
          - -config-file=/etc/aerospike/secret-agent/config.yaml  # This path can be changed to match the secret-agent secret mount path
```

### Create Aerospike Secret Agent configuration secret

Aerospike Secret Agent requires a configuration file, `config.yaml`, that sets the listening endpoint (port, TLS, or socket) and the connection details for the secret management services it fetches from.

The following is an example configuration file:

config.yaml

```yaml
service:
  tcp:
    endpoint: 0.0.0.0:3005
secret-manager:
  aws:
    region: us-west-1
    resources:
      TestingSecret: arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j  # Secret ARN
    access-key-id: <access-key-id>
    secret-access-key: <secret-access-key>
log:
  level: info
```

For all configuration parameters, see the Aerospike Secret Agent [configuration template](https://github.com/aerospike/aerospike-secret-agent/blob/main/config/template.yaml).

Two points about this example are worth checking before you use it. The agent listens on every interface of the pod (`0.0.0.0:3005`), but the Aerospike server only needs to reach it over loopback, so binding to `127.0.0.1:3005` keeps the agent unreachable from other pods. The `access-key-id` and `secret-access-key` placeholders stand for static IAM credentials; whatever you put there ends up inside the Kubernetes Secret created in the next step, so restrict read access to that Secret with RBAC and scope the IAM identity to the secrets the agent actually has to read.

Create a Kubernetes secret using the previously shown configuration file `config.yaml` in the namespace where Aerospike Cluster will be created.


```bash
kubectl -n NAMESPACE create secret generic aerospike-agent-secret --from-file=config.yaml
```

### Add Aerospike Secret Agent mount configuration in AKO CR

Add a volume to the `storage` section of the AKO CR that sources the Secret created previously and mounts it into the `secret-agent` sidecar. `volumes` is a direct child of `storage`, alongside the two volume policies, and the `sidecars` entry mounts the Secret at the directory the `-config-file` argument expects.

```yaml
storage:
  filesystemVolumePolicy:
    cascadeDelete: true
    initMethod: deleteFiles
  blockVolumePolicy:
    cascadeDelete: true
  volumes:
    - name: aerospike-agent-secret
      source:
        secret:
          secretName: aerospike-agent-secret
      sidecars:
        - containerName: secret-agent
          path: /etc/aerospike/secret-agent
```

### Add Secret Agent configuration in Aerospike Database

The following example shows a Secret Agent configuration in Aerospike Database to set up the communication between the server and agent.

```yaml
aerospikeConfig:
  service:
    feature-key-file: secrets:TestingSecret:FeatureKey
    secrets-address-port: 127.0.0.1  3005
  security: {}
  network:
    service:
      port: 3000
    heartbeat:
      port: 3002
    fabric:
      port: 3001
  namespaces:
    - name: test
      replication-factor: 2
      storage-engine:
        type: device
        devices:
          - /test/dev/xvdf
```
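Putting the four steps together, the following is one complete `AerospikeCluster` CR. It is added here as an illustration and is not copied from the Aerospike documentation: the sidecar, the mounted agent Secret, and the `aerospikeConfig` are the fragments above, while the metadata names, the cluster `size`, the server image tag, the storage class, and the block volume backing `/test/dev/xvdf` (which the namespace configuration references but the page does not define) are assumptions.

```yaml
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster            # assumed name
  namespace: aerospike         # must match the namespace of the aerospike-agent-secret Secret
spec:
  size: 2                      # assumed cluster size
  image: aerospike/aerospike-server-enterprise:6.4.0.2   # assumed server image tag
  podSpec:
    sidecars:
      - name: secret-agent
        image: aerospike/aerospike-secret-agent:1.2.3
        args:
          - -config-file=/etc/aerospike/secret-agent/config.yaml
  storage:
    filesystemVolumePolicy:
      cascadeDelete: true
      initMethod: deleteFiles
    blockVolumePolicy:
      cascadeDelete: true
    volumes:
      # Agent config.yaml, mounted only into the sidecar, not into the server container
      - name: aerospike-agent-secret
        source:
          secret:
            secretName: aerospike-agent-secret
        sidecars:
          - containerName: secret-agent
            path: /etc/aerospike/secret-agent
      # Assumed block device for namespace "test"; the device path must match storage-engine.devices
      - name: ns-test
        source:
          persistentVolume:
            storageClass: ssd       # assumed storage class name
            volumeMode: Block
            size: 5Gi
        aerospike:
          path: /test/dev/xvdf
  aerospikeConfig:
    service:
      feature-key-file: secrets:TestingSecret:FeatureKey
      secrets-address-port: 127.0.0.1 3005   # sidecar shares the pod network namespace, so loopback works
    security: {}
    network:
      service:
        port: 3000
      heartbeat:
        port: 3002
      fabric:
        port: 3001
    namespaces:
      - name: test
        replication-factor: 2
        storage-engine:
          type: device
          devices:
            - /test/dev/xvdf
```

The Secret is mounted into the sidecar only, so the server container never sees the agent's cloud credentials; it receives secret values over the loopback connection on port 3005 and nothing else.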

The parameter `service.secrets-address-port` tells the server where to reach the Secret Agent. Its value is space separated, in the format `<Agent-IP> <Agent-Listen-Port> <TLS-name>`. `TLS-name` is optional and only required if TLS is configured for the Secret Agent. Because the agent runs as a sidecar in the same pod, `127.0.0.1 3005` reaches it over the pod's loopback interface.

To fetch secret values for the supported configuration parameters from the external secret manager, specify the configuration value in the format `secrets:[resource:]key`. The brackets show that older agent versions accepted a reference without a resource name; as of Secret Agent 1.3.0 the agent validates the resource name, so treat it as required.

| Parameter | Required | Description |
| --- | --- | --- |
| `secrets:` | Required | Mandatory prefix that tells the server to fetch the value from an external secret manager through the Secret Agent. |
| `resource` | Required (as of Secret Agent 1.3.0 the agent always validates the resource name) | Name of a resource in the Secret Agent configuration file. The secret is retrieved from the path associated with this resource. See the Secret Agent [configuration documentation](https://aerospike.com/docs/database/tools/secret-agent/) for details. |
| `key` | Required | Identifies the specific secret entry. AWS: a single secret can contain multiple key-value pairs, and `key` selects which pair to use. GCP: a secret contains a single value, and `key` is cross-checked to ensure it matches part of the resource path. |

In the previous example, `TestingSecret` is the alias of a resource in the Secret Agent's configuration file (the AWS secret ARN shown earlier), and `FeatureKey` is the key within that secret whose value is the base64-encoded feature key file.
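The reference format and the address format above are easy to get subtly wrong (an alias that is not declared in the agent config, a port that does not match the agent's `service.tcp.endpoint`), and a mistake only shows up when the server pod fails to start. The following script is an added example, not Aerospike tooling: it is a pre-deploy lint that encodes the rules the page states (the `secrets:[resource:]key` shape, the resource name required by Secret Agent 1.3.0 and later, the GCP key cross-check, and the `<ip> <port> [<tls-name>]` address) and also flags an agent endpoint bound to `0.0.0.0`, which is a hardening recommendation added here rather than a rule from the page. The two configs are constructed copies of the page's examples written as Python dicts so the script runs without PyYAML; the substring check used for GCP keys is an approximation of the agent's cross-check.

```python
"""Pre-deploy lint for `secrets:` references in an Aerospike config (added example,
not Aerospike tooling; rules follow the page's description of the reference format)."""
from __future__ import annotations

SECRET_PREFIX = "secrets:"

# Constructed copy of the page's agent config.yaml as a dict (credentials omitted).
AGENT_CONFIG = {
    "service": {"tcp": {"endpoint": "0.0.0.0:3005"}},
    "secret-manager": {"aws": {
        "region": "us-west-1",
        "resources": {"TestingSecret": "arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j"},
    }},
}

# Constructed copy of the page's aerospikeConfig.service section.
AEROSPIKE_CONFIG = {
    "service": {
        "feature-key-file": "secrets:TestingSecret:FeatureKey",
        "secrets-address-port": "127.0.0.1 3005",
    },
    "security": {},
}


def parse_secret_ref(value: str) -> tuple[str | None, str]:
    """Split `secrets:[resource:]key` into (resource, key); resource is None when omitted."""
    if not value.startswith(SECRET_PREFIX):
        raise ValueError(f"not a secrets reference: {value!r}")
    parts = value[len(SECRET_PREFIX):].split(":", 1)
    if any(p == "" for p in parts):
        raise ValueError(f"empty resource or key in {value!r}")
    return (parts[0], parts[1]) if len(parts) == 2 else (None, parts[0])


def parse_agent_address(value: str) -> tuple[str, int, str | None]:
    """Parse `<ip> <port> [<tls-name>]`, the format of service.secrets-address-port."""
    tokens = value.split()
    if len(tokens) not in (2, 3):
        raise ValueError(f"expected '<ip> <port> [<tls-name>]', got {value!r}")
    port = int(tokens[1])  # a non-numeric port raises ValueError
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return tokens[0], port, tokens[2] if len(tokens) == 3 else None


def iter_secret_refs(node, path: str = ""):
    """Yield (dotted path, value) for every string in the config that starts with `secrets:`."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_secret_refs(child, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_secret_refs(child, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith(SECRET_PREFIX):
        yield path, node


def lint(aerospike_config: dict, agent_config: dict, agent_version=(1, 3, 0)) -> list[str]:
    """Return findings as strings; an empty list means the references are consistent."""
    findings = []
    # alias -> (provider, backend path) across every provider block in the agent config
    resources = {alias: (provider, target)
                 for provider, cfg in agent_config.get("secret-manager", {}).items()
                 for alias, target in (cfg or {}).get("resources", {}).items()}
    refs = list(iter_secret_refs(aerospike_config))

    for path, value in refs:
        try:
            resource, key = parse_secret_ref(value)
        except ValueError as exc:
            findings.append(f"{path}: {exc}")
            continue
        if resource is None:
            if agent_version >= (1, 3, 0):
                findings.append(f"{path}: resource name is required by Secret Agent 1.3.0 and later")
        elif resource not in resources:
            findings.append(f"{path}: resource {resource!r} is not declared in the agent config")
        elif resources[resource][0] == "gcp" and key not in resources[resource][1]:
            # a GCP secret holds one value, so the agent cross-checks `key` against the resource path
            findings.append(f"{path}: key {key!r} does not match GCP resource path {resources[resource][1]!r}")

    addr = aerospike_config.get("service", {}).get("secrets-address-port")
    if addr is None:
        if refs:
            findings.append("service.secrets-address-port is missing but secrets: references are present")
        return findings
    try:
        _ip, port, _tls_name = parse_agent_address(addr)
    except ValueError as exc:
        findings.append(f"service.secrets-address-port: {exc}")
        return findings
    endpoint = agent_config.get("service", {}).get("tcp", {}).get("endpoint", "")
    host, _, agent_port = endpoint.rpartition(":")
    if not agent_port.isdigit() or int(agent_port) != port:
        findings.append(f"service.secrets-address-port uses port {port} but the agent listens on {endpoint!r}")
    if host == "0.0.0.0":
        findings.append("agent service.tcp.endpoint binds 0.0.0.0 (reachable on the pod IP); 127.0.0.1 suffices for a sidecar")
    return findings
```

Run `lint(AEROSPIKE_CONFIG, AGENT_CONFIG)` against the page's two examples and the only finding is the `0.0.0.0` bind; change the endpoint to `127.0.0.1:3005` and the result is empty. Pointing the reference at an undeclared alias, or at a port the agent does not listen on, produces one finding per problem, which is the failure you would otherwise discover only from the server container's startup logs.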

For more information, see [Aerospike Secret Management Services](https://aerospike.com/docs/database/manage/security/secrets).