Integrate Secret management services
Overview
Aerospike Database can fetch sensitive configurations from secret management services using an intermediate process called Secret Agent. The agent runs as a sidecar and acts as a proxy between Aerospike and the Secret Management service such as the AWS Secrets Manager.
Add Aerospike Secret Agent sidecar
spec:... podSpec: sidecars: - name: secret-agent image: aerospike/aerospike-secret-agent:1.2.3 args: - -config-file=/etc/aerospike/secret-agent/config.yaml # This path can be changed to match the secret-agent secret mount pathCreate Aerospike Secret Agent configuration secret
Aerospike Secret Agent requires a configuration file config.yaml to configure the listening port, TLS, socket and to connect to secrets management services.
The following is an example configuration file:
service: tcp: endpoint: 0.0.0.0:3005
secret-manager: aws: region: us-west-1 resources: TestingSecret: arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j # Secret ARN access-key-id: <access-key-id> secret-access-key: <secret-access-key>log: level: infoFor all configuration parameters, see Aerospike Secret Agent
Create a Kubernetes secret using the previously shown configuration file config.yaml in the namespace where Aerospike Cluster will be created.
kubectl -n <namespace> create secret generic aerospike-agent-secret --from-file=config.yamlAdd Aerospike Secret Agent mount configuration in AKO CR
Add volume mount configuration in the AKO CR to mount the secret created previously.
storage: filesystemVolumePolicy: cascadeDelete: true initMethod: deleteFiles blockVolumePolicy: cascadeDelete: true volumes: ... - name: aerospike-agent-secret source: secret: secretName: aerospike-agent-secret sidecars: - containerName: secret-agent path: /etc/aerospike/secret-agentAdd Secret Agent configuration in Aerospike Database
The following example shows a Secret Agent configuration in Aerospike Database to set up the communication between server and agent.
aerospikeConfig: service: feature-key-file: secrets:TestingSecret:FeatureKey secrets-address-port: 127.0.0.1 3005
security: {}
network: service: port: 3000 heartbeat: port: 3002 fabric: port: 3001
namespaces: - name: test replication-factor: 2 storage-engine: type: device devices: - /test/dev/xvdfThe parameter service.secrets-address-port specifies the Secret agent information.
The secrets-address-port value is given in the format<Agent-IP> <Agent-Listen-Port> <TLS-name>.
TLS-name is optional and only required if TLS is configured for Secret Agent.
To fetch secret values for the supported configuration parameters from the external secret manager, you must specify that configuration value in secrets:[resource:]key format.
-
secrets:- A required prefix. It indicates that the configuration parameter value will be fetched from the external secret manager. -
resource- Resource name in Secret Agent’s configuration file. This is an optional field if a single resource name is mentioned in the secret agent’s configuration file. Otherwise it is required. The secret will be fetched from the path corresponding to the resource name.Refer to the Secret Agent configuration documentation for more information.
-
key- Required field. It identifies the secret to be fetched.AWS allows multiple key-values in one secret.
keyfield determines which key-value will be fetched.GCP allows single value in one secret.
keyfield is used only to cross-check that it is a substring of the resource path to avoid user mistakes.
In the previous example, TestingSecret is an alias for a resource in
Secret Agent’s configuration file. FeatureKey is an identifier for the
actual base64-encoded feature key file stored in an external secret manager.
For more information, see Aerospike Secret Management Services