Integrate Secret management services with Aerospike on Kubernetes
Aerospike Database can fetch sensitive configuration values from secret management services by using Aerospike Secret Agent. The agent runs as a sidecar and proxies requests between Aerospike Database and a secret management service such as AWS Secrets Manager.
Add Aerospike Secret Agent sidecar
```yaml
spec:
  podSpec:
    sidecars:
      - name: secret-agent
        image: aerospike/aerospike-secret-agent:1.2.3
        args:
          - -config-file=/etc/aerospike/secret-agent/config.yaml # This path can be changed to match the secret-agent secret mount path
```

Create Aerospike Secret Agent configuration secret
Aerospike Secret Agent requires a configuration file, config.yaml, that sets its listening port, TLS and socket options and tells it how to connect to one or more secret management services.
The following is an example configuration file:
```yaml
service:
  tcp:
    endpoint: 0.0.0.0:3005

secret-manager:
  aws:
    region: us-west-1
    resources:
      TestingSecret: arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j # Secret ARN
    access-key-id: ACCESS_KEY_ID
    secret-access-key: SECRET_ACCESS_KEY

log:
  level: info
```

ACCESS_KEY_ID and SECRET_ACCESS_KEY are placeholders for the credentials the agent uses to reach AWS Secrets Manager. Note that binding the endpoint to 0.0.0.0 makes port 3005 reachable on the pod IP from other pods as well as from the Aerospike container, so restrict it with a NetworkPolicy if your cluster allows pod-to-pod traffic. For all configuration parameters, see Aerospike Secret Agent.
Create a Kubernetes secret from the config.yaml shown above in the namespace where the Aerospike cluster will be created. Because config.yaml carries the cloud credentials, restrict access to this Kubernetes Secret (RBAC, and etcd encryption at rest if available) as you would to the credentials themselves.

```shell
kubectl -n NAMESPACE create secret generic aerospike-agent-secret --from-file=config.yaml
```

Add Aerospike Secret Agent mount configuration in AKO CR
Add volume mount configuration in the AKO CR to mount the secret created previously.
```yaml
storage:
  filesystemVolumePolicy:
    cascadeDelete: true
    initMethod: deleteFiles
  blockVolumePolicy:
    cascadeDelete: true
  volumes:
    - name: aerospike-agent-secret
      source:
        secret:
          secretName: aerospike-agent-secret
      sidecars:
        - containerName: secret-agent
          path: /etc/aerospike/secret-agent
```

Add Secret Agent configuration in Aerospike Database
The following example shows how to configure Secret Agent in Aerospike Database so the server can communicate with the agent.
```yaml
aerospikeConfig:
  service:
    feature-key-file: secrets:TestingSecret:FeatureKey
    secrets-address-port: 127.0.0.1 3005
  security: {}
  network:
    service:
      port: 3000
    heartbeat:
      port: 3002
    fabric:
      port: 3001
  namespaces:
    - name: test
      replication-factor: 2
      storage-engine:
        type: device
        devices:
          - /test/dev/xvdf
```

The service.secrets-address-port parameter specifies the Secret Agent connection information.
The secrets-address-port value uses the format AGENT_IP AGENT_LISTEN_PORT TLS_NAME (space separated). Because the sidecar shares the pod's network namespace, the server reaches the agent at 127.0.0.1 on the port configured in the agent's service.tcp.endpoint.
TLS_NAME is optional; include it only when the Secret Agent endpoint is configured for TLS.
To have a supported configuration parameter fetched from the external secret manager, set its value in the form secrets:[resource:]key.
| Parameter | Required | Description |
|---|---|---|
| `secrets:` | Required | Mandatory prefix that tells the server to fetch the value from an external secret manager. |
| `resource` | Required (as of Secret Agent 1.3.0, the agent always validates the resource name). | Name of the resource in the Secret Agent configuration file. The secret is retrieved from the path associated with this resource. See the Secret Agent configuration documentation for details. |
| `key` | Required | Identifies the specific secret entry. AWS: a single secret can contain multiple key-value pairs, and `key` selects which pair to use. GCP: a secret contains a single value, and `key` is cross-checked to ensure it matches part of the resource path. |
In the previous example, TestingSecret is an alias for a resource in the Secret Agent configuration file. FeatureKey identifies the base64-encoded feature-key file stored in the external secret manager.
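A resource name that does not match the Secret Agent configuration, or a malformed secrets-address-port, is only discovered when the server fails to start. The script below is an added example, not Aerospike's own code or the Secret Agent's validation logic; it checks the `secrets:[resource:]key` references and the `secrets-address-port` value of an aerospikeConfig block against the agent's config.yaml before the CR is applied. The two aerospikeConfig samples (including the undeclared `ProdSecret` resource and the truncated address) are constructed for illustration, and the `require_resource` flag is this example's own knob for the 1.3.0 resource-validation behaviour described in the table.

```python
"""Preflight check for Aerospike Secret Agent references (added example,
not part of the Aerospike docs or the Secret Agent code). Standard library
only, so it runs offline: the YAML is scanned as text rather than parsed."""
import re

# Constructed sample mirroring the agent config on the page (placeholder creds).
AGENT_CONFIG = """\
service:
  tcp:
    endpoint: 0.0.0.0:3005
secret-manager:
  aws:
    region: us-west-1
    resources:
      TestingSecret: arn:aws:secretsmanager:us-west-1:999999999999:secret:TestingSecret-tN6s2j
    access-key-id: ACCESS_KEY_ID
    secret-access-key: SECRET_ACCESS_KEY
log:
  level: info
"""
# Constructed aerospikeConfig fragments: one correct, one with two mistakes.
GOOD_CONFIG = """\
aerospikeConfig:
  service:
    feature-key-file: secrets:TestingSecret:FeatureKey
    secrets-address-port: 127.0.0.1 3005
"""
BAD_CONFIG = """\
aerospikeConfig:
  service:
    feature-key-file: secrets:ProdSecret:FeatureKey
    secrets-address-port: 127.0.0.1
"""
# secrets:[resource:]key -- the resource component is optional in the syntax.
SECRET_REF = re.compile(r"^secrets:(?:(?P<resource>[^:\s]+):)?(?P<key>[^:\s]+)$")


def parse_secret_ref(value):
    """Split a secrets reference into (resource, key); resource is None if omitted."""
    m = SECRET_REF.match(value.strip())
    if not m:
        raise ValueError(f"not a secrets:[resource:]key value: {value!r}")
    return m.group("resource"), m.group("key")


def parse_secrets_address_port(value):
    """Parse 'AGENT_IP AGENT_LISTEN_PORT [TLS_NAME]' (space separated)."""
    parts = value.split()
    if len(parts) not in (2, 3):
        raise ValueError(f"expected 'IP PORT [TLS_NAME]', got {value!r}")
    if not parts[1].isdigit() or not 1 <= int(parts[1]) <= 65535:
        raise ValueError(f"bad port {parts[1]!r}")
    return {"address": parts[0], "port": int(parts[1]),
            "tls_name": parts[2] if len(parts) == 3 else None}


def declared_resources(agent_config):
    """Collect resource aliases: the keys indented under any `resources:` line."""
    names, base = set(), None
    for line in agent_config.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if base is not None:
            if indent > base:
                m = re.match(r"\s*([\w.-]+)\s*:", line)
                if m:
                    names.add(m.group(1))
                continue
            base = None  # indentation returned: resources block ended
        if line.strip() == "resources:":
            base = indent
    return names


def check_references(aerospike_config, agent_config, require_resource=True):
    """Return a list of problems; empty when every reference resolves.
    require_resource=True models Secret Agent 1.3.0+, which validates the
    resource name; False allows the bare secrets:key form."""
    resources = declared_resources(agent_config)
    problems = []
    for m in re.finditer(r"^\s*([\w.-]+):\s*(secrets:\S+)\s*$", aerospike_config, re.M):
        param, value = m.group(1), m.group(2)
        try:
            resource, _key = parse_secret_ref(value)
        except ValueError as exc:
            problems.append(f"{param}: {exc}")
            continue
        if resource is None:
            if require_resource:
                problems.append(f"{param}: {value!r} has no resource name")
        elif resource not in resources:
            problems.append(f"{param}: resource {resource!r} not in agent config "
                            f"(declared: {sorted(resources)})")
    for m in re.finditer(r"^\s*secrets-address-port:\s*(.+?)\s*$", aerospike_config, re.M):
        try:
            parse_secrets_address_port(m.group(1))
        except ValueError as exc:
            problems.append(f"secrets-address-port: {exc}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_references(cfg, AGENT_CONFIG) or "OK")
```

Run it with the real config.yaml and the aerospikeConfig section of your CR pasted into the two strings (or read from files); an empty problem list means every resource alias is declared in the agent config and the address string has the expected two or three fields. The scan is line based, so it only catches `key: secrets:...` values written on one line, which is how the operator examples write them.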
For more information, see Aerospike Secret Management Services.