Skip to main content
Skip table of contents

Kubernetes - Use Monopam to Configure Secret Store

This document will help you to configure Kubernetes to use Monopam Vault for Secret Storage. Before you continue, you need to make sure you have a valid license and configuration on your Monopam.

Monopam uses External Secrets Operator (ESO) to bind Monopam credentials to Kubernetes.

To configure your Monopam Vault to use in Kubernetes, follow the instructions.

📘 Instructions

This documentation will contain 5 steps for integration.

  1. Install External Secrets Operator (ESO) to Kubernetes

  2. Create Monopam Access Key

  3. Add Monopam Access Key to Secret Storage

  4. Configure External Secrets Operator in Kubernetes

  5. Map your Monopam Vault Item (Credential) to the Kubernetes

    1. Read Secret Text

    2. Read UserName and Password

  6. Test Vault with Example Deployment

Highlight important information in a panel like this one. To edit this panel's color or style, select one of the options in the menu.

1. Install External Secrets Operator (ESO) to Kubernetes

You can follow the installation document of External Secrets Operator.

If you already have External Secrets Operator, you can skip this step.

🖥️ External Secrets Operator - Getting Started

2. Create Monopam Access Key

To access vault items from Monopam API, you need to create an Access Key in Monopam. You can follow the instructions.

Sign in to your Monopam Environment.

  1. Go to the Access Keys

  2. Add New

  3. Give your Access Key a Name

  4. Copy you Access Key (We are gonna use it on Kubernetes)

  5. Click OK

You have successfully created your Access Key.

If you want to allow this access key to read a vault item, you need to add that vault item to the Access Key.

  1. Click the Vault

  2. Go to the your Vault Item

  3. Click the “:” button on the top of the right

  4. Select your Access Key on the list and Click OK.

3. Add Monopam Access Key to Secret Storage

Now we need to store Monopam Access Key in Kubernetes Secret Storage.

Namespace Information

After you installing External Secrets Operator, it will also create a namespace external-sercrets. All our deployment of this dependency will be there. If you want custom namespace for your secrets and dependency, you may need configure your namespace definitions.

Use the following deployment file to create Monopam Access Key in Kubernetes

YAML
apiVersion: v1
kind: Secret
metadata:
  name: monopam-vault-access-key
  namespace: external-secrets
stringData:
  apikey: "XXXXXX-YYYYYY-ZZZZ-AAAA-TTTTTTTTT" # Your Monopam Vault Access Key

4. Configure External Secrets Operator in Kubernetes

Deploy following YAML file in your Kubernetes.

Before doing this change the <MONOPAM-URL> with your instance URL.

YAML
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: monopam-vault-store
  namespace: external-secrets
spec:
  provider:
    webhook:
      url: "https://<MONOPAM-URL>/api/v1/vault/{{ .remoteRef.key }}"
      result:
        jsonPath: "$.data.{{ .remoteRef.property }}"
      headers:
        Content-Type: application/json
        MonoPam-Vault-Access-Key: "{{ print .auth.apikey }}"
      secrets:
        - name: auth
          secretRef:
            name: monopam-vault-access-key
            namespace: external-secrets # Only used in ClusterSecretStores

5. Map your Monopam Vault Item (Credential) to the Kubernetes

Deploy the following YAML file. Before doing it change the following parameters.

Parameter

Description

<TARGET-SECRET-NAME-ON-K8S>

This is your Kubernetes Secret name to put secret/username/password in.

<SOURCE-SECRET-NAME-ON-MONOPAM>

This is your Monopam Vault Item Name to read from.

<WHERE-TO-BIND>

Which parameter do you want to bind on Kubernetes.

<WHICH-PROPERTY-TO-READ>

Which property do you want to read from Monopam Vault of the Vault Item / Credential.

Available Parameters; UserName, Password, SecretText

<TARGET-NAMESPACE>

Which namespace Secret should be mapped / created.

refreshInterval

RefreshInterval is the amount of time before the values reading again from the SecretStore provider

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" (from time.ParseDuration)

May be set to zero to fetch and create it once

15s means, Kubernetes will fetch the credential from Monopam’s Vault every 15s.

Read - SecretText

YAML
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: <TARGET-SECRET-NAME-ON-K8S>
  namespace: <TARGET-NAMESPACE>
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: monopam-vault-access
    kind: ClusterSecretStore
  target:
    name: <TARGET-SECRET-NAME-ON-K8S>
  data:
    - secretKey: SecretText
      remoteRef:
        key: "<VAULT-ITEM-NAME-OR-ID-ON-MONOPAM>"
        property: <WHICH-PROPERTY-TO-READ>

Read - UserName and Password

YAML
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: <TARGET-SECRET-NAME-ON-K8S>
  namespace: <TARGET-NAMESPACE>
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: monopam-vault-access
    kind: ClusterSecretStore
  target:
    name: <TARGET-SECRET-NAME-ON-K8S>
  data:
    - secretKey: username
      remoteRef:
        key: "<VAULT-ITEM-NAME-OR-ID-ON-MONOPAM>"
        property: UserName
    - secretKey: password
      remoteRef:
        key: "<VAULT-ITEM-NAME-OR-ID-ON-MONOPAM>"
        property: Password

6. Test Vault with Example Deployment

This deployment is used to verify whether the password or secrets obtained through Monopam are applied to the pod as an environment or not.

YAML
#This is a example deployment for Kubernetes to test Monopam Vault items.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: monofor-test
  name: monofor-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monofor-test
  template:
    metadata:
      labels:
        app: monofor-test
    spec:
      hostname: monofor-test
      restartPolicy: Always
      containers:
        - image: nginx
          name: monofor-test
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
          env:
            # This env for user-pass
            - name: TEST_USERNAME
              valueFrom:
                secretKeyRef:
                  name: monopam-test-user-pass
                  key: username
            - name: TEST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: monopam-test-user-pass
                  key: password
            # This is for secretText
            - name: TEST_SECRET
              valueFrom:
                secretKeyRef:
                  name: monopam-test-secret
                  key: SecretText

Copy and save below example as a monofor-test.yaml

Deploy with kubectl apply -f monofor-test.yaml

Then check pod is working or not

BASH
kubectl get pods

Now you can verify environment which is obtained from secrets.

BASH
kubectl exec -it monofor-test-66bcfccbdd-l2gv6 -- /bin/sh -c 'env | grep TEST_'

It can be delete test deployment with below command

YAML
kubectl delete -f monofor-test.yaml

Finish

This will help you to create and map Kubernetes Secrets from Monopam.

Knowledge Base

Vault Item Types for Read Vault Item

Vault Item Type

Properties

UserName and Password

UserName, Password, Domain

PKI

UserName, Passphrase, PrivateKey

Secret Text

SecretText

OTP

Code

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.