Kubernetes - Use Monopam to Configure Secret Store

This document will help you to configure Kubernetes to use Monopam Vault for Secret Storage. Before you continue, you need to make sure you have a valid license and configuration on your Monopam.

Monopam uses External Secrets Operator (ESO) to bind Monopam credentials to Kubernetes.

To configure your Monopam Vault to use in Kubernetes, follow the instructions.

📘 Instructions

This documentation will contain 5 steps for integration.

Install External Secrets Operator (ESO) to Kubernetes
Create Monopam Access Key
Add Monopam Access Key to Secret Storage
Configure External Secrets Operator in Kubernetes
Map your Monopam Vault Item (Credential) to the Kubernetes
1. Read Secret Text
2. Read UserName and Password
Test Vault with Example Deployment

Highlight important information in a panel like this one. To edit this panel's color or style, select one of the options in the menu.

1. Install External Secrets Operator (ESO) to Kubernetes

You can follow the installation document of External Secrets Operator.

If you already have External Secrets Operator, you can skip this step.

🖥️ External Secrets Operator - Getting Started

2. Create Monopam Access Key

To access vault items from Monopam API, you need to create an Access Key in Monopam. You can follow the instructions.

Sign in to your Monopam Environment.

Go to the Access Keys
Add New
Give your Access Key a Name
Copy you Access Key (We are gonna use it on Kubernetes)
Click OK

You have successfully created your Access Key.

If you want to allow this access key to read a vault item, you need to add that vault item to the Access Key.

Click the Vault
Go to the your Vault Item
Click the “:” button on the top of the right
Select your Access Key on the list and Click OK.

3. Add Monopam Access Key to Secret Storage

Now we need to store Monopam Access Key in Kubernetes Secret Storage.

Namespace Information

After you installing External Secrets Operator, it will also create a namespace external-sercrets. All our deployment of this dependency will be there. If you want custom namespace for your secrets and dependency, you may need configure your namespace definitions.

Use the following deployment file to create Monopam Access Key in Kubernetes

YAML

apiVersion: v1
kind: Secret
metadata:
  name: monopam-vault-access-key
  namespace: external-secrets
stringData:
  apikey: "XXXXXX-YYYYYY-ZZZZ-AAAA-TTTTTTTTT" # Your Monopam Vault Access Key

4. Configure External Secrets Operator in Kubernetes

Deploy following YAML file in your Kubernetes.

Before doing this change the <MONOPAM-URL> with your instance URL.

YAML

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: monopam-vault-store
  namespace: external-secrets
spec:
  provider:
    webhook:
      url: "https://<MONOPAM-URL>/api/v1/vault/{{ .remoteRef.key }}"
      result:
        jsonPath: "$.data.{{ .remoteRef.property }}"
      headers:
        Content-Type: application/json
        MonoPam-Vault-Access-Key: "{{ print .auth.apikey }}"
      secrets:
        - name: auth
          secretRef:
            name: monopam-vault-access-key
            namespace: external-secrets # Only used in ClusterSecretStores

5. Map your Monopam Vault Item (Credential) to the Kubernetes

Deploy the following YAML file. Before doing it change the following parameters.

Parameter	Description
`<TARGET-SECRET-NAME-ON-K8S>`	This is your Kubernetes Secret name to put secret/username/password in.
`<SOURCE-SECRET-NAME-ON-MONOPAM>`	This is your Monopam Vault Item Name to read from.
`<WHERE-TO-BIND>`	Which parameter do you want to bind on Kubernetes.
`<WHICH-PROPERTY-TO-READ>`	Which property do you want to read from Monopam Vault of the Vault Item / Credential. Available Parameters; `UserName`, `Password`, `SecretText`
`<TARGET-NAMESPACE>`	Which namespace Secret should be mapped / created.
refreshInterval	RefreshInterval is the amount of time before the values reading again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" (from time.ParseDuration) May be set to zero to fetch and create it once 15s means, Kubernetes will fetch the credential from Monopam’s Vault every 15s.

Read - SecretText

YAML

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: <TARGET-SECRET-NAME-ON-K8S>
  namespace: <TARGET-NAMESPACE>
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: monopam-vault-access
    kind: ClusterSecretStore
  target:
    name: <TARGET-SECRET-NAME-ON-K8S>
  data:
    - secretKey: SecretText
      remoteRef:
        key: "<VAULT-ITEM-NAME-OR-ID-ON-MONOPAM>"
        property: <WHICH-PROPERTY-TO-READ>

Read - UserName and Password

YAML

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: <TARGET-SECRET-NAME-ON-K8S>
  namespace: <TARGET-NAMESPACE>
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: monopam-vault-access
    kind: ClusterSecretStore
  target:
    name: <TARGET-SECRET-NAME-ON-K8S>
  data:
    - secretKey: username
      remoteRef:
        key: "<VAULT-ITEM-NAME-OR-ID-ON-MONOPAM>"
        property: UserName
    - secretKey: password
      remoteRef:
        key: "<VAULT-ITEM-NAME-OR-ID-ON-MONOPAM>"
        property: Password

6. Test Vault with Example Deployment

This deployment is used to verify whether the password or secrets obtained through Monopam are applied to the pod as an environment or not.

YAML

#This is a example deployment for Kubernetes to test Monopam Vault items.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: monofor-test
  name: monofor-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monofor-test
  template:
    metadata:
      labels:
        app: monofor-test
    spec:
      hostname: monofor-test
      restartPolicy: Always
      containers:
        - image: nginx
          name: monofor-test
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
          env:
            # This env for user-pass
            - name: TEST_USERNAME
              valueFrom:
                secretKeyRef:
                  name: monopam-test-user-pass
                  key: username
            - name: TEST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: monopam-test-user-pass
                  key: password
            # This is for secretText
            - name: TEST_SECRET
              valueFrom:
                secretKeyRef:
                  name: monopam-test-secret
                  key: SecretText

Copy and save below example as a monofor-test.yaml

Deploy with kubectl apply -f monofor-test.yaml

Then check pod is working or not

BASH

kubectl get pods

Now you can verify environment which is obtained from secrets.

BASH

kubectl exec -it monofor-test-66bcfccbdd-l2gv6 -- /bin/sh -c 'env | grep TEST_'

It can be delete test deployment with below command

YAML

kubectl delete -f monofor-test.yaml

Finish

This will help you to create and map Kubernetes Secrets from Monopam.

Knowledge Base

Vault Item Types for Read Vault Item

Vault Item Type	Properties
UserName and Password	`UserName`, `Password`, `Domain`
PKI	`UserName`, `Passphrase`, `PrivateKey`
Secret Text	`SecretText`
OTP	`Code`