Dynamic Credentials Using HashiCorp Vault
SchemaHero can be configured to use HashiCorp Vault to retrieve database credentials at runtime.
```yaml
apiVersion: databases.schemahero.io/v1alpha4
kind: Database
metadata:
  name: my-db
  namespace: namespace
spec:
  connection:
    postgres:
      uri:
        valueFrom:
          vault:
            endpoint: http://<vault-endpoint>:8200
            serviceAccount: schemahero-vault
            serviceAccountNamespace: schemahero-vault
            secret: my-db
            role: schemahero
            agentInject: false
```
| Parameter | Description |
|---|---|
| `endpoint` | The http(s) endpoint of the Vault API. This must be supplied in a way that's accessible from the namespace where the |
| `serviceAccount` | The Kubernetes Service Account to use to authenticate with Vault. |
| `serviceAccountNamespace` | The namespace that the |
| `secret` | The name of the Vault secret to retrieve. |
| `role` | The role to use with Vault. |
| `agentInject` | A boolean indicating whether to use the sidecar agent injection or to integrate directly with the Vault API. |
SchemaHero supports integrating with Vault either through the Vault Agent Sidecar Injector or through a direct integration with the Vault API.
In most environments it is preferable to use the Vault API directly and set the `agentInject` attribute to `false` in the configuration.
When Vault's database secrets engine is configured with a connection template, the direct Vault API integration reads that template from Vault and renders it with the dynamic credentials to produce the connection string.
The Agent Injector does not support injecting a rendered connection string, so in that mode the connection string must be configured separately.
When using the Vault API, a new secret (and therefore a new lease) is requested from Vault for each operation (plan, apply). Size the Vault role's TTL to cover a single migration run: a credential that leaks from one operation is then only valid until that short lease expires.
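The exchange described above, written out as an added example (it is not SchemaHero's or Vault's own code). It performs one plan or apply's worth of work in direct-API mode against a constructed in-process stand-in for Vault, so it runs offline. It assumes three standard Vault API paths (`auth/kubernetes/login`, `database/config/<secret>`, `database/creds/<role>`) and that the spec's single `role` names both the Kubernetes auth role and the database role; whether SchemaHero's implementation calls exactly these paths is not stated on this page. `fake_vault`, `uri_for_operation`, the sample template and the sample credentials are all constructed here.

```python
"""Direct Vault API exchange for one SchemaHero plan/apply (added example, not project code)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import quote

# transport(method, path, headers, body_or_None) -> (http_status, parsed_json)
Transport = Callable[[str, str, dict, Optional[dict]], tuple[int, dict]]


def http_transport(endpoint: str) -> Transport:
    """Real transport: talks to a Vault API endpoint over HTTP(S) with urllib."""
    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(endpoint + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as e:
            return e.code, {}
    return send


class VaultClient:
    def __init__(self, transport: Transport):
        self.transport, self.token = transport, None

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        status, doc = self.transport(method, path, headers, body)
        if status != 200:
            raise PermissionError(f"{method} {path}: HTTP {status}")
        return doc

    def login(self, role, jwt):
        """Kubernetes auth: the pod's service account JWT becomes a Vault token bound to role."""
        doc = self._call("POST", "/v1/auth/kubernetes/login", {"role": role, "jwt": jwt})
        self.token = doc["auth"]["client_token"]

    def connection_template(self, secret):
        """connection_url from the database secrets engine config; carries {{username}}/{{password}}."""
        doc = self._call("GET", f"/v1/database/config/{secret}")
        return doc["data"]["connection_details"]["connection_url"]

    def dynamic_creds(self, role):
        """Every read of database/creds/<role> mints a new credential and a new lease."""
        doc = self._call("GET", f"/v1/database/creds/{role}")
        return doc["data"]["username"], doc["data"]["password"], doc["lease_id"]


def render_uri(template, username, password):
    # quote(..., safe="") so a generated password containing '@', ':' or '/' cannot break the URI
    return (template.replace("{{username}}", quote(username, safe=""))
                    .replace("{{password}}", quote(password, safe="")))


def uri_for_operation(transport, role, secret, jwt):
    """One plan or apply in direct-API mode: fresh login, read template, fresh credential, render."""
    client = VaultClient(transport)
    client.login(role, jwt)
    template = client.connection_template(secret)
    user, password, lease = client.dynamic_creds(role)
    return render_uri(template, user, password), lease


def fake_vault() -> Transport:
    """Constructed stand-in for Vault (no network). Like Vault it rejects unknown roles and
    requests without a valid token, and it mints a new credential on every creds read."""
    token, n = "hvs.constructed-token", 0
    template = "postgresql://{{username}}:{{password}}@postgres.db.svc:5432/app?sslmode=require"

    def send(method, path, headers, body):
        nonlocal n
        if (method, path) == ("POST", "/v1/auth/kubernetes/login"):
            if body.get("role") != "schemahero" or not body.get("jwt"):
                return 403, {"errors": ["permission denied"]}
            return 200, {"auth": {"client_token": token}}
        if headers.get("X-Vault-Token") != token:
            return 403, {"errors": ["permission denied"]}
        if (method, path) == ("GET", "/v1/database/config/my-db"):
            return 200, {"data": {"connection_details": {"connection_url": template}}}
        if (method, path) == ("GET", "/v1/database/creds/schemahero"):
            n += 1
            return 200, {"lease_id": f"database/creds/schemahero/lease-{n}",
                         "data": {"username": f"v-k8s-schemahero-{n}", "password": f"A1a-pw{n}"}}
        return 404, {}
    return send


if __name__ == "__main__":
    vault = fake_vault()  # swap for http_transport("http://<vault-endpoint>:8200") to hit a real Vault
    for op in ("plan", "apply"):  # each operation gets its own lease, as the text describes
        uri, lease = uri_for_operation(vault, "schemahero", "my-db", "constructed.sa.jwt")
        print(f"{op}: lease={lease} uri={uri}")
```

Running the loop shows two different usernames and two lease IDs, which is the one-lease-per-operation behaviour the paragraph above describes. Against a real Vault the same functions work with `http_transport`; the token returned by `login` then needs a policy granting `read` on `database/config/my-db` and `database/creds/schemahero` (the paths assumed here), and the Kubernetes auth role must be bound to service account `schemahero-vault` in namespace `schemahero-vault`, matching the Database spec.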
When the `agentInject` attribute is enabled, the `serviceAccountNamespace` parameter is optional.
In this mode SchemaHero simply adds the Vault Agent Injector annotations to the Database controller, so that the injector's mutating admission webhook adds the sidecar that delivers the secret to the pod.
When using the Agent Injector option, the same secret is used for the lifetime of the controller. The lease therefore has to stay valid for as long as the controller runs, and a credential that leaks in this mode remains usable until the controller is restarted or the lease is revoked, rather than until a single operation's short lease expires.