Adding native credentials through environment variables
There are many ways to add extra environment variables to a container on Kubernetes. Cyral recommends adding the credentials as environment variables that reference a Kubernetes secret, so the credential values never appear in the sidecar's values.yaml or in the pod spec.
Prerequisites
Add the credentials to your cluster
To add credentials for a repository using Kubernetes secrets and environment variables, you need to create a secret containing those credentials in the same namespace as the sidecar you are deploying.
In the next commands, we will use four variables:
SIDECAR_NAMESPACE: the namespace that the sidecar will be deployed to
SECRET_NAME: the name of the secret that will contain the credentials
CREDENTIALS_FILE: the name of the file containing the credentials
CREDENTIALS_CONTENT: the credential content
Use one of the following three methods.

Create a secret from a file containing the credentials:
kubectl create secret generic \
  --from-file credentials=$CREDENTIALS_FILE \
  -n $SIDECAR_NAMESPACE $SECRET_NAME

Create a secret from a literal in the command line:
kubectl create secret generic \
  --from-literal credentials=$CREDENTIALS_CONTENT \
  -n $SIDECAR_NAMESPACE $SECRET_NAME

Create a secret from a secret yaml file:
Create a file named secret.yaml with the following contents (kubectl does not expand shell variables inside a manifest, so substitute the actual values yourself, and indent every line of the credential content under the credentials key):
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $SIDECAR_NAMESPACE
stringData:
  credentials: |
    $CREDENTIALS_CONTENT
Apply the file on your cluster with kubectl:
kubectl apply -f secret.yaml
Configure the sidecar to fetch the credentials from the secret as environment variables
With the secret created, you need to add an environment variable to the authenticator field of the values.yaml file used for creating the sidecar. The variable name is CYRAL_DBSECRETS_ followed by the environment variable name configured for the repository in the control plane:
authenticator:
  extraEnvs:
    - name: CYRAL_DBSECRETS_<env-var-configured-in-the-control-plane>
      valueFrom:
        secretKeyRef:
          name: $SECRET_NAME
          key: credentials
Multiple credentials in a single secret
You can add multiple values with each of the secret creation methods, so that you don't need to create a new secret for each new repository; only the values.yaml file changes.

Create a secret from files containing the credentials:
kubectl create secret generic \
  -n $SIDECAR_NAMESPACE $SECRET_NAME \
  --from-file repo1=repo1_credentials.json \
  --from-file repo2=repo2_credentials.json
  # ...

Create a secret from literals in the command line:
kubectl create secret generic \
  -n $SIDECAR_NAMESPACE $SECRET_NAME \
  --from-literal repo1=<repo1 credentials> \
  --from-literal repo2=<repo2 credentials>
  # ...

Create a secret from a secret yaml file:
Create a file named secret.yaml with the following contents:
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $SIDECAR_NAMESPACE
stringData:
  repo1: |
    <repo1 credentials>
  repo2: |
    <repo2 credentials>
  # ...
Apply the file on your cluster with kubectl:
kubectl apply -f secret.yaml
To expose them all, add one environment variable per key to the values.yaml file, each referencing the same secret:
authenticator:
  extraEnvs:
    - name: CYRAL_DBSECRETS_<repo1 env var>
      valueFrom:
        secretKeyRef:
          name: $SECRET_NAME
          key: repo1
    - name: CYRAL_DBSECRETS_<repo2 env var>
      valueFrom:
        secretKeyRef:
          name: $SECRET_NAME
          key: repo2
    # ...
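As an added example that is not part of Cyral's documentation or tooling, the following POSIX shell script generates both artifacts described above for several repositories at once: one Secret manifest holding every credential file, and the matching authenticator.extraEnvs block that references each key. It writes credentials under data: (base64-encoded) rather than stringData:, which Kubernetes treats equivalently and which sidesteps the indentation problem of pasting multi-line JSON into a block scalar. It assumes the control-plane environment variable suffix is the upper-cased secret key and that each argument has the form key=path; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Cyral's own tooling). Builds a Secret manifest and the
# matching extraEnvs block from several credential files.
# Assumption: env var suffix = upper-cased key; args look like <key>=<path>.
set -eu

# Emit a Secret manifest with every credential file under `data:` (base64).
make_secret_manifest() {
  ns=$1; name=$2; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for pair in "$@"; do
    key=${pair%%=*}; file=${pair#*=}
    # Secret data keys must consist of alphanumerics, '-', '_' or '.'
    case $key in
      *[!A-Za-z0-9._-]*|'') echo "invalid secret key: '$key'" >&2; return 1 ;;
    esac
    [ -r "$file" ] || { echo "cannot read credential file: $file" >&2; return 1; }
    # tr strips the line wrapping some base64 implementations add
    printf '  %s: %s\n' "$key" "$(base64 < "$file" | tr -d '\n')"
  done
}

# Emit the authenticator.extraEnvs block, one secretKeyRef per key.
make_extra_envs() {
  name=$1; shift
  printf 'authenticator:\n  extraEnvs:\n'
  for pair in "$@"; do
    key=${pair%%=*}
    suffix=$(printf '%s' "$key" | tr 'a-z.-' 'A-Z__')
    printf '    - name: CYRAL_DBSECRETS_%s\n      valueFrom:\n        secretKeyRef:\n          name: %s\n          key: %s\n' \
      "$suffix" "$name" "$key"
  done
}

# Usage (hypothetical paths):
#   make_secret_manifest "$SIDECAR_NAMESPACE" "$SECRET_NAME" \
#     repo1=repo1_credentials.json repo2=repo2_credentials.json > secret.yaml
#   make_extra_envs "$SECRET_NAME" repo1=repo1_credentials.json repo2=repo2_credentials.json
```

Run the manifest through kubectl apply -f as in the steps above, and paste the extraEnvs output into values.yaml; a key that fails validation is rejected before any manifest is written.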