Use HashiCorp Vault to fetch password required by MariaDB MaxScale

rackerlabs · Mar 24, 2024 · f17de43 · f17de43
1 parent 1e063ca
commit f17de43
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md
@@ -47,6 +47,7 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
 kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
     vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
 ```
+
 - MaxScale password:
 ``` shell
 kubectl exec --stdin=true --tty=true vault-0 -n vault -- \

diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml
@@ -3,3 +3,4 @@ resources:
   - vaultauth.yaml
   - vaultconnection.yaml
   - mariadb-root-password.yaml
+  - mariadb-maxscale.yaml
diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml b/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: maxscale
+  namespace: openstack
+spec:
+  type: kv-v2
+
+# mount path
+  mount: 'osh/mariadb'
+
+# path of the secret
+  path: maxscale
+
+# dest k8s secret
+  destination:
+     name: maxscale
+     create: true
+
+# static secret refresh interval
+  refreshAfter: 30s
+
+# Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth