Introduction

Entrust KeyControl has been rebranded as the Entrust Cryptographic Security Platform (CSP) Key Manager.

The Entrust CSP Key Manager continues to provide a comprehensive solution for discovering and managing the lifecycles of cryptographic keys, secrets, certificates, tokens, libraries, protocols, and configurations:

  • The KeyControl Compliance Manager is now the Entrust CSP Compliance Manager. It still integrates with Entrust nShield Hardware Security Modules (HSMs) to protect the master keys for the CSP.

  • KeyControl Vault is now the Entrust Cryptographic Security Platform Vault. The Cryptographic Security Platform Vaults also still integrate with Entrust nShield HSMs to provide an optional HSM root of trust.

Because the Entrust integrations are tested against specific product versions, this guide is still branded as a "KeyControl" integration. It was tested against a pre-CSP version of KeyControl.

Exercise caution when using an Entrust Integration Guide with a product version that does not match the tested version, because your version might not function in exactly the same way.

Entrust cannot guarantee the success of integrations in configurations other than those indicated in the guide. This guide remains on the website for customers using pre-CSP versions of KeyControl.

This guide describes how to integrate a Kubernetes cluster with KeyControl Secrets Vault.

Kubernetes is an open-source system that automates the deployment, management, and scaling of containerized applications. It makes it easy for developers to quickly build, launch, and scale container-based web applications in a public cloud environment.

This integration allows secrets to be pulled from a secrets vault in KeyControl Vault and mounted in containers either as environment variables or as volume mounts. It focuses on how secrets are pulled into Kubernetes pods or containers using a KeyControl Secrets Vault. For other details on the vault, refer to the Entrust KeyControl Vault (KCV) documentation.

Integration architecture

Kubernetes cluster

In this integration, a Kubernetes K3s cluster is deployed on a Red Hat Linux VM. The container images are pulled from a third-party cloud registry.

Container images

Two container images are created for the purpose of this integration to demonstrate how secrets can be pulled into a container from KeyControl Vault.

Two more images are deployed to support the integration. These images come from the PASM Vault Kubernetes Agent v1.0. They are available at https://github.com/EntrustCorporation/PASM-Vault-Kubernetes-Agent/releases.

Docker Registry

An external Docker registry is required. This is where the container images from the PASM Kubernetes agents will be stored and referenced by the Kubernetes containers when they are created.

Product configurations

Entrust has successfully tested the integration of KeyControl Secrets Vault with Kubernetes in the following configurations:

Product                        Version
Base OS                        Red Hat Enterprise Linux release 9.4 (Plow)
Kubernetes (K3s)               1.30.4
KeyControl Vault               10.3.1
PASM Vault Kubernetes Agent    1.0

Requirements

Before starting the integration process

Familiarize yourself with:

  • The documentation for the Entrust KeyControl Vault.

  • The documentation and setup process for a Kubernetes cluster.