Introduction

This guide describes how to integrate a Red Hat OpenShift cluster with the Entrust KeyControl Secrets Vault.

OpenShift is an application hosting platform by Red Hat. It makes it easy for developers to quickly build, launch, and scale container-based web applications in a public cloud environment.

This integration pulls secrets from a Secrets Vault in KeyControl Vault and exposes them inside containers either as environment variables or as volume mounts. The guide focuses on how secrets are pulled into OpenShift pods/containers from the Entrust Secrets Vault. For other details on the vault itself, refer to the Entrust KeyControl Vault (KCV) documentation.

Integration architecture

OpenShift cluster

In this integration, a Red Hat OpenShift cluster is deployed on a VMware vSphere instance. Container images are pulled from a third-party cloud registry.

Container images

Two container images were created for this integration to demonstrate how secrets can be pulled into a container from KeyControl Vault.

Another two images are deployed to support the integration. These come from the PASM Vault Kubernetes Agent v1.0 and are available at: https://github.com/EntrustCorporation/PASM-Vault-Kubernetes-Agent/releases

Docker Registry

An external container registry is required. This is where the container images of the PASM Vault Kubernetes Agent are stored and from which the OpenShift containers pull them when they are created.
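The two points above, secrets arriving in a container as environment variables or as a volume, and images being pulled from an external registry, are ordinary Kubernetes Pod mechanics. The manifest below is an added illustration, not part of the Entrust guide or the PASM Vault Kubernetes Agent project: it assumes a Kubernetes Secret named app-db-creds that already holds the vault data, a pull secret named external-registry-creds for the external registry, and a hypothetical image reference. How the agent populates that Secret is not shown here.

```yaml
# Added example (not from the Entrust guide or the PASM agent): a Pod that
# consumes one Secret both as an environment variable and as a read-only volume,
# and pulls its image from an external registry via a pull secret.
# Assumed names: app-db-creds, external-registry-creds, registry.example.com/demo/app:1.0
apiVersion: v1
kind: Pod
metadata:
  name: secrets-demo
spec:
  # Credentials for the external registry; created beforehand with
  # "oc create secret docker-registry external-registry-creds ..." (assumed name).
  imagePullSecrets:
    - name: external-registry-creds
  containers:
    - name: app
      image: registry.example.com/demo/app:1.0   # assumed image in the external registry
      env:
        # Environment-variable style: simplest to consume, but the value is
        # readable by anything that can open /proc/<pid>/environ, is inherited
        # by every child process, and is fixed for the life of the container
        # (a rotated secret needs a restart to take effect).
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-db-creds
              key: password
      volumeMounts:
        # Volume style: the key lands as a file on a tmpfs mount, the kubelet
        # refreshes the file when the Secret changes (not for subPath mounts),
        # and file permissions can be restricted.
        - name: db-creds
          mountPath: /var/run/secrets/db
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: app-db-creds
        # Owner/group read only. OpenShift runs containers under an arbitrary
        # non-root UID and assigns an fsGroup, so the group bit is what keeps
        # the file readable by the application.
        defaultMode: 0440
```

With this manifest the application reads the password from /var/run/secrets/db/password; the DB_PASSWORD variable is kept only to show the contrast, and in practice one of the two styles should be chosen, with the volume preferred where the secret may be rotated.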

Product configurations

Entrust has successfully tested the integration of KeyControl Secrets Vault with Red Hat OpenShift in the following configurations:

Product                        Version
Base OS                        Red Hat Enterprise Linux release 9.4 (Plow)
OpenShift                      4.14.7
VMware                         vSphere 8.0.0.10200
KeyControl Vault               10.3.1
PASM Vault Kubernetes Agent    1.0

Requirements

Before starting the integration process

Familiarize yourself with:

  • The documentation for the Entrust KeyControl Vault.

  • The documentation and setup process for Red Hat OpenShift.