# This file shows an example of how to mount keystore files for PingDirectory # from secrets in a Hashicorp Vault cluster. # # See https://helm.pingidentity.com/config/vault/ for details on using Vault with # the ping-devops Helm chart. # # See https://learn.hashicorp.com/collections/vault/kubernetes for more information # on using Vault with Kubernetes. pingdirectory: enabled: true rbac: # Define the service account used by Vault here serviceAccountName: internal-app # These env variables point to the keystore files that will be injected by Vault envs: KEYSTORE_FILE: /run/secrets/mykeystore.jks KEYSTORE_PIN_FILE: /run/secrets/mykeystore.pin vault: enabled: true hashicorp: annotations: # Uncomment to add more logging information to the Vault agent initContainer #log-level: debug # Define the Vault role to be used when injecting secrets role: internal-app # In order to mount the keystore file on the image and decode it to the proper # binary format, the following five annotations must be defined. The # "-mykeystore.jks" annotation suffix marks the corresponding annotations. # Define the Vault secret being used agent-inject-secret-mykeystore.jks: internal/keystores # Define the name of the file that will be mounted to the PingDirectory container agent-inject-file-mykeystore.jks: mykeystore-base64 # Define the path on image where the above file is placed. # /run/secrets will not persist the encoded file to permanent storage. # See https://devops.pingidentity.com/how-to/usingVault/#using-tmpfs-for-secrets secret-volume-path-mykeystore.jks: /run/secrets # Define the template that extracts the keystore from the Vault secret to place # in the above file. ".Data.data.mykeystore" refers to the "mykeystore" key in the Vault secret. agent-inject-template-mykeystore.jks: | {{- with secret "internal/keystores" }} {{- .Data.data.mykeystore }} {{- end }} # Define a command to decode the keystore from base64 when mounting. # This annotation will not be necessary when no decoding is necessary # (when using a secret that is not encoded). agent-inject-command-mykeystore.jks: bin/sh -c "base64 -d /run/secrets/mykeystore-base64 > /run/secrets/mykeystore.jks && rm /run/secrets/mykeystore-base64" # The following four annotations mount a corresponding mykeystore.pin file from the # the "mykeystorepin" key in the "internal/keystores" Vault secret. agent-inject-secret-mykeystore.pin: internal/keystores agent-inject-file-mykeystore.pin: mykeystore.pin secret-volume-path-mykeystore.pin: /run/secrets agent-inject-template-mykeystore.pin: | {{- with secret "internal/keystores" }} {{- .Data.data.mykeystorepin }} {{- end }}