Skip to main content
Version: v4.1

Adding native credentials through environment variables

There are many ways to add extra environment variables to a container on Kubernetes. Cyral recommends adding the credentials as secret referencing environment variables.

Prerequisites

  1. Create a Helm 3 Sidecar
  2. Configure your sidecar to use native credentials from environment variables

Add the credentials to your cluster

To add credentials for a repository using kubernetes secrets and environment variables, you need to create a secret containing those credentials in the same namespace as the sidecar you are deploying.

In the next commands, we will define four variables:

  • SIDECAR_NAMESPACE: this will be the namespace that the sidecar will be deployed to
  • SECRET_NAME: this will be the name of the secret that will contain the credentials
  • CREDENTIALS_FILE: this will be the name of the file containing credentials
  • CREDENTIALS_CONTENT: this will be the credential content
kubectl create secret generic \
--from-file credentials=$CREDENTIALS_FILE \
-n $SIDECAR_NAMESPACE $SECRET_NAME

Configure the sidecar to fetch the environment variables from the credentials

With the secret created, you need to add an environment variable to the authenticator field of the values.yaml file used for creating the sidecar.

authenticator:
extraEnvs:
- name: CYRAL_DBSECRETS_<env-var-configured-in-the-control-plane>
valueFrom:
secretKeyRef:
name: $SECRET_NAME
key: credentials

Multiple credentials in a single secret

You can add multiple values on each of the secret creation methods, so that you don't need to update the values.yaml file on each new repository.

kubectl create secret generic \
-n $SIDECAR_NAMESPACE $SECRET_NAME \
--from-file repo1=repo1_credentials.json \
--from-file repo2=repo2_credentials.json
# ...

To add them all, just add multiple environment variables on the values.yaml file.

authenticator:
extraEnvs:
- name: CYRAL_DBSECRETS_<repo1 env var>
valueFrom:
secretKeyRef:
name: $SECRET_NAME
key: repo1
- name: CYRAL_DBSECRETS_<repo2 env var>
valueFrom:
secretKeyRef:
name: $SECRET_NAME
key: repo2
...