Passing vHSM secrets using ConfigMaps

Learn to inject vHSM secrets using ConfigMaps to an application running in Kubernetes.

PreviousvHSM Proxy quickstart NextProvisioning MariaDB Password on Azure DCXas_v5 VM

Last updated 2 months ago

Was this helpful?

Passing vHSM secrets using ConfigMaps

Learn to inject vHSM secrets using ConfigMaps to an application running in Kubernetes.

vHSM stores secrets securely, but Kubernetes applications need a way to access them. One method is using This section provides instructions to inject vHSM secrets using ConfigMaps to an application running in Kubernetes.

Prerequisites

Install
Install a Kubernetes cluster

To pass vault secrets using ConfigMaps:

Deploy a sample application

Create a deployment YAML file, named app-deployment.yaml.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        ports:
        - containerPort: 80

Change to the directory that contains the app-deployment.yaml and apply the deployment.
```
kubectl apply -f app-deployment.yaml
```
The output is similar to:
```
deployment.apps/my-app created
```

Verify that the application is deployed.

kubectl get pods

It might takes a couple of minutes for Pods to be in a Running status. The output is similar to:

NAME                      READY   STATUS   RESTARTS   AGE
my-app-86d5bc587d-g85bz   1/1     Running   0          7s
my-app-86d5bc587d-j4x4p   1/1     Running   0          7s

Create a service to expose the application.

kubectl expose deployment my-app --type=NodePort --port=80

Find the port on which the application is running.

kubectl get svc my-app

The output is similar to:

NAME     TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
my-app   NodePort   10.96.114.36   <none>        80:32696/TCP   8s

Port forward the application to access the application in your browser.
```
kubectl port-forward svc/my-app 8080:80
```
Access the application that you deployed in your browser at: http://localhost:8080.

Enable vHSM secrets engine and store the secret

Ensure that vHSM is running and the status is unsealed. For more information about using vHSM CLI, see the vHSM CLI documentation.

vhsm status

The output is similar to:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.3.7-0
Build Date      2025-01-29T15:11:42Z
Storage Type    inmem
Cluster Name    vault-cluster-64dcd906
Cluster ID      d36a3be0-d5ae-380d-58ae-ad2a18b01c6c
HA Enabled      false

Enable KV Secrets Engine, a key-value store that contains secrets in vHSM's physical storage:
```
vhsm secrets enable -path=secret kv-v2
```
The output is similar to:
```
Success! Enabled the kv-v2 secrets engine at: secret/
```

Store a secret in vHSM:

vhsm kv put secret/myapp DB_PASSWORD="super-secret-password"

The output is similar to:

===== Secret Path =====
secret/data/myapp

======= Metadata =======
Key                Value
---                -----
created_time       2025-02-02T06:40:35.316916Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

Create a ConfigMap from vHSM secrets

Retrive the password that you stored in the vHSM server.
```
DB_PASSWORD=$(vault kv get -field=DB_PASSWORD secret/myapp)
```

Create a ConfigMap that would inject the secret from the vHSM.

kubectl create configmap app-config --from-literal=DB_PASSWORD=$DB_PASSWORD

The output is similar to:

configmap/app-config created

Create a new deployment YAML file, named app-with-configmap.yaml.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-with-configmap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        env:
        - name: DB_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DB_PASSWORD

Change to the directory that contains the app-with-configmap.yaml and apply the deployment.
```
kubectl apply -f app-with-configmap.yaml
```
The output is similar to:
```
deployment.apps/my-app-with-configmap created
```

Verify that the application is deployed.

kubectl get pods

The output is similar to:

NAME                                     READY   STATUS    RESTARTS   AGE
my-app-86d5bc587d-g85bz                  1/1     Running   0          8m57s
my-app-86d5bc587d-j4x4p                  1/1     Running   0          8m57s
my-app-with-configmap-6946f8b754-hfhcn   1/1     Running   0          20s

Verify that secrets are passed to the newly deployed application using the command: kubectl exec -it <pod> -- printenv | grep DB_PASSWORD In this case the Pod that is running with the application with ConfigMap is my-app-with-configmap-6946f8b754-hfhcn.
```
kubectl exec -it my-app-with-configmap-6946f8b754-hfhcn -- printenv | grep DB_PASSWORD
```
The output is:
```
DB_PASSWORD=super-secret-password
```
This confirms that the secret for the application is injected to the application using ConfigMaps.

PreviousvHSM Proxy quickstart NextProvisioning MariaDB Password on Azure DCXas_v5 VM

Last updated 2 months ago

Was this helpful?

Prerequisites

Install
Install a Kubernetes cluster

To pass vault secrets using ConfigMaps:

Deploy a sample application

Create a deployment YAML file, named app-deployment.yaml.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        ports:
        - containerPort: 80

Change to the directory that contains the app-deployment.yaml and apply the deployment.
```
kubectl apply -f app-deployment.yaml
```
The output is similar to:
```
deployment.apps/my-app created
```

Verify that the application is deployed.

kubectl get pods

It might takes a couple of minutes for Pods to be in a Running status. The output is similar to:

NAME                      READY   STATUS   RESTARTS   AGE
my-app-86d5bc587d-g85bz   1/1     Running   0          7s
my-app-86d5bc587d-j4x4p   1/1     Running   0          7s

Create a service to expose the application.

kubectl expose deployment my-app --type=NodePort --port=80

Find the port on which the application is running.

kubectl get svc my-app

The output is similar to:

NAME     TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
my-app   NodePort   10.96.114.36   <none>        80:32696/TCP   8s

Port forward the application to access the application in your browser.
```
kubectl port-forward svc/my-app 8080:80
```
Access the application that you deployed in your browser at: http://localhost:8080.

Enable vHSM secrets engine and store the secret

Ensure that vHSM is running and the status is unsealed. For more information about using vHSM CLI, see the vHSM CLI documentation.

vhsm status

The output is similar to:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.3.7-0
Build Date      2025-01-29T15:11:42Z
Storage Type    inmem
Cluster Name    vault-cluster-64dcd906
Cluster ID      d36a3be0-d5ae-380d-58ae-ad2a18b01c6c
HA Enabled      false

Enable KV Secrets Engine, a key-value store that contains secrets in vHSM's physical storage:
```
vhsm secrets enable -path=secret kv-v2
```
The output is similar to:
```
Success! Enabled the kv-v2 secrets engine at: secret/
```

Store a secret in vHSM:

vhsm kv put secret/myapp DB_PASSWORD="super-secret-password"

The output is similar to:

===== Secret Path =====
secret/data/myapp

======= Metadata =======
Key                Value
---                -----
created_time       2025-02-02T06:40:35.316916Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

Create a ConfigMap from vHSM secrets

Retrive the password that you stored in the vHSM server.
```
DB_PASSWORD=$(vault kv get -field=DB_PASSWORD secret/myapp)
```

Create a ConfigMap that would inject the secret from the vHSM.

kubectl create configmap app-config --from-literal=DB_PASSWORD=$DB_PASSWORD

The output is similar to:

configmap/app-config created

Create a new deployment YAML file, named app-with-configmap.yaml.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-with-configmap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nginx
        env:
        - name: DB_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DB_PASSWORD

Change to the directory that contains the app-with-configmap.yaml and apply the deployment.
```
kubectl apply -f app-with-configmap.yaml
```
The output is similar to:
```
deployment.apps/my-app-with-configmap created
```

Verify that the application is deployed.

kubectl get pods

The output is similar to:

NAME                                     READY   STATUS    RESTARTS   AGE
my-app-86d5bc587d-g85bz                  1/1     Running   0          8m57s
my-app-86d5bc587d-j4x4p                  1/1     Running   0          8m57s
my-app-with-configmap-6946f8b754-hfhcn   1/1     Running   0          20s

Verify that secrets are passed to the newly deployed application using the command: kubectl exec -it <pod> -- printenv | grep DB_PASSWORD In this case the Pod that is running with the application with ConfigMap is my-app-with-configmap-6946f8b754-hfhcn.
```
kubectl exec -it my-app-with-configmap-6946f8b754-hfhcn -- printenv | grep DB_PASSWORD
```
The output is:
```
DB_PASSWORD=super-secret-password
```
This confirms that the secret for the application is injected to the application using ConfigMaps.