Using Vault with Messaging Topology Kubernetes Operator
If the RabbitmqClusters managed by the Messaging Topology Operator are configured to have their default user credentials stored in Vault, it may be necessary to configure the Topology Operator with some additional Vault-related settings.
Prerequisites
This guide assumes you have the following:
- The RabbitMQ Cluster Operator and Messaging Topology Operator are installed on the Kubernetes cluster
- A Vault server is installed on the Kubernetes cluster
- A Vault role declared in Vault for the Topology Operator to use. By default, the Topology Operator uses a Vault role named messaging-topology-operator. If you declared a Vault role with a different name, configure the operator by overriding the OPERATOR_VAULT_ROLE environment variable
- RabbitMQ's secret in Vault is stored with the KV secrets engine version 2; only version 2 is supported
Additional configuration
In order for the RabbitMQ Messaging Topology Operator to authenticate with a Vault server and access RabbitMQ cluster default user credentials, the operator container must have the VAULT_ADDR environment variable set to the URL of the Vault server API.
The following environment variables may be optionally set if the defaults are not applicable.
OPERATOR_VAULT_ROLE
the name of the Vault role that is used when accessing credentials. Defaults to messaging-topology-operator.
OPERATOR_VAULT_NAMESPACE
the Vault namespace to use when the Messaging Topology Operator is authenticating. If not set, the default Vault namespace is assumed. Vault Namespaces are a set of features within Vault Enterprise that allow Vault environments to support Secure Multi-tenancy (SMT) within a single Vault infrastructure. The Topology Operator assumes that all RabbitmqClusters whose default user credentials are stored in Vault belong to the same Vault Namespace, or tenant. The default Namespace is the blank namespace.
OPERATOR_VAULT_AUTH_PATH
the auth path that the operator ought to use when authenticating to Vault. Default behaviour is to use the auth/kubernetes path.
Check out the Messaging Topology Operator's example vault-support where you can find two convenient scripts that walk you through the required configuration.
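The script below is an added example, not one of the operator's own vault-support scripts: it writes a read-only KV v2 policy, binds a Kubernetes-auth role with the page's default name to the operator's service account, and sets VAULT_ADDR on the operator Deployment. It assumes the operator runs as service account messaging-topology-operator in namespace rabbitmq-system, that KV v2 is mounted at secret/, and that the RabbitmqCluster stores its default user at rabbitmq/default-user; none of these values come from this page.

```shell
#!/usr/bin/env bash
# Added example: least-privilege Vault setup for the Messaging Topology Operator.
# Assumed (not from the page): service account and Deployment name
# "messaging-topology-operator" in namespace "rabbitmq-system", KV v2 mounted
# at "secret/", default user secret at "rabbitmq/default-user".
set -euo pipefail

VAULT_ADDR="${VAULT_ADDR:-https://vault.vault.svc:8200}"  # Vault API URL (assumed)
OPERATOR_NS="rabbitmq-system"
OPERATOR_SA="messaging-topology-operator"
VAULT_ROLE="messaging-topology-operator"   # documented default for OPERATOR_VAULT_ROLE
KV_MOUNT="secret"
SECRET_PATH="rabbitmq/default-user"

# KV v2 reads go through "<mount>/data/<path>"; a policy written against the
# logical "<mount>/<path>" grants nothing, so derive the data path explicitly.
kv2_data_path() { printf '%s/data/%s\n' "$1" "$2"; }

# Render a policy that allows only "read" on that one secret.
render_policy() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$(kv2_data_path "$1" "$2")"
}

configure_vault() {
  vault auth enable -path=kubernetes kubernetes 2>/dev/null || true
  vault write auth/kubernetes/config \
    kubernetes_host="https://kubernetes.default.svc:443"
  render_policy "$KV_MOUNT" "$SECRET_PATH" | vault policy write "$VAULT_ROLE" -
  # Bind the role to exactly one service account in exactly one namespace.
  vault write "auth/kubernetes/role/$VAULT_ROLE" \
    bound_service_account_names="$OPERATOR_SA" \
    bound_service_account_namespaces="$OPERATOR_NS" \
    policies="$VAULT_ROLE" ttl=1h
}

# Only VAULT_ADDR is required; role, namespace and auth path keep their defaults.
configure_operator() {
  kubectl -n "$OPERATOR_NS" set env "deployment/$OPERATOR_SA" \
    VAULT_ADDR="$VAULT_ADDR"
}

# Dry-run unless APPLY=1, so the rendered policy can be reviewed first.
if [ "${APPLY:-0}" = "1" ]; then
  configure_vault && configure_operator
else
  echo "Policy that would be written to Vault:"
  render_policy "$KV_MOUNT" "$SECRET_PATH"
fi
```

Run with APPLY=1 and a logged-in vault CLI plus kubectl context pointing at the cluster to apply the changes.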
Limitations
- The Messaging Topology Operator will not be able to manage RabbitmqClusters that have their default user credentials in different Vault Namespaces