From 7a37f244b6671d77d8a03b3b68e570e0996e132e Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Fri, 26 Sep 2025 13:09:17 -0500 Subject: [PATCH 1/6] vault docs --- content/operate/kubernetes/security/vault.md | 734 +++++++++++++++++++ 1 file changed, 734 insertions(+) create mode 100644 content/operate/kubernetes/security/vault.md diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md new file mode 100644 index 0000000000..88890103a3 --- /dev/null +++ b/content/operate/kubernetes/security/vault.md @@ -0,0 +1,734 @@ +--- +Title: Integrate Redis Enterprise operator with HashiCorp Vault +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes. +linkTitle: HashiCorp Vault integration +weight: 97 +--- + +# Integrate Redis Enterprise operator with HashiCorp Vault + +## Overview + +HashiCorp Vault can be configured as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging. + +### What secrets are managed by Vault? + +When Vault integration is enabled, all secrets referenced in Redis Enterprise custom resources are retrieved from Vault instead of Kubernetes secrets, including: + +- Cluster credentials - Admin username/password for Redis Enterprise clusters +- Database credentials - Passwords for Redis databases +- TLS certificates - API, cluster management, proxy, syncer, and LDAP client certificates +- License keys - Redis Enterprise license information +- Backup credentials - Access keys for S3, Azure Blob, GCS, Swift, and SFTP storage +- LDAP credentials - Authentication details for LDAP servers +- Replica source credentials - TLS certificates for cross-cluster replication + +For complete details on supported secrets, see the [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) and [RedisEnterpriseDatabase API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). + +### Key benefits + +- Centralized secret management - Single source of truth for all secrets +- Enhanced security - Vault's encryption, access controls, and audit logging +- Secret rotation - Automated credential rotation capabilities +- Compliance - Meet regulatory requirements with comprehensive audit trails +- Multi-environment support - Consistent secret management across dev/staging/prod + +{{}} +When using OpenShift, replace `kubectl` commands with `oc` throughout this guide. +{{}} +## Prerequisites + +Before integrating Redis Enterprise operator with HashiCorp Vault, ensure you have the following components properly configured: + +### HashiCorp Vault Requirements + +- Vault Instance: Deploy HashiCorp Vault with network connectivity from your Kubernetes cluster + - Tested Version: HashiCorp Vault v1.15.2 (other versions may work but are not officially tested) + - TLS Required: Vault must be configured with TLS encryption + - High Availability: Recommended for production environments + +- Authentication Method: Configure Kubernetes authentication method in Vault + - Enables Kubernetes service accounts to authenticate with Vault + - See [HashiCorp's Kubernetes Auth documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes) + +- Secret Engine: Enable and configure KV version 2 secret engine + - Default mount path: `secret/` (configurable) + - Used to store all Redis Enterprise secrets + - Supports versioning and metadata + +### Kubernetes Requirements + +- Vault Agent Injector: Deploy the HashiCorp Vault Agent Injector + - Enables automatic secret injection into pods + - See [Vault Agent Injector tutorial](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar) + +- Network Access: Ensure Kubernetes cluster can reach Vault + - Configure appropriate network policies and firewall rules + - Vault typically runs on port 8200 (HTTPS) + +- Service Accounts: Proper RBAC configuration for operator service accounts + +### Vault Enterprise considerations + +This guide assumes HashiCorp Vault Enterprise with namespace support: +- **Vault namespaces**: Logical isolation within Vault (not Kubernetes namespaces) +- **Multi-tenancy**: Separate Redis Enterprise deployments by Vault namespace +- **Advanced features**: Audit logging, performance replication, disaster recovery + +{{}} +For Vault Community Edition, omit all `VAULT_NAMESPACE` parameters and `-namespace` flags from commands. +{{}} + +### Minimum token TTL + +Configure Vault token policies with minimum TTL of 1 hour: +- Prevents frequent token renewal overhead +- Ensures stable operation during maintenance windows +- See [Vault token management](https://developer.hashicorp.com/vault/tutorials/tokens/token-management) + +## Architecture overview + +Understanding the integration architecture helps ensure proper configuration and troubleshooting. + +### Components and data flow + +``` +┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐ +│ Kubernetes │ │ HashiCorp Vault │ │ Redis Enterprise│ +│ Cluster │ │ │ │ Cluster │ +│ │ │ │ │ │ +│ ┌─────────────┐ │ │ ┌──────────────┐ │ │ ┌─────────────┐ │ +│ │ Redis │◄┼────┼►│ KV-v2 Store │ │ │ │ Database │ │ +│ │ Enterprise │ │ │ │ │ │ │ │ Instances │ │ +│ │ Operator │ │ │ │ - Credentials│ │ │ │ │ │ +│ └─────────────┘ │ │ │ - Certificates│ │ │ └─────────────┘ │ +│ │ │ │ - Licenses │ │ │ │ +│ ┌─────────────┐ │ │ └──────────────┘ │ │ │ +│ │ Vault │ │ │ │ │ │ +│ │ Agent │ │ │ ┌──────────────┐ │ │ │ +│ │ Injector │ │ │ │ Kubernetes │ │ │ │ +│ └─────────────┘ │ │ │ Auth Method │ │ │ │ +└─────────────────┘ │ └──────────────┘ │ └─────────────────┘ + └──────────────────┘ +``` + +### Authentication flow + +1. **Service Account Authentication**: Redis Enterprise operator uses its Kubernetes service account token +2. **Vault Authentication**: Operator authenticates with Vault using Kubernetes auth method +3. **Token Acquisition**: Vault issues a time-limited token with appropriate policies +4. **Secret Retrieval**: Operator fetches secrets from Vault KV store using the token +5. **Caching**: Secrets are cached locally with configurable expiration times +6. **Token Renewal**: Tokens are automatically renewed before expiration + +### Secret path structure + +Vault secrets follow a hierarchical path structure: +``` +// +``` + +**Default Example**: +``` +secret/data/redisenterprise-redis-ns/my-cluster +secret/data/redisenterprise-redis-ns/my-database-password +secret/data/redisenterprise-redis-ns/tls-certificates +``` + +## Installation and setup + +### Deployment scenarios + +This guide covers the most common deployment scenario with the following assumptions: + +- **Vault Enterprise** with namespace support (adapt for Community Edition by removing namespace parameters) +- **Multiple Redis Enterprise clusters** in the same Kubernetes cluster +- **Namespace isolation** using Kubernetes namespace suffixes for Vault configurations +- **Production security** with proper RBAC and network policies + +{{}} +**Multi-cluster considerations**: When deploying across multiple Kubernetes clusters with identical namespace names, additional prefixing may be required to avoid Vault path conflicts. +{{}} + +## Configure the operator + +### Step 1: Configure Vault policies and roles + +#### Create Vault policy + +Create a policy that grants the Redis Enterprise operator read access to secrets: + +```bash +vault policy write -namespace= redisenterprise- - </*" { + capabilities = ["create", "read", "update", "delete", "list"] +} +path "secret/metadata/redisenterprise-/*" { + capabilities = ["list"] +} +EOF +``` + +**Parameter explanation:** +- ``: Your Vault Enterprise namespace (omit for Community Edition) +- ``: Kubernetes namespace where Redis Enterprise operator is deployed + +#### Create Vault role + +Configure a Vault role that binds the operator's service account to the policy: + +```bash +vault write -namespace= auth//role/redis-enterprise-operator- \ + bound_service_account_names="redis-enterprise-operator" \ + bound_service_account_namespaces= \ + policies=redisenterprise- +``` + +**Parameter explanation:** +- ``: Kubernetes auth method path in Vault (default: `kubernetes`) +- Role name includes namespace for multi-tenant isolation + +### Step 2: Configure operator environment + +Create a ConfigMap with Vault configuration for the Redis Enterprise operator: + +```yaml +# operator-environment-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: operator-environment-config + namespace: +data: + CREDENTIAL_TYPE: "vault" + VAULT_SERVER_FQDN: "" + VAULT_SERVICE_PORT_HTTPS: "8200" + VAULT_SECRET_ROOT: "secret" + VAULT_SECRET_PREFIX: "redisenterprise-" + VAULT_ROLE: "redis-enterprise-operator-" + VAULT_AUTH_PATH: "" + VAULT_NAMESPACE: "" + VAULT_CACHE_SECRET_EXPIRATION_SECONDS: "120" +``` + +Apply the configuration: + +```bash +kubectl apply -f operator-environment-config.yaml +``` + +#### Configuration parameters + +| Parameter | Description | Default | Required | +|-----------|-------------|---------|----------| +| `CREDENTIAL_TYPE` | Must be set to `"vault"` to enable Vault integration | - | Yes | +| `VAULT_SERVER_FQDN` | Vault server hostname (e.g., `vault.vault-ns.svc.cluster.local`) | - | Yes | +| `VAULT_SERVICE_PORT_HTTPS` | Vault HTTPS port | `8200` | Yes | +| `VAULT_SECRET_ROOT` | KV-v2 secret engine mount path | `secret` | Yes | +| `VAULT_SECRET_PREFIX` | Prefix for all Redis Enterprise secrets | `redisenterprise` | Yes | +| `VAULT_ROLE` | Vault role for operator authentication | `redis-enterprise-operator` | Yes | +| `VAULT_AUTH_PATH` | Kubernetes auth method path | `kubernetes` | Yes | +| `VAULT_NAMESPACE` | Vault Enterprise namespace | - | Enterprise only | +| `VAULT_CACHE_SECRET_EXPIRATION_SECONDS` | Secret cache duration | `120` | No | + +{{}} +**Secret path construction**: Secrets are stored at `/data//` +{{}} + +### Step 3: Deploy the operator + +Deploy the Redis Enterprise operator following the [standard installation guide]({{< relref "/operate/kubernetes/deployment" >}}). + +{{}} +The operator pod will not be ready until the admission controller secret is stored in Vault (covered in the next step). +{{}} + +### Step 4: Configure admission controller secret + +Generate and store the admission controller TLS certificate in Vault: + +#### Generate TLS certificate + +```bash +kubectl exec -it $(kubectl get pod -l name=redis-enterprise-operator -o jsonpath='{.items[0].metadata.name}') \ + -c redis-enterprise-operator -- /usr/local/bin/generate-tls -infer | tail -4 > output.json +``` + +#### Store certificate in Vault + +Copy the certificate file to Vault (if Vault is running in Kubernetes): + +```bash +kubectl cp output.json vault-0:/tmp -n vault +``` + +Store the certificate in Vault: + +```bash +vault kv put -namespace= /redisenterprise-/admission-tls @output.json +``` + +{{}} +Once the operator is running with Vault integration, proceed to create Redis Enterprise clusters. Do not create clusters before completing this setup. +{{}} + +### Step 5: Create Vault CA certificate secret + +Create a Kubernetes secret containing the Certificate Authority certificate used by your Vault instance: + +```bash +kubectl create secret generic vault-ca-cert \ + --namespace \ + --from-file=vault.ca= +``` + +{{}} +The Vault server certificate must be signed by the Certificate Authority provided in this secret. +{{}} + +## Create Redis Enterprise clusters + +### Step 1: Generate cluster credentials + +Unlike standard deployments, Vault integration requires manually creating cluster credentials: + +#### Generate strong password + +```bash +# Generate a secure random password +openssl rand -base64 32 +``` + +#### Store credentials in Vault + +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + username= \ + password= +``` + +{{}} +**Important notes:** + +- The username field in the REC spec is ignored when using Vault +- The username from the Vault secret takes precedence +- Use strong, unique passwords for each cluster +{{}} + +### Step 2: Create cluster service account role + +Configure a Vault role for the Redis Enterprise cluster's service account: + +```bash +vault write -namespace= \ + auth//role/redis-enterprise-rec- \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=redisenterprise- +``` + +### Step 3: Deploy Redis Enterprise cluster + +Create the RedisEnterpriseCluster resource with Vault configuration: + +```yaml +apiVersion: app.redislabs.com/v1 +kind: RedisEnterpriseCluster +metadata: + name: rec + namespace: + labels: + app: redis-enterprise +spec: + nodes: 3 + clusterCredentialSecretName: rec + clusterCredentialSecretType: vault + clusterCredentialSecretRole: redis-enterprise-rec- + vaultCASecret: vault-ca-cert + podAnnotations: + vault.hashicorp.com/auth-path: auth/ + vault.hashicorp.com/namespace: +``` + +Apply the configuration: + +```bash +kubectl apply -f redis-enterprise-cluster.yaml +``` + +#### Key configuration fields + +| Field | Description | Example | +|-------|-------------|---------| +| `clusterCredentialSecretName` | Name of the secret in Vault containing cluster credentials | `rec` | +| `clusterCredentialSecretType` | Must be set to `vault` | `vault` | +| `clusterCredentialSecretRole` | Vault role for cluster authentication | `redis-enterprise-rec-` | +| `vaultCASecret` | Kubernetes secret containing Vault's CA certificate | `vault-ca-cert` | +| `podAnnotations` | Vault agent annotations for pod-level configuration | See example above | + +## Manage database secrets + +### Redis Enterprise database secrets + +Redis Enterprise databases support various types of secrets stored in Vault: + +#### Database password + +Store database passwords in Vault using the database name as the secret key: + +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + password= +``` + +#### Backup storage credentials + +Configure backup storage credentials for different providers: + +AWS S3: +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + AWS_ACCESS_KEY_ID= \ + AWS_SECRET_ACCESS_KEY= +``` + +Azure Blob Storage: +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + AZURE_ACCOUNT_NAME= \ + AZURE_ACCOUNT_KEY= +``` + +Google Cloud Storage: +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + GOOGLE_APPLICATION_CREDENTIALS= +``` + +#### TLS certificates + +Store TLS certificates for secure database connections: + +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + tls.crt= \ + tls.key= +``` + +### Redis Enterprise cluster secrets + +The following secrets can be stored in Vault for cluster configuration: + +#### Required secrets + +- **Cluster credentials**: `clusterCredentialSecretName` - Admin username/password +- **License**: `licenseSecretName` - Redis Enterprise license key + +#### Optional certificates + +- **API certificate**: `apiCertificateSecretName` - REST API TLS certificate +- **Cluster manager certificate**: `cmCertificateSecretName` - Internal cluster communication +- **Metrics exporter certificate**: `metricsExporterCertificateSecretName` - Prometheus metrics +- **Proxy certificate**: `proxyCertificateSecretName` - Database proxy TLS +- **Syncer certificate**: `syncerCertificateSecretName` - Cross-cluster replication +- **LDAP client certificate**: `ldapClientCertificateSecretName` - LDAP authentication + +{{}} +Complete field documentation is available in the [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}). +{{}} + + + +### Example REC configuration with all certificates + +```yaml +apiVersion: app.redislabs.com/v1 +kind: RedisEnterpriseCluster +metadata: + name: rec + labels: + app: redis-enterprise +spec: + nodes: 3 + licenseSecretName: + clusterCredentialSecretName: + certificates: + apiCertificateSecretName: + cmCertificateSecretName: + metricsExporterCertificateSecretName: + proxyCertificateSecretName: + syncerCertificateSecretName: + ldapClientCertificateSecretName: + # Vault configuration + clusterCredentialSecretType: vault + clusterCredentialSecretRole: redis-enterprise-rec- + vaultCASecret: vault-ca-cert + podAnnotations: + vault.hashicorp.com/auth-path: auth/ + vault.hashicorp.com/namespace: +``` + +You can also update certificates using `kubectl patch`: + +```bash +kubectl patch rec rec --type merge --patch '{"spec": {"certificates": {"apiCertificateSecretName": ""}}}' +``` + +### Create Redis Enterprise databases + +To create a Redis Enterprise database (REDB) with Vault integration: + +1. **Create database password in Vault**: + + ```bash + vault kv put -namespace= \ + /redisenterprise-/redb- \ + password= + ``` + +2. **Create the REDB custom resource**: + + Follow the standard [database creation process]({{< relref "/operate/kubernetes/re-databases" >}}). The REC configuration automatically enables Vault integration for all databases. + +3. **Configure additional secrets** (optional): + + Store additional REDB secrets in the path `redisenterprise-/`. Secrets must comply with the [REDB secrets schema]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). + +{{}} +When using the Redis Enterprise Vault plugin, set `defaultUser: false` and associate users through ACL bindings to the REDB. +{{}} + +### Additional database secret types + +Redis Enterprise databases support several types of secrets that can be stored in Vault: + +1. **Database password** - Required for database access +2. **Replica source credentials** (optional) - For cross-cluster replication: + - `clientKeySecret` - Client TLS key + - `serverCertSecret` - Server certificate +3. **Backup credentials** (optional) - For database backups: + - **S3 storage**: `awsSecretName` + - **SFTP storage**: `sftpSecretName` + - **Swift storage**: `swiftSecretName` + - **Azure Blob storage**: `absSecretName` + - **Google Cloud storage**: `gcsSecretName` +4. **Client authentication certificates** (optional) - TLS client certificates for authentication + +For complete field documentation, see the [Redis Enterprise database API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). + +### Redis Enterprise Remote Cluster secrets + +The `secretName` field is supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source. + +### Redis Enterprise Active-Active database secrets + +REAADB resources include REDB specifications in the `globalConfigurations` field. All secret names specified in these configurations are supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source. + +## Troubleshooting + +### Common Issues and Solutions + +#### Operator pod not ready + +**Symptoms**: Operator pod remains in `Pending` or `CrashLoopBackOff` state + +**Causes and solutions**: + +1. **Missing admission controller secret** + + ```bash + # Check if admission-tls secret exists in Vault + vault kv get -namespace= /redisenterprise-/admission-tls + ``` + +2. **Vault CA certificate issues** + + ```bash + # Verify vault-ca-cert secret exists + kubectl get secret vault-ca-cert -n + + # Check certificate content + kubectl get secret vault-ca-cert -n -o jsonpath='{.data.vault\.ca}' | base64 -d + ``` + +3. **Network connectivity** + + ```bash + # Test Vault connectivity from operator pod + kubectl exec -it -c redis-enterprise-operator -- \ + curl -k https://:8200/v1/sys/health + ``` + +#### Authentication failures + +**Symptoms**: `Failed to authenticate with Vault` errors in operator logs + +**Solutions**: + +1. **Verify Vault role configuration** + + ```bash + vault read -namespace= auth//role/redis-enterprise-operator- + ``` + +2. **Check service account token** + + ```bash + # Verify service account exists + kubectl get serviceaccount redis-enterprise-operator -n + + # Check token mount + kubectl describe pod -n | grep -A5 "Mounts:" + ``` + +#### Secret retrieval failures + +**Symptoms**: `Failed to read Vault secret` errors + +**Solutions**: + +1. **Verify secret exists** + + ```bash + vault kv get -namespace= /redisenterprise-/ + ``` + +2. **Check policy permissions** + + ```bash + vault policy read -namespace= redisenterprise- + ``` + +3. **Validate secret format** + + ```bash + # Cluster credentials must have 'username' and 'password' keys + vault kv get -format=json -namespace= /redisenterprise-/ + ``` + +### Debugging commands + +#### Check operator logs + +```bash +kubectl logs -f deployment/redis-enterprise-operator -n -c redis-enterprise-operator +``` + +#### Verify Vault configuration + +```bash +kubectl get configmap operator-environment-config -n -o yaml +``` + +#### Test Vault authentication + +```bash +# From within operator pod +kubectl exec -it -n -c redis-enterprise-operator -- \ + cat /var/run/secrets/kubernetes.io/serviceaccount/token +``` + +## Security best practices + +### Vault configuration + +1. **Enable audit logging** + + ```bash + vault audit enable file file_path=/vault/logs/audit.log + ``` + +2. **Use least privilege policies** + - Grant only necessary permissions to Redis Enterprise policies + - Regularly review and update access policies + - Use separate policies for different environments + +3. **Implement secret rotation** + - Configure automatic rotation for database passwords + - Use Vault's dynamic secrets when possible + - Monitor secret access patterns + +4. **Secure network communication** + - Always use TLS for Vault communication + - Implement network policies to restrict access + - Use private networks when possible + +### Kubernetes security + +1. **Service account management** + - Use dedicated service accounts for each Redis Enterprise deployment + - Implement RBAC with minimal required permissions + - Regularly audit service account usage + +2. **Secret management** + - Never store secrets in container images or configuration files + - Use Kubernetes secrets only for Vault CA certificates + - Implement secret scanning in CI/CD pipelines + +3. **Network policies** + + ```yaml + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: redis-enterprise-vault-access + spec: + podSelector: + matchLabels: + app: redis-enterprise-operator + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + name: vault + ports: + - protocol: TCP + port: 8200 + ``` + +### Monitoring and alerting + +1. **Monitor Vault access** + - Set up alerts for failed authentication attempts + - Monitor secret access patterns + - Track token usage and expiration + +2. **Redis Enterprise monitoring** + - Monitor operator pod health and logs + - Set up alerts for secret retrieval failures + - Track cluster and database creation events + +3. **Security scanning** + - Regularly scan container images for vulnerabilities + - Implement runtime security monitoring + - Audit Vault policies and access patterns + +### Compliance considerations + +1. **Data encryption** + - Ensure data is encrypted in transit and at rest + - Use strong encryption algorithms + - Regularly rotate encryption keys + +2. **Access control** + - Implement multi-factor authentication for Vault access + - Use role-based access control (RBAC) + - Maintain audit trails for all access + +3. **Backup and recovery** + - Regularly backup Vault data + - Test disaster recovery procedures + - Implement cross-region replication for high availability From e714ca564ab203a370c8d7e22e068abcbcb6bdfc Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Fri, 26 Sep 2025 13:37:28 -0500 Subject: [PATCH 2/6] remove arch diagram --- content/operate/kubernetes/security/vault.md | 28 +------------------- 1 file changed, 1 insertion(+), 27 deletions(-) diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index 88890103a3..314a086e96 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -91,33 +91,7 @@ Configure Vault token policies with minimum TTL of 1 hour: - Ensures stable operation during maintenance windows - See [Vault token management](https://developer.hashicorp.com/vault/tutorials/tokens/token-management) -## Architecture overview - -Understanding the integration architecture helps ensure proper configuration and troubleshooting. - -### Components and data flow - -``` -┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐ -│ Kubernetes │ │ HashiCorp Vault │ │ Redis Enterprise│ -│ Cluster │ │ │ │ Cluster │ -│ │ │ │ │ │ -│ ┌─────────────┐ │ │ ┌──────────────┐ │ │ ┌─────────────┐ │ -│ │ Redis │◄┼────┼►│ KV-v2 Store │ │ │ │ Database │ │ -│ │ Enterprise │ │ │ │ │ │ │ │ Instances │ │ -│ │ Operator │ │ │ │ - Credentials│ │ │ │ │ │ -│ └─────────────┘ │ │ │ - Certificates│ │ │ └─────────────┘ │ -│ │ │ │ - Licenses │ │ │ │ -│ ┌─────────────┐ │ │ └──────────────┘ │ │ │ -│ │ Vault │ │ │ │ │ │ -│ │ Agent │ │ │ ┌──────────────┐ │ │ │ -│ │ Injector │ │ │ │ Kubernetes │ │ │ │ -│ └─────────────┘ │ │ │ Auth Method │ │ │ │ -└─────────────────┘ │ └──────────────┘ │ └─────────────────┘ - └──────────────────┘ -``` - -### Authentication flow +## Authentication flow 1. **Service Account Authentication**: Redis Enterprise operator uses its Kubernetes service account token 2. **Vault Authentication**: Operator authenticates with Vault using Kubernetes auth method From 8048eb8c5c0818aee6c20aa36142beb92186aea4 Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Wed, 8 Oct 2025 14:05:16 -0700 Subject: [PATCH 3/6] copy edits --- content/operate/kubernetes/security/vault.md | 146 +++++++++---------- 1 file changed, 65 insertions(+), 81 deletions(-) diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index 314a086e96..e181c9d43f 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -30,33 +30,21 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu For complete details on supported secrets, see the [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) and [RedisEnterpriseDatabase API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). -### Key benefits - -- Centralized secret management - Single source of truth for all secrets -- Enhanced security - Vault's encryption, access controls, and audit logging -- Secret rotation - Automated credential rotation capabilities -- Compliance - Meet regulatory requirements with comprehensive audit trails -- Multi-environment support - Consistent secret management across dev/staging/prod - {{}} When using OpenShift, replace `kubectl` commands with `oc` throughout this guide. {{}} + ## Prerequisites Before integrating Redis Enterprise operator with HashiCorp Vault, ensure you have the following components properly configured: ### HashiCorp Vault Requirements -- Vault Instance: Deploy HashiCorp Vault with network connectivity from your Kubernetes cluster - - Tested Version: HashiCorp Vault v1.15.2 (other versions may work but are not officially tested) - - TLS Required: Vault must be configured with TLS encryption - - High Availability: Recommended for production environments +- Vault instance: HashiCorp Vault v1.15.2+ with TLS and network connectivity to your Kubernetes cluster -- Authentication Method: Configure Kubernetes authentication method in Vault - - Enables Kubernetes service accounts to authenticate with Vault - - See [HashiCorp's Kubernetes Auth documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes) +- Authentication method: Configure Kubernetes authentication method in Vault (see [HashiCorp's Kubernetes Auth documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes)) -- Secret Engine: Enable and configure KV version 2 secret engine +- Secret engine: Enable and configure KV version 2 secret engine - Default mount path: `secret/` (configurable) - Used to store all Redis Enterprise secrets - Supports versioning and metadata @@ -67,22 +55,18 @@ Before integrating Redis Enterprise operator with HashiCorp Vault, ensure you ha - Enables automatic secret injection into pods - See [Vault Agent Injector tutorial](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar) -- Network Access: Ensure Kubernetes cluster can reach Vault +- Network access: Ensure Kubernetes cluster can reach Vault - Configure appropriate network policies and firewall rules - Vault typically runs on port 8200 (HTTPS) -- Service Accounts: Proper RBAC configuration for operator service accounts +- Service accounts: Proper RBAC configuration for operator service accounts -### Vault Enterprise considerations +### Vault editions -This guide assumes HashiCorp Vault Enterprise with namespace support: -- **Vault namespaces**: Logical isolation within Vault (not Kubernetes namespaces) -- **Multi-tenancy**: Separate Redis Enterprise deployments by Vault namespace -- **Advanced features**: Audit logging, performance replication, disaster recovery +This guide supports both Vault Community and Enterprise editions: -{{}} -For Vault Community Edition, omit all `VAULT_NAMESPACE` parameters and `-namespace` flags from commands. -{{}} +- Vault Community: Use all commands without `-namespace` flags or `VAULT_NAMESPACE` parameters +- Vault Enterprise: Supports namespaces for logical isolation and multi-tenancy (separate from Kubernetes namespaces) ### Minimum token TTL @@ -93,12 +77,12 @@ Configure Vault token policies with minimum TTL of 1 hour: ## Authentication flow -1. **Service Account Authentication**: Redis Enterprise operator uses its Kubernetes service account token -2. **Vault Authentication**: Operator authenticates with Vault using Kubernetes auth method -3. **Token Acquisition**: Vault issues a time-limited token with appropriate policies -4. **Secret Retrieval**: Operator fetches secrets from Vault KV store using the token -5. **Caching**: Secrets are cached locally with configurable expiration times -6. **Token Renewal**: Tokens are automatically renewed before expiration +1. Service Account Authentication: Redis Enterprise operator uses its Kubernetes service account token +2. Vault Authentication: Operator authenticates with Vault using Kubernetes auth method +3. Token Acquisition: Vault issues a time-limited token with appropriate policies +4. Secret Retrieval: Operator fetches secrets from Vault KV store using the token +5. Caching: Secrets are cached locally with configurable expiration times +6. Token Renewal: Tokens are automatically renewed before expiration ### Secret path structure @@ -107,7 +91,7 @@ Vault secrets follow a hierarchical path structure: // ``` -**Default Example**: +Default example: ``` secret/data/redisenterprise-redis-ns/my-cluster secret/data/redisenterprise-redis-ns/my-database-password @@ -120,13 +104,13 @@ secret/data/redisenterprise-redis-ns/tls-certificates This guide covers the most common deployment scenario with the following assumptions: -- **Vault Enterprise** with namespace support (adapt for Community Edition by removing namespace parameters) -- **Multiple Redis Enterprise clusters** in the same Kubernetes cluster -- **Namespace isolation** using Kubernetes namespace suffixes for Vault configurations -- **Production security** with proper RBAC and network policies +- Vault Enterprise with namespace support (adapt for Community Edition by removing namespace parameters) +- Multiple Redis Enterprise clusters in the same Kubernetes cluster +- Namespace isolation using Kubernetes namespace suffixes for Vault configurations +- Production security with proper RBAC and network policies {{}} -**Multi-cluster considerations**: When deploying across multiple Kubernetes clusters with identical namespace names, additional prefixing may be required to avoid Vault path conflicts. +Multi-cluster considerations: When deploying across multiple Kubernetes clusters with identical namespace names, additional prefixing may be required to avoid Vault path conflicts. {{}} ## Configure the operator @@ -148,7 +132,7 @@ path "secret/metadata/redisenterprise-/*" { EOF ``` -**Parameter explanation:** +Parameter explanation: - ``: Your Vault Enterprise namespace (omit for Community Edition) - ``: Kubernetes namespace where Redis Enterprise operator is deployed @@ -163,7 +147,7 @@ vault write -namespace= auth//role/redis-enterprise- policies=redisenterprise- ``` -**Parameter explanation:** +Parameter explanation: - ``: Kubernetes auth method path in Vault (default: `kubernetes`) - Role name includes namespace for multi-tenant isolation @@ -211,7 +195,7 @@ kubectl apply -f operator-environment-config.yaml | `VAULT_CACHE_SECRET_EXPIRATION_SECONDS` | Secret cache duration | `120` | No | {{}} -**Secret path construction**: Secrets are stored at `/data//` +Secret path construction: Secrets are stored at `/data//` {{}} ### Step 3: Deploy the operator @@ -288,7 +272,7 @@ vault kv put -namespace= \ ``` {{}} -**Important notes:** +Important notes: - The username field in the REC spec is ignored when using Vault - The username from the Vault secret takes precedence @@ -463,7 +447,7 @@ kubectl patch rec rec --type merge --patch '{"spec": {"certificates": {"apiCerti To create a Redis Enterprise database (REDB) with Vault integration: -1. **Create database password in Vault**: +1. Create database password in Vault: ```bash vault kv put -namespace= \ @@ -471,11 +455,11 @@ To create a Redis Enterprise database (REDB) with Vault integration: password= ``` -2. **Create the REDB custom resource**: +2. Create the REDB custom resource: Follow the standard [database creation process]({{< relref "/operate/kubernetes/re-databases" >}}). The REC configuration automatically enables Vault integration for all databases. -3. **Configure additional secrets** (optional): +3. Configure additional secrets (optional): Store additional REDB secrets in the path `redisenterprise-/`. Secrets must comply with the [REDB secrets schema]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). @@ -487,17 +471,17 @@ When using the Redis Enterprise Vault plugin, set `defaultUser: false` and assoc Redis Enterprise databases support several types of secrets that can be stored in Vault: -1. **Database password** - Required for database access -2. **Replica source credentials** (optional) - For cross-cluster replication: +1. Database password - Required for database access +2. Replica source credentials (optional) - For cross-cluster replication: - `clientKeySecret` - Client TLS key - `serverCertSecret` - Server certificate -3. **Backup credentials** (optional) - For database backups: - - **S3 storage**: `awsSecretName` - - **SFTP storage**: `sftpSecretName` - - **Swift storage**: `swiftSecretName` - - **Azure Blob storage**: `absSecretName` - - **Google Cloud storage**: `gcsSecretName` -4. **Client authentication certificates** (optional) - TLS client certificates for authentication +3. Backup credentials (optional) - For database backups: + - S3 storage: `awsSecretName` + - SFTP storage: `sftpSecretName` + - Swift storage: `swiftSecretName` + - Azure Blob storage: `absSecretName` + - Google Cloud storage: `gcsSecretName` +4. Client authentication certificates (optional) - TLS client certificates for authentication For complete field documentation, see the [Redis Enterprise database API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). @@ -515,18 +499,18 @@ REAADB resources include REDB specifications in the `globalConfigurations` field #### Operator pod not ready -**Symptoms**: Operator pod remains in `Pending` or `CrashLoopBackOff` state +Symptoms: Operator pod remains in `Pending` or `CrashLoopBackOff` state -**Causes and solutions**: +Causes and solutions: -1. **Missing admission controller secret** +1. Missing admission controller secret ```bash # Check if admission-tls secret exists in Vault vault kv get -namespace= /redisenterprise-/admission-tls ``` -2. **Vault CA certificate issues** +2. Vault CA certificate issues ```bash # Verify vault-ca-cert secret exists @@ -536,7 +520,7 @@ REAADB resources include REDB specifications in the `globalConfigurations` field kubectl get secret vault-ca-cert -n -o jsonpath='{.data.vault\.ca}' | base64 -d ``` -3. **Network connectivity** +3. Network connectivity ```bash # Test Vault connectivity from operator pod @@ -546,17 +530,17 @@ REAADB resources include REDB specifications in the `globalConfigurations` field #### Authentication failures -**Symptoms**: `Failed to authenticate with Vault` errors in operator logs +Symptoms: `Failed to authenticate with Vault` errors in operator logs -**Solutions**: +Solutions: -1. **Verify Vault role configuration** +1. Verify Vault role configuration ```bash vault read -namespace= auth//role/redis-enterprise-operator- ``` -2. **Check service account token** +2. Check service account token ```bash # Verify service account exists @@ -568,23 +552,23 @@ REAADB resources include REDB specifications in the `globalConfigurations` field #### Secret retrieval failures -**Symptoms**: `Failed to read Vault secret` errors +Symptoms: `Failed to read Vault secret` errors -**Solutions**: +Solutions: -1. **Verify secret exists** +1. Verify secret exists ```bash vault kv get -namespace= /redisenterprise-/ ``` -2. **Check policy permissions** +2. Check policy permissions ```bash vault policy read -namespace= redisenterprise- ``` -3. **Validate secret format** +3. Validate secret format ```bash # Cluster credentials must have 'username' and 'password' keys @@ -617,40 +601,40 @@ kubectl exec -it -n -c redis-enterprise-operator ### Vault configuration -1. **Enable audit logging** +1. Enable audit logging ```bash vault audit enable file file_path=/vault/logs/audit.log ``` -2. **Use least privilege policies** +2. Use least privilege policies - Grant only necessary permissions to Redis Enterprise policies - Regularly review and update access policies - Use separate policies for different environments -3. **Implement secret rotation** +3. Implement secret rotation - Configure automatic rotation for database passwords - Use Vault's dynamic secrets when possible - Monitor secret access patterns -4. **Secure network communication** +4. Secure network communication - Always use TLS for Vault communication - Implement network policies to restrict access - Use private networks when possible ### Kubernetes security -1. **Service account management** +1. Service account management - Use dedicated service accounts for each Redis Enterprise deployment - Implement RBAC with minimal required permissions - Regularly audit service account usage -2. **Secret management** +2. Secret management - Never store secrets in container images or configuration files - Use Kubernetes secrets only for Vault CA certificates - Implement secret scanning in CI/CD pipelines -3. **Network policies** +3. Network policies ```yaml apiVersion: networking.k8s.io/v1 @@ -675,34 +659,34 @@ kubectl exec -it -n -c redis-enterprise-operator ### Monitoring and alerting -1. **Monitor Vault access** +1. Monitor Vault access - Set up alerts for failed authentication attempts - Monitor secret access patterns - Track token usage and expiration -2. **Redis Enterprise monitoring** +2. Redis Enterprise monitoring - Monitor operator pod health and logs - Set up alerts for secret retrieval failures - Track cluster and database creation events -3. **Security scanning** +3. Security scanning - Regularly scan container images for vulnerabilities - Implement runtime security monitoring - Audit Vault policies and access patterns ### Compliance considerations -1. **Data encryption** +1. Data encryption - Ensure data is encrypted in transit and at rest - Use strong encryption algorithms - Regularly rotate encryption keys -2. **Access control** +2. Access control - Implement multi-factor authentication for Vault access - Use role-based access control (RBAC) - Maintain audit trails for all access -3. **Backup and recovery** +3. Backup and recovery - Regularly backup Vault data - Test disaster recovery procedures - Implement cross-region replication for high availability From 3e8c9d2911662defbded090691ef70777297fbfe Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Wed, 15 Oct 2025 09:55:14 -0500 Subject: [PATCH 4/6] page structure edits --- content/operate/kubernetes/security/vault.md | 696 +++++++------------ 1 file changed, 269 insertions(+), 427 deletions(-) diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index e181c9d43f..b6681f8658 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -1,5 +1,5 @@ --- -Title: Integrate Redis Enterprise operator with HashiCorp Vault +Title: Integrate HashiCorp Vault with Redis Enterprise for Kubernetes alwaysopen: false categories: - docs @@ -10,25 +10,56 @@ linkTitle: HashiCorp Vault integration weight: 97 --- -# Integrate Redis Enterprise operator with HashiCorp Vault - -## Overview - HashiCorp Vault can be configured as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging. -### What secrets are managed by Vault? +## What secrets are managed by Vault? When Vault integration is enabled, all secrets referenced in Redis Enterprise custom resources are retrieved from Vault instead of Kubernetes secrets, including: -- Cluster credentials - Admin username/password for Redis Enterprise clusters -- Database credentials - Passwords for Redis databases -- TLS certificates - API, cluster management, proxy, syncer, and LDAP client certificates -- License keys - Redis Enterprise license information -- Backup credentials - Access keys for S3, Azure Blob, GCS, Swift, and SFTP storage -- LDAP credentials - Authentication details for LDAP servers -- Replica source credentials - TLS certificates for cross-cluster replication +### Cluster secrets + +- [**Cluster credentials**]({{< relref "/operate/kubernetes/deployment/quick-start" >}}) ([`clusterCredentialSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**License**]({{< relref "/operate/kubernetes/deployment/quick-start#install-the-license" >}}) ([`licenseSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**API certificate**]({{< relref "/operate/kubernetes/security/tls" >}}) ([`apiCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**Cluster manager certificate**]({{< relref "/operate/kubernetes/security/tls" >}}) ([`cmCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**Metrics exporter certificate**]({{< relref "/operate/kubernetes/observability/prometheus-metrics-exporter" >}}) ([`metricsExporterCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**Proxy certificate**]({{< relref "/operate/kubernetes/security/tls" >}}) ([`proxyCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**Syncer certificate**]({{< relref "/operate/kubernetes/active-active" >}}) ([`syncerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) +- [**LDAP client certificate**]({{< relref "/operate/kubernetes/security/ldap" >}})([`ldapClientCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}})) + +### Database secrets + +- [**Database passwords**]({{< relref "/operate/kubernetes/re-databases" >}}) - Passwords for Redis databases +- [**Replica source credentials**]({{< relref "/operate/kubernetes/active-active" >}}) - For cross-cluster replication: + - Client TLS key ([`clientKeySecret`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) + - Server certificate ([`serverCertSecret`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) +- [**Backup credentials**]({{< relref "/operate/kubernetes/re-databases/db-backup" >}}) - For database backups: + - S3 storage ([`awsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) + - SFTP storage ([`sftpSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) + - Swift storage ([`swiftSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) + - Azure Blob storage ([`absSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) + - Google Cloud storage ([`gcsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}})) +- [**Client authentication certificates**]({{< relref "/operate/kubernetes/security/tls" >}}) - TLS client certificates for authentication + +### Other secrets +- [**Remote cluster secrets**]({{< relref "/operate/kubernetes/remote-clusters" >}}) ([`secretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_remote_cluster_api#redisenterpriseremoteclusterspec" >}})) - For Redis Enterprise Remote Cluster (RERC) configurations +- [**Active-Active database secrets**]({{< relref "/operate/kubernetes/active-active" >}}) - All secret names specified in REAADB [`globalConfigurations`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api#redisenterpriseactiveactivedatabasespec" >}}) + +For complete details on supported secrets, see the [`RedisEnterpriseCluster` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) and [`RedisEnterpriseDatabase` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). + +### Secret path structure + +Vault secrets follow a hierarchical path structure: +``` +// +``` -For complete details on supported secrets, see the [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) and [RedisEnterpriseDatabase API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). +Default example: +``` +secret/data/redisenterprise-redis-ns/my-cluster +secret/data/redisenterprise-redis-ns/my-database-password +secret/data/redisenterprise-redis-ns/tls-certificates +``` {{}} When using OpenShift, replace `kubectl` commands with `oc` throughout this guide. @@ -38,68 +69,39 @@ When using OpenShift, replace `kubectl` commands with `oc` throughout this guide Before integrating Redis Enterprise operator with HashiCorp Vault, ensure you have the following components properly configured: -### HashiCorp Vault Requirements +**HashiCorp Vault Requirements:** - Vault instance: HashiCorp Vault v1.15.2+ with TLS and network connectivity to your Kubernetes cluster - - Authentication method: Configure Kubernetes authentication method in Vault (see [HashiCorp's Kubernetes Auth documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes)) - - Secret engine: Enable and configure KV version 2 secret engine - Default mount path: `secret/` (configurable) - Used to store all Redis Enterprise secrets - Supports versioning and metadata -### Kubernetes Requirements +**Kubernetes Requirements:** - Vault Agent Injector: Deploy the HashiCorp Vault Agent Injector - Enables automatic secret injection into pods - See [Vault Agent Injector tutorial](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar) - - Network access: Ensure Kubernetes cluster can reach Vault - Configure appropriate network policies and firewall rules - Vault typically runs on port 8200 (HTTPS) - - Service accounts: Proper RBAC configuration for operator service accounts -### Vault editions +**Vault editions:** This guide supports both Vault Community and Enterprise editions: - Vault Community: Use all commands without `-namespace` flags or `VAULT_NAMESPACE` parameters - Vault Enterprise: Supports namespaces for logical isolation and multi-tenancy (separate from Kubernetes namespaces) -### Minimum token TTL +**Minimum token TTL:** Configure Vault token policies with minimum TTL of 1 hour: - Prevents frequent token renewal overhead - Ensures stable operation during maintenance windows - See [Vault token management](https://developer.hashicorp.com/vault/tutorials/tokens/token-management) -## Authentication flow - -1. Service Account Authentication: Redis Enterprise operator uses its Kubernetes service account token -2. Vault Authentication: Operator authenticates with Vault using Kubernetes auth method -3. Token Acquisition: Vault issues a time-limited token with appropriate policies -4. Secret Retrieval: Operator fetches secrets from Vault KV store using the token -5. Caching: Secrets are cached locally with configurable expiration times -6. Token Renewal: Tokens are automatically renewed before expiration - -### Secret path structure - -Vault secrets follow a hierarchical path structure: -``` -// -``` - -Default example: -``` -secret/data/redisenterprise-redis-ns/my-cluster -secret/data/redisenterprise-redis-ns/my-database-password -secret/data/redisenterprise-redis-ns/tls-certificates -``` - -## Installation and setup - ### Deployment scenarios This guide covers the most common deployment scenario with the following assumptions: @@ -115,300 +117,264 @@ Multi-cluster considerations: When deploying across multiple Kubernetes clusters ## Configure the operator -### Step 1: Configure Vault policies and roles +1. **Configure Vault policies and roles** -#### Create Vault policy + Create a policy that grants the Redis Enterprise operator read access to secrets: -Create a policy that grants the Redis Enterprise operator read access to secrets: - -```bash -vault policy write -namespace= redisenterprise- - </*" { - capabilities = ["create", "read", "update", "delete", "list"] -} -path "secret/metadata/redisenterprise-/*" { - capabilities = ["list"] -} -EOF -``` + ```bash + vault policy write -namespace= redisenterprise- - </*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "secret/metadata/redisenterprise-/*" { + capabilities = ["list"] + } + EOF + ``` -Parameter explanation: -- ``: Your Vault Enterprise namespace (omit for Community Edition) -- ``: Kubernetes namespace where Redis Enterprise operator is deployed + Parameter explanation: + - ``: Your Vault Enterprise namespace (omit for Community Edition) + - ``: Kubernetes namespace where Redis Enterprise operator is deployed -#### Create Vault role + Configure a Vault role that binds the operator's service account to the policy: -Configure a Vault role that binds the operator's service account to the policy: + ```bash + vault write -namespace= auth//role/redis-enterprise-operator- \ + bound_service_account_names="redis-enterprise-operator" \ + bound_service_account_namespaces= \ + policies=redisenterprise- + ``` -```bash -vault write -namespace= auth//role/redis-enterprise-operator- \ - bound_service_account_names="redis-enterprise-operator" \ - bound_service_account_namespaces= \ - policies=redisenterprise- -``` + Parameter explanation: + - ``: Kubernetes auth method path in Vault (default: `kubernetes`) + - Role name includes namespace for multi-tenant isolation -Parameter explanation: -- ``: Kubernetes auth method path in Vault (default: `kubernetes`) -- Role name includes namespace for multi-tenant isolation +2. **Configure operator environment** -### Step 2: Configure operator environment + Create a ConfigMap with Vault configuration for the Redis Enterprise operator: -Create a ConfigMap with Vault configuration for the Redis Enterprise operator: + ```yaml + # operator-environment-config.yaml + apiVersion: v1 + kind: ConfigMap + metadata: + name: operator-environment-config + namespace: + data: + CREDENTIAL_TYPE: "vault" + VAULT_SERVER_FQDN: "" + VAULT_SERVICE_PORT_HTTPS: "8200" + VAULT_SECRET_ROOT: "secret" + VAULT_SECRET_PREFIX: "redisenterprise-" + VAULT_ROLE: "redis-enterprise-operator-" + VAULT_AUTH_PATH: "" + VAULT_NAMESPACE: "" + VAULT_CACHE_SECRET_EXPIRATION_SECONDS: "120" + ``` -```yaml -# operator-environment-config.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: operator-environment-config - namespace: -data: - CREDENTIAL_TYPE: "vault" - VAULT_SERVER_FQDN: "" - VAULT_SERVICE_PORT_HTTPS: "8200" - VAULT_SECRET_ROOT: "secret" - VAULT_SECRET_PREFIX: "redisenterprise-" - VAULT_ROLE: "redis-enterprise-operator-" - VAULT_AUTH_PATH: "" - VAULT_NAMESPACE: "" - VAULT_CACHE_SECRET_EXPIRATION_SECONDS: "120" -``` + Apply the configuration: -Apply the configuration: + ```bash + kubectl apply -f operator-environment-config.yaml + ``` -```bash -kubectl apply -f operator-environment-config.yaml -``` + **Configuration parameters:** -#### Configuration parameters + | Parameter | Description | Default | Required | + |-----------|-------------|---------|----------| + | `CREDENTIAL_TYPE` | Must be set to `"vault"` to enable Vault integration | - | Yes | + | `VAULT_SERVER_FQDN` | Vault server hostname (e.g., `vault.vault-ns.svc.cluster.local`) | - | Yes | + | `VAULT_SERVICE_PORT_HTTPS` | Vault HTTPS port | `8200` | Yes | + | `VAULT_SECRET_ROOT` | KV-v2 secret engine mount path | `secret` | Yes | + | `VAULT_SECRET_PREFIX` | Prefix for all Redis Enterprise secrets | `redisenterprise` | Yes | + | `VAULT_ROLE` | Vault role for operator authentication | `redis-enterprise-operator` | Yes | + | `VAULT_AUTH_PATH` | Kubernetes auth method path | `kubernetes` | Yes | + | `VAULT_NAMESPACE` | Vault Enterprise namespace | - | Enterprise only | + | `VAULT_CACHE_SECRET_EXPIRATION_SECONDS` | Secret cache duration | `120` | No | -| Parameter | Description | Default | Required | -|-----------|-------------|---------|----------| -| `CREDENTIAL_TYPE` | Must be set to `"vault"` to enable Vault integration | - | Yes | -| `VAULT_SERVER_FQDN` | Vault server hostname (e.g., `vault.vault-ns.svc.cluster.local`) | - | Yes | -| `VAULT_SERVICE_PORT_HTTPS` | Vault HTTPS port | `8200` | Yes | -| `VAULT_SECRET_ROOT` | KV-v2 secret engine mount path | `secret` | Yes | -| `VAULT_SECRET_PREFIX` | Prefix for all Redis Enterprise secrets | `redisenterprise` | Yes | -| `VAULT_ROLE` | Vault role for operator authentication | `redis-enterprise-operator` | Yes | -| `VAULT_AUTH_PATH` | Kubernetes auth method path | `kubernetes` | Yes | -| `VAULT_NAMESPACE` | Vault Enterprise namespace | - | Enterprise only | -| `VAULT_CACHE_SECRET_EXPIRATION_SECONDS` | Secret cache duration | `120` | No | + **Secret path construction:** Secrets are stored at `/data//` -{{}} -Secret path construction: Secrets are stored at `/data//` -{{}} +
-### Step 3: Deploy the operator +3. **Deploy the operator** -Deploy the Redis Enterprise operator following the [standard installation guide]({{< relref "/operate/kubernetes/deployment" >}}). + Deploy the Redis Enterprise operator following the [standard installation guide]({{< relref "/operate/kubernetes/deployment" >}}). -{{}} -The operator pod will not be ready until the admission controller secret is stored in Vault (covered in the next step). -{{}} + {{}} + The operator pod will not be ready until the admission controller secret is stored in Vault (covered in the next step). + {{}} -### Step 4: Configure admission controller secret +
-Generate and store the admission controller TLS certificate in Vault: +4. **Configure admission controller secret** -#### Generate TLS certificate + Generate and store the admission controller TLS certificate in Vault: -```bash -kubectl exec -it $(kubectl get pod -l name=redis-enterprise-operator -o jsonpath='{.items[0].metadata.name}') \ - -c redis-enterprise-operator -- /usr/local/bin/generate-tls -infer | tail -4 > output.json -``` + ```bash + kubectl exec -it $(kubectl get pod -l name=redis-enterprise-operator -o jsonpath='{.items[0].metadata.name}') \ + -c redis-enterprise-operator -- /usr/local/bin/generate-tls -infer | tail -4 > output.json + ``` -#### Store certificate in Vault + Copy the certificate file to Vault (if Vault is running in Kubernetes): -Copy the certificate file to Vault (if Vault is running in Kubernetes): + ```bash + kubectl cp output.json vault-0:/tmp -n vault + ``` -```bash -kubectl cp output.json vault-0:/tmp -n vault -``` + Store the certificate in Vault: -Store the certificate in Vault: + ```bash + vault kv put -namespace= /redisenterprise-/admission-tls @output.json + ``` -```bash -vault kv put -namespace= /redisenterprise-/admission-tls @output.json -``` + {{}} + Once the operator is running with Vault integration, proceed to create Redis Enterprise clusters. Do not create clusters before completing this setup. + {{}} -{{}} -Once the operator is running with Vault integration, proceed to create Redis Enterprise clusters. Do not create clusters before completing this setup. -{{}} +
-### Step 5: Create Vault CA certificate secret +5. **Create Vault CA certificate secret** -Create a Kubernetes secret containing the Certificate Authority certificate used by your Vault instance: + Create a Kubernetes secret containing the Certificate Authority certificate used by your Vault instance: -```bash -kubectl create secret generic vault-ca-cert \ - --namespace \ - --from-file=vault.ca= -``` + ```bash + kubectl create secret generic vault-ca-cert \ + --namespace \ + --from-file=vault.ca= + ``` -{{}} -The Vault server certificate must be signed by the Certificate Authority provided in this secret. -{{}} + {{}} + The Vault server certificate must be signed by the Certificate Authority provided in this secret. + {{}} ## Create Redis Enterprise clusters -### Step 1: Generate cluster credentials - -Unlike standard deployments, Vault integration requires manually creating cluster credentials: - -#### Generate strong password - -```bash -# Generate a secure random password -openssl rand -base64 32 -``` - -#### Store credentials in Vault +1. **Generate cluster credentials** -```bash -vault kv put -namespace= \ - /redisenterprise-/ \ - username= \ - password= -``` + Unlike standard deployments, Vault integration requires manually creating cluster credentials: -{{}} -Important notes: + ```bash + # Generate a secure random password + openssl rand -base64 32 + ``` -- The username field in the REC spec is ignored when using Vault -- The username from the Vault secret takes precedence -- Use strong, unique passwords for each cluster -{{}} + Store credentials in Vault: -### Step 2: Create cluster service account role + ```bash + vault kv put -namespace= \ + /redisenterprise-/ \ + username= \ + password= + ``` -Configure a Vault role for the Redis Enterprise cluster's service account: + {{}} + Important notes: + - The username field in the REC spec is ignored when using Vault + - The username from the Vault secret takes precedence + - Use strong, unique passwords for each cluster + {{}} -```bash -vault write -namespace= \ - auth//role/redis-enterprise-rec- \ - bound_service_account_names= \ - bound_service_account_namespaces= \ - policies=redisenterprise- -``` +
-### Step 3: Deploy Redis Enterprise cluster +2. **Create cluster service account role** -Create the RedisEnterpriseCluster resource with Vault configuration: + Configure a Vault role for the Redis Enterprise cluster's service account: -```yaml -apiVersion: app.redislabs.com/v1 -kind: RedisEnterpriseCluster -metadata: - name: rec - namespace: - labels: - app: redis-enterprise -spec: - nodes: 3 - clusterCredentialSecretName: rec - clusterCredentialSecretType: vault - clusterCredentialSecretRole: redis-enterprise-rec- - vaultCASecret: vault-ca-cert - podAnnotations: - vault.hashicorp.com/auth-path: auth/ - vault.hashicorp.com/namespace: -``` + ```bash + vault write -namespace= \ + auth//role/redis-enterprise-rec- \ + bound_service_account_names= \ + bound_service_account_namespaces= \ + policies=redisenterprise- + ``` -Apply the configuration: +
-```bash -kubectl apply -f redis-enterprise-cluster.yaml -``` +3. **Deploy Redis Enterprise cluster** -#### Key configuration fields + Create the `RedisEnterpriseCluster` resource with Vault configuration: -| Field | Description | Example | -|-------|-------------|---------| -| `clusterCredentialSecretName` | Name of the secret in Vault containing cluster credentials | `rec` | -| `clusterCredentialSecretType` | Must be set to `vault` | `vault` | -| `clusterCredentialSecretRole` | Vault role for cluster authentication | `redis-enterprise-rec-` | -| `vaultCASecret` | Kubernetes secret containing Vault's CA certificate | `vault-ca-cert` | -| `podAnnotations` | Vault agent annotations for pod-level configuration | See example above | + ```yaml + apiVersion: app.redislabs.com/v1 + kind: RedisEnterpriseCluster + metadata: + name: rec + namespace: + labels: + app: redis-enterprise + spec: + nodes: 3 + clusterCredentialSecretName: rec + clusterCredentialSecretType: vault + clusterCredentialSecretRole: redis-enterprise-rec- + vaultCASecret: vault-ca-cert + podAnnotations: + vault.hashicorp.com/auth-path: auth/ + vault.hashicorp.com/namespace: + ``` -## Manage database secrets + Apply the configuration: -### Redis Enterprise database secrets + ```bash + kubectl apply -f redis-enterprise-cluster.yaml + ``` -Redis Enterprise databases support various types of secrets stored in Vault: + **Key configuration fields:** -#### Database password + | Field | Description | Example | + |-------|-------------|---------| + | `clusterCredentialSecretName` | Name of the secret in Vault containing cluster credentials | `rec` | + | `clusterCredentialSecretType` | Must be set to `vault` | `vault` | + | `clusterCredentialSecretRole` | Vault role for cluster authentication | `redis-enterprise-rec-` | + | `vaultCASecret` | Kubernetes secret containing Vault's CA certificate | `vault-ca-cert` | + | `podAnnotations` | Vault agent annotations for pod-level configuration | See example above | -Store database passwords in Vault using the database name as the secret key: -```bash -vault kv put -namespace= \ - /redisenterprise-/ \ - password= -``` -#### Backup storage credentials +## Create Redis Enterprise databases -Configure backup storage credentials for different providers: +To create a Redis Enterprise database (REDB) with Vault integration: -AWS S3: -```bash -vault kv put -namespace= \ - /redisenterprise-/ \ - AWS_ACCESS_KEY_ID= \ - AWS_SECRET_ACCESS_KEY= -``` +1. Create database password in Vault: + ```bash + vault kv put -namespace= \ + /redisenterprise-/redb- \ + password= + ``` -Azure Blob Storage: -```bash -vault kv put -namespace= \ - /redisenterprise-/ \ - AZURE_ACCOUNT_NAME= \ - AZURE_ACCOUNT_KEY= -``` +
-Google Cloud Storage: -```bash -vault kv put -namespace= \ - /redisenterprise-/ \ - GOOGLE_APPLICATION_CREDENTIALS= -``` +2. Create the REDB custom resource: + Follow the standard [database creation process]({{< relref "/operate/kubernetes/re-databases" >}}). The REC configuration automatically enables Vault integration for all databases. -#### TLS certificates +
-Store TLS certificates for secure database connections: +3. Configure additional secrets (optional): + Store additional REDB secrets in the path `redisenterprise-/`. Secrets must comply with the [REDB secrets schema]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). -```bash -vault kv put -namespace= \ - /redisenterprise-/ \ - tls.crt= \ - tls.key= -``` +{{}} +When using the Redis Enterprise Vault plugin, set `defaultUser: false` and associate users through ACL bindings to the REDB. +{{}} -### Redis Enterprise cluster secrets +For complete field documentation, see the [Redis Enterprise database API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). -The following secrets can be stored in Vault for cluster configuration: +### Redis Enterprise Remote Cluster secrets -#### Required secrets +The `secretName` field is supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source. -- **Cluster credentials**: `clusterCredentialSecretName` - Admin username/password -- **License**: `licenseSecretName` - Redis Enterprise license key +### Redis Enterprise Active-Active database secrets -#### Optional certificates +REAADB resources include REDB specifications in the `globalConfigurations` field. All secret names specified in these configurations are supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source. -- **API certificate**: `apiCertificateSecretName` - REST API TLS certificate -- **Cluster manager certificate**: `cmCertificateSecretName` - Internal cluster communication -- **Metrics exporter certificate**: `metricsExporterCertificateSecretName` - Prometheus metrics -- **Proxy certificate**: `proxyCertificateSecretName` - Database proxy TLS -- **Syncer certificate**: `syncerCertificateSecretName` - Cross-cluster replication -- **LDAP client certificate**: `ldapClientCertificateSecretName` - LDAP authentication +## Manage secrets {{}} -Complete field documentation is available in the [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}). +Complete field documentation is available in the [`RedisEnterpriseCluster` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) and [`RedisEnterpriseDatabase` API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). {{}} +### Redis Enterprise cluster secrets - -### Example REC configuration with all certificates +#### Example REC configuration with all certificates ```yaml apiVersion: app.redislabs.com/v1 @@ -443,55 +409,36 @@ You can also update certificates using `kubectl patch`: kubectl patch rec rec --type merge --patch '{"spec": {"certificates": {"apiCertificateSecretName": ""}}}' ``` -### Create Redis Enterprise databases - -To create a Redis Enterprise database (REDB) with Vault integration: - -1. Create database password in Vault: - - ```bash - vault kv put -namespace= \ - /redisenterprise-/redb- \ - password= - ``` - -2. Create the REDB custom resource: - - Follow the standard [database creation process]({{< relref "/operate/kubernetes/re-databases" >}}). The REC configuration automatically enables Vault integration for all databases. - -3. Configure additional secrets (optional): - - Store additional REDB secrets in the path `redisenterprise-/`. Secrets must comply with the [REDB secrets schema]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). - -{{}} -When using the Redis Enterprise Vault plugin, set `defaultUser: false` and associate users through ACL bindings to the REDB. -{{}} - -### Additional database secret types +### Database secrets -Redis Enterprise databases support several types of secrets that can be stored in Vault: - -1. Database password - Required for database access -2. Replica source credentials (optional) - For cross-cluster replication: - - `clientKeySecret` - Client TLS key - - `serverCertSecret` - Server certificate -3. Backup credentials (optional) - For database backups: - - S3 storage: `awsSecretName` - - SFTP storage: `sftpSecretName` - - Swift storage: `swiftSecretName` - - Azure Blob storage: `absSecretName` - - Google Cloud storage: `gcsSecretName` -4. Client authentication certificates (optional) - TLS client certificates for authentication +#### Database passwords +Store database passwords in Vault using the database name as the secret key: -For complete field documentation, see the [Redis Enterprise database API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}). +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + password= +``` -### Redis Enterprise Remote Cluster secrets +#### Backup storage credentials +Store backup storage credentials for Redis Enterprise databases: -The `secretName` field is supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source. +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + AWS_ACCESS_KEY_ID= \ + AWS_SECRET_ACCESS_KEY= +``` -### Redis Enterprise Active-Active database secrets +#### TLS certificates +Store TLS certificates for database connections: -REAADB resources include REDB specifications in the `globalConfigurations` field. All secret names specified in these configurations are supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source. +```bash +vault kv put -namespace= \ + /redisenterprise-/ \ + tls.crt= \ + tls.key= +``` ## Troubleshooting @@ -503,15 +450,13 @@ Symptoms: Operator pod remains in `Pending` or `CrashLoopBackOff` state Causes and solutions: -1. Missing admission controller secret - +1. Missing admission controller secret: ```bash # Check if admission-tls secret exists in Vault vault kv get -namespace= /redisenterprise-/admission-tls ``` -2. Vault CA certificate issues - +2. Vault CA certificate issues: ```bash # Verify vault-ca-cert secret exists kubectl get secret vault-ca-cert -n @@ -520,8 +465,7 @@ Causes and solutions: kubectl get secret vault-ca-cert -n -o jsonpath='{.data.vault\.ca}' | base64 -d ``` -3. Network connectivity - +3. Network connectivity: ```bash # Test Vault connectivity from operator pod kubectl exec -it -c redis-enterprise-operator -- \ @@ -534,14 +478,12 @@ Symptoms: `Failed to authenticate with Vault` errors in operator logs Solutions: -1. Verify Vault role configuration - +1. Verify Vault role configuration: ```bash vault read -namespace= auth//role/redis-enterprise-operator- ``` -2. Check service account token - +2. Check service account token: ```bash # Verify service account exists kubectl get serviceaccount redis-enterprise-operator -n @@ -556,20 +498,17 @@ Symptoms: `Failed to read Vault secret` errors Solutions: -1. Verify secret exists - +1. Verify secret exists: ```bash vault kv get -namespace= /redisenterprise-/ ``` -2. Check policy permissions - +2. Check policy permissions: ```bash vault policy read -namespace= redisenterprise- ``` -3. Validate secret format - +3. Validate secret format: ```bash # Cluster credentials must have 'username' and 'password' keys vault kv get -format=json -namespace= /redisenterprise-/ @@ -577,116 +516,19 @@ Solutions: ### Debugging commands -#### Check operator logs - +Check operator logs: ```bash kubectl logs -f deployment/redis-enterprise-operator -n -c redis-enterprise-operator ``` -#### Verify Vault configuration - +Verify Vault configuration: ```bash kubectl get configmap operator-environment-config -n -o yaml ``` -#### Test Vault authentication - +Test Vault authentication: ```bash # From within operator pod kubectl exec -it -n -c redis-enterprise-operator -- \ cat /var/run/secrets/kubernetes.io/serviceaccount/token ``` - -## Security best practices - -### Vault configuration - -1. Enable audit logging - - ```bash - vault audit enable file file_path=/vault/logs/audit.log - ``` - -2. Use least privilege policies - - Grant only necessary permissions to Redis Enterprise policies - - Regularly review and update access policies - - Use separate policies for different environments - -3. Implement secret rotation - - Configure automatic rotation for database passwords - - Use Vault's dynamic secrets when possible - - Monitor secret access patterns - -4. Secure network communication - - Always use TLS for Vault communication - - Implement network policies to restrict access - - Use private networks when possible - -### Kubernetes security - -1. Service account management - - Use dedicated service accounts for each Redis Enterprise deployment - - Implement RBAC with minimal required permissions - - Regularly audit service account usage - -2. Secret management - - Never store secrets in container images or configuration files - - Use Kubernetes secrets only for Vault CA certificates - - Implement secret scanning in CI/CD pipelines - -3. Network policies - - ```yaml - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: redis-enterprise-vault-access - spec: - podSelector: - matchLabels: - app: redis-enterprise-operator - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - name: vault - ports: - - protocol: TCP - port: 8200 - ``` - -### Monitoring and alerting - -1. Monitor Vault access - - Set up alerts for failed authentication attempts - - Monitor secret access patterns - - Track token usage and expiration - -2. Redis Enterprise monitoring - - Monitor operator pod health and logs - - Set up alerts for secret retrieval failures - - Track cluster and database creation events - -3. Security scanning - - Regularly scan container images for vulnerabilities - - Implement runtime security monitoring - - Audit Vault policies and access patterns - -### Compliance considerations - -1. Data encryption - - Ensure data is encrypted in transit and at rest - - Use strong encryption algorithms - - Regularly rotate encryption keys - -2. Access control - - Implement multi-factor authentication for Vault access - - Use role-based access control (RBAC) - - Maintain audit trails for all access - -3. Backup and recovery - - Regularly backup Vault data - - Test disaster recovery procedures - - Implement cross-region replication for high availability From e09353f9d3aa8e7d2aef87ac2843e07a88019a0b Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael <76962844+kaitlynmichael@users.noreply.github.com> Date: Tue, 21 Oct 2025 10:25:11 -0500 Subject: [PATCH 5/6] Update content/operate/kubernetes/security/vault.md Co-authored-by: andy-stark-redis <164213578+andy-stark-redis@users.noreply.github.com> --- content/operate/kubernetes/security/vault.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index b6681f8658..56c133559d 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -10,7 +10,7 @@ linkTitle: HashiCorp Vault integration weight: 97 --- -HashiCorp Vault can be configured as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging. +You can configure HashiCorp Vault as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging. ## What secrets are managed by Vault? From 8151c8c5bee1181134905d920d82968d9a9fb599 Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael <76962844+kaitlynmichael@users.noreply.github.com> Date: Tue, 21 Oct 2025 10:25:31 -0500 Subject: [PATCH 6/6] Update content/operate/kubernetes/security/vault.md Co-authored-by: andy-stark-redis <164213578+andy-stark-redis@users.noreply.github.com> --- content/operate/kubernetes/security/vault.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index 56c133559d..f3b73f5aa6 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -267,12 +267,11 @@ Multi-cluster considerations: When deploying across multiple Kubernetes clusters password= ``` - {{}} - Important notes: + {{< alert title="Important notes" >}} - The username field in the REC spec is ignored when using Vault - The username from the Vault secret takes precedence - Use strong, unique passwords for each cluster - {{}} + {{}}