
Configure Grafana Mimir to allow Vault Agent to inject certificates and keys into Pods

When you enable this feature, the Helm chart adds Vault Agent injector annotations to the Pod template of every component whose TLS (transport layer security) settings are configurable. When you deploy Mimir or GEM, the Vault Agent injector reads those annotations, fetches the referenced secrets from Vault, and mounts them into the Pod as files under /vault/secrets/. Nothing is written into the chart or into Kubernetes Secrets; the certificate material only ever exists in Vault and in the Pod's in-memory volume.

Note: Vault and the Vault Agent injector (the mutating webhook that reads these annotations) must already be running in the cluster, and the Kubernetes auth role named in `roleName` must be bound to the Mimir Pods' service account with a policy that grants read access to the listed secret paths.

Example values.yaml file (the settings live under the chart's top-level `vaultAgent` key):

vaultAgent:
  enabled: true
  roleName: "test-role"
  clientCertPath: "client/cert/path"
  clientKeyPath: "client/key/path"
  serverCertPath: "server/cert/path"
  serverKeyPath: "server/key/path"
  caCertPath: "ca/cert/path"

Generated Kubernetes Deployment YAML file based on the preceding example (label and annotation keys shown in full; the CA file name `root.crt` is the one the chart's template helper emits, so confirm it against the output of `helm template` for your chart version):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name
  labels:
    helm.sh/chart: mimir-release-1.2.3
    app.kubernetes.io/name: mimir
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/component: component-name
    app.kubernetes.io/version: "123"
    app.kubernetes.io/managed-by: Helm
  annotations: {}
  namespace: "default"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: mimir
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: component-name
  strategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "test-role"
        vault.hashicorp.com/agent-inject-secret-client.crt: "client/cert/path"
        vault.hashicorp.com/agent-inject-secret-client.key: "client/key/path"
        vault.hashicorp.com/agent-inject-secret-server.crt: "server/cert/path"
        vault.hashicorp.com/agent-inject-secret-server.key: "server/key/path"
        vault.hashicorp.com/agent-inject-secret-root.crt: "ca/cert/path"

The annotation vault.hashicorp.com/agent-inject-secret-<FILENAME>: '<PATH>' tells Vault Agent where to find the secret in Vault and which file name to write it to. For example, 'vault.hashicorp.com/agent-inject-secret-client.crt: "client/cert/path"' makes Vault Agent read the secret at the path client/cert/path within Vault and mount it in the Pod as client.crt in the /vault/secrets/ directory. The Mimir TLS configuration must then reference those same file names (for example /vault/secrets/server.crt and /vault/secrets/server.key); a mismatch between the annotation file name and the path in the Mimir config is the most common reason a component fails to start after enabling this feature.
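Before rolling this out, it is worth checking the rendered manifests rather than trusting the values file: a component that is missing one annotation, or that carries an empty role, will start without its certificate material. The following audit script is an added example written for this page; it is not part of the mimir-distributed chart or the Vault Agent injector. It reads a kubectl-style JSON list (for example from `kubectl get deploy,sts -n mimir -o json`, or from `helm template ... | yq -o json`) and reports any Deployment or StatefulSet whose Pod template does not request all five files. The required file names, including `root.crt` for the CA, are an assumption taken from the rendered example above; the sample manifest at the bottom is constructed for the example.

```python
"""Audit Kubernetes workloads for complete Vault Agent TLS injection annotations.

Run against a cluster:   kubectl get deploy,sts -n mimir -o json | python3 audit_vault_inject.py -
Run the built-in sample: python3 audit_vault_inject.py
"""
import json
import sys

INJECT = "vault.hashicorp.com/agent-inject"
ROLE = "vault.hashicorp.com/role"
SECRET_PREFIX = "vault.hashicorp.com/agent-inject-secret-"
SECRETS_DIR = "/vault/secrets"

# File names a TLS-enabled component needs under /vault/secrets. The names mirror
# the rendered Deployment on this page; root.crt for the CA is an assumption to
# confirm against your own `helm template` output.
REQUIRED_FILES = ("client.crt", "client.key", "server.crt", "server.key", "root.crt")


def pod_annotations(workload):
    """Annotations on the Pod template (where the injector looks), not on the workload."""
    template = workload.get("spec", {}).get("template", {})
    return template.get("metadata", {}).get("annotations") or {}


def injected_secrets(workload):
    """Map file name -> Vault path for every agent-inject-secret-* annotation."""
    ann = pod_annotations(workload)
    return {k[len(SECRET_PREFIX):]: v for k, v in ann.items() if k.startswith(SECRET_PREFIX)}


def mounted_paths(workload):
    """Map the file path Vault Agent will write -> the Vault path it is read from."""
    return {f"{SECRETS_DIR}/{name}": path for name, path in injected_secrets(workload).items()}


def audit_workload(workload):
    """Return a list of findings (strings) for one Deployment or StatefulSet."""
    name = f"{workload['kind']}/{workload['metadata']['name']}"
    ann = pod_annotations(workload)
    findings = []
    if ann.get(INJECT) != "true":
        # Without this annotation the webhook never adds the sidecar at all.
        return [f"{name}: Vault Agent injection is not enabled ({INJECT} != \"true\")"]
    if not ann.get(ROLE):
        findings.append(f"{name}: {ROLE} is empty, so the Kubernetes auth login will fail")
    secrets = injected_secrets(workload)
    for filename in REQUIRED_FILES:
        if filename not in secrets:
            findings.append(f"{name}: no annotation for {SECRETS_DIR}/{filename}")
        elif not secrets[filename]:
            findings.append(f"{name}: empty Vault path for {SECRETS_DIR}/{filename}")
    return findings


def audit_manifest(doc):
    """Audit a kubectl List (or a single object); returns all findings in order."""
    findings = []
    for obj in doc.get("items", [doc]):
        if obj.get("kind") in ("Deployment", "StatefulSet"):
            findings.extend(audit_workload(obj))
    return findings


def _workload(kind, name, annotations):
    return {"kind": kind, "metadata": {"name": name},
            "spec": {"template": {"metadata": {"annotations": annotations}}}}


# Constructed sample: one complete workload, one with an empty role and missing
# files, and one that was never annotated. Not output from a real cluster.
COMPLETE = {INJECT: "true", ROLE: "test-role",
            SECRET_PREFIX + "client.crt": "client/cert/path",
            SECRET_PREFIX + "client.key": "client/key/path",
            SECRET_PREFIX + "server.crt": "server/cert/path",
            SECRET_PREFIX + "server.key": "server/key/path",
            SECRET_PREFIX + "root.crt": "ca/cert/path"}
SAMPLE = {"kind": "List", "items": [
    _workload("Deployment", "release-name-querier", COMPLETE),
    _workload("Deployment", "release-name-distributor",
              {INJECT: "true", ROLE: "", SECRET_PREFIX + "client.crt": "client/cert/path"}),
    _workload("StatefulSet", "release-name-ingester", {}),
]}

if __name__ == "__main__":
    doc = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    problems = audit_manifest(doc)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The check deliberately inspects `spec.template.metadata.annotations` and not the workload's own `metadata.annotations`: the injector is a mutating webhook on Pods, so an annotation placed on the Deployment object itself is silently ignored. The non-zero exit status lets the script gate a CI pipeline that renders the chart with `helm template`.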

For more information about Vault and Vault Agent, see Injecting Vault Secrets Into Kubernetes Pods via a Sidecar.

To configure TLS in Mimir so that its components read the injected files from /vault/secrets/, refer to Securing Grafana Mimir communications with TLS.