
Configure Vault for Redis Dynamic Database Credentials

Check whether the redis-crt secret is present in the vault namespace

CODE
kubectl get secret redis-crt -n vault

If it is not present, copy it from the ef-external namespace. The read-only metadata that kubectl get emits (resourceVersion, uid, creationTimestamp) is stripped so that kubectl create does not reject the object. The Vault server must mount this secret at /vault/userconfig/redis-crt, which is the path the connection configuration below reads the CA certificate from.

CODE
kubectl get secret redis-crt -n ef-external -o yaml \
  | sed 's/namespace: ef-external/namespace: vault/' \
  | sed -E '/^  (resourceVersion|uid|creationTimestamp):/d' \
  | kubectl create -f -

Exec into the vault pod

CODE
kubectl -n vault exec -it vault-0 -- sh

Enable database engine

CODE
vault secrets enable database

Calculate the SHA256 hash of the installed plugin binary. The binary must live in the directory configured as plugin_directory in the Vault server configuration, and Vault refuses to run a plugin whose hash does not match its catalog entry, so the hash has to be recomputed and re-registered whenever the binary is replaced.

CODE
sha256sum /vault/plugins/vault-plugin-database-redis

Result: the command prints the SHA256 hash followed by the file name. Copy the hash.

Register the Plugin

Set a token that is allowed to write to sys/plugins/catalog. The root token works for this one-off step; if you use it, revoke it afterwards (vault token revoke <token>) and use a token with a narrower policy for everything else.

CODE
export VAULT_TOKEN="<YOUR_VAULT_ROOT_TOKEN>"

Register the plugin using the calculated hash

CODE
vault write sys/plugins/catalog/redis-database-plugin-new-test \
    sha_256="<PASTE_YOUR_SHA256_HASH_HERE>" \
    command="vault-plugin-database-redis"

Configure the Redis Connection

CODE
vault write database/config/redis-database \
    plugin_name="redis-database-plugin-new-test" \
    allowed_roles="redis-role" \
    tls="true" \
    ca_cert=@/vault/userconfig/redis-crt/ca.crt \
    host="redis-master-0.redis-headless.ef-external.svc.cluster.local" \
    port="6379" \
    username="superuser" \
    password="Expertflow464"

The superuser password is now stored in Vault's configuration, and it is also in this page and in the shell history of the pod. Once the connection works, rotate it with vault write -f database/rotate-root/redis-database so that only Vault knows the superuser password and nothing outside Vault can use that account.

Raise the TTLs of the database engine. A new mount has default and max lease TTLs of 768h, and a role can never exceed the mount's max-lease-ttl, so the role below (87600h) would be capped at 768h unless the mount is tuned first.

CODE
vault secrets tune -default-lease-ttl=87600h -max-lease-ttl=87600h database/

Create the Redis role. creation_statements is the list of Redis ACL rules applied to every generated user; "+@all" and "~*" grant every command on every key, so narrow them to what the application actually needs outside a lab.

CODE
vault write database/roles/redis-role \
    db_name="redis-database" \
    creation_statements='["+@all", "~*"]' \
    default_ttl="87600h" \
    max_ttl="87600h"

Write a policy for the role. Policy paths are written without a leading slash. Read on transit/export/* lets the holder export transit key material, so keep it only if the application really needs it, and database/creds/* can be narrowed to database/creds/redis-role when this AppRole only uses that one role.

CODE
vault policy write ef-policy - <<EOF
path "transit/export/*" {
  capabilities = ["read"]
}
path "database/creds/*" {
  capabilities = ["read"]
}
EOF

Attach the policy to the AppRole role (expertflow) that the application logs in with. Writing policies replaces the role's whole policy list, so include any policies the role already has.

CODE
vault write auth/approle/role/expertflow policies="ef-policy"

Exit pod

CODE
exit
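As an added worked check (not part of this page or of Expertflow's own tooling), the following script exercises what the steps above set up, end to end: it requests one dynamic credential from database/creds/redis-role, authenticates to Redis with it over TLS, revokes the lease and confirms the same credential is then refused. It assumes vault and redis-cli are on PATH, that VAULT_ADDR and VAULT_TOKEN point at the server with a token allowed to read database/creds/redis-role and to update sys/leases/revoke, and it uses the host, port and CA path from the connection configuration above; the VAULT_BIN and REDIS_CLI variables are an assumption added so the flow can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not code from the Expertflow page or from Vault: issue one
# dynamic Redis credential, prove it authenticates over TLS, revoke its lease,
# and prove the credential is rejected afterwards. Assumes vault and redis-cli
# on PATH and VAULT_ADDR/VAULT_TOKEN set for the real run.
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"        # overridable so the flow can be exercised with a stub
REDIS_CLI="${REDIS_CLI:-redis-cli}"
ROLE_PATH="${ROLE_PATH:-database/creds/redis-role}"
REDIS_HOST="${REDIS_HOST:-redis-master-0.redis-headless.ef-external.svc.cluster.local}"
REDIS_PORT="${REDIS_PORT:-6379}"
CA_CERT="${CA_CERT:-/vault/userconfig/redis-crt/ca.crt}"

# Extract one string field from `vault read -format=json` output without jq.
# Vault pretty-prints its JSON one `"key": "value",` pair per line, which is
# all this needs. Usage: json_field KEY < json
json_field() {
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Request one credential. Every read of database/creds/<role> creates a new
# Redis user, so read the JSON once rather than calling `vault read -field=...`
# three times (that would create three users and three leases).
# Prints: LEASE_ID USERNAME PASSWORD
issue_creds() {
  out=$("$VAULT_BIN" read -format=json "$ROLE_PATH")
  lease=$(printf '%s\n' "$out" | json_field lease_id)
  user=$(printf '%s\n' "$out" | json_field username)
  pass=$(printf '%s\n' "$out" | json_field password)
  if [ -z "$lease" ] || [ -z "$user" ] || [ -z "$pass" ]; then
    echo "could not parse lease_id/username/password from Vault response" >&2
    return 1
  fi
  printf '%s %s %s\n' "$lease" "$user" "$pass"
}

# Authenticate to Redis as the dynamic user and print the identity Redis
# reports. The password travels in REDISCLI_AUTH, not on the command line, so
# it does not show up in `ps` or shell history. Fails if Redis rejects it.
redis_whoami() {
  REDISCLI_AUTH="$2" "$REDIS_CLI" --tls --cacert "$CA_CERT" \
    -h "$REDIS_HOST" -p "$REDIS_PORT" --user "$1" ACL WHOAMI
}

# Revoke the lease; Vault then runs the plugin's revocation step, which deletes
# the Redis user, so the credential stops working before its TTL expires.
revoke_lease() {
  "$VAULT_BIN" lease revoke "$1"
}

verify_dynamic_creds() {
  set -- $(issue_creds)
  [ $# -eq 3 ] || { echo "credential request failed" >&2; return 1; }
  lease=$1 user=$2 pass=$3
  who=$(redis_whoami "$user" "$pass")
  if [ "$who" != "$user" ]; then
    echo "Redis authenticated as '$who', expected dynamic user '$user'" >&2
    return 1
  fi
  revoke_lease "$lease"
  # Same credential again: it must now be refused.
  if redis_whoami "$user" "$pass" >/dev/null 2>&1; then
    echo "user $user still accepted after lease revocation" >&2
    return 1
  fi
  echo "ok: $user issued, authenticated, revoked"
}

# Run the check only when asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--run" ]; then
  verify_dynamic_creds
fi
```

Run it with `sh verify_redis_creds.sh --run` from any host that can reach both Vault and Redis. If the second ACL WHOAMI still succeeds after the revoke, the plugin's revocation step is not deleting users and leases are only expiring by TTL, which is exactly the condition this check exists to catch.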

How to change the TTL of credentials

Exec into the vault pod

CODE
kubectl -n vault exec -it vault-0 -- sh

Update TTLs for the database engine

A role's TTLs are capped at the mount's max-lease-ttl, which is 768h by default, so tune the mount first whenever the role TTLs should exceed 768h. The new values apply to credentials issued or renewed after the change; leases already handed out keep their current expiry until they are renewed.

CODE
vault secrets tune -default-lease-ttl=87600h -max-lease-ttl=87600h database/

Update TTLs for the Redis role

Then rewrite the role with the new default_ttl and max_ttl:

CODE
vault write database/roles/redis-role \
    db_name="redis-database" \
    creation_statements='["+@all", "~*"]' \
    default_ttl="87600h" \
    max_ttl="87600h"
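The reason the mount has to be tuned before the role is that Vault caps a role's TTLs at the mount's max-lease-ttl and treats a role value of 0 as "inherit the mount default". The following added example (not code from this page or from Vault) models those two rules so you can predict the lease a credential will really get, and it includes a check that reads the live mount tuning and role definition and fails when the role asks for more than the mount allows. It assumes vault is on PATH with VAULT_ADDR and VAULT_TOKEN set when check_role_ttls is run against a real server; the VAULT_BIN variable is an assumption added so the check can run against a stub.

```shell
#!/bin/sh
# Added example, not code from the Expertflow page or from Vault: compute the
# TTL a credential will actually receive from mount tuning and role settings,
# and check a live role against its mount. Vault caps a role's max_ttl at the
# mount's max-lease-ttl, and a role value of 0 inherits the mount default;
# those two rules are all this models.
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"   # overridable so the check can run against a stub

# Convert a Vault duration with a single unit ("87600h", "768h", "30m", "600",
# "0"; a bare number is seconds) to seconds. Compound forms such as "1h30m"
# are not handled.
ttl_to_seconds() {
  d=$1
  n=${d%[smhd]}
  u=${d#"$n"}
  case "$n" in ''|*[!0-9]*) echo "bad duration: $d" >&2; return 1 ;; esac
  case "$u" in
    ''|s) echo "$n" ;;
    m) echo $((n * 60)) ;;
    h) echo $((n * 3600)) ;;
    d) echo $((n * 86400)) ;;
  esac
}

# effective_ttls MOUNT_DEFAULT MOUNT_MAX ROLE_DEFAULT ROLE_MAX
# Prints "TTL MAX_TTL" in seconds as Vault will attach them to a new lease.
effective_ttls() {
  mdef=$(ttl_to_seconds "$1"); mmax=$(ttl_to_seconds "$2")
  rdef=$(ttl_to_seconds "$3"); rmax=$(ttl_to_seconds "$4")
  max=$mmax
  if [ "$rmax" -gt 0 ] && [ "$rmax" -lt "$mmax" ]; then max=$rmax; fi   # a role can only lower the cap
  ttl=$mdef
  if [ "$rdef" -gt 0 ]; then ttl=$rdef; fi                               # 0 means "inherit mount default"
  if [ "$ttl" -gt "$max" ]; then ttl=$max; fi                            # the default never exceeds the cap
  echo "$ttl $max"
}

# check_role_ttls ROLE: read the live mount tuning and role definition (both
# report TTLs in seconds) and fail if the role asks for more than the mount
# allows, which is the situation the "tune the mount first" step avoids.
check_role_ttls() {
  role=$1
  mdef=$("$VAULT_BIN" read -field=default_lease_ttl sys/mounts/database/tune)
  mmax=$("$VAULT_BIN" read -field=max_lease_ttl sys/mounts/database/tune)
  rdef=$("$VAULT_BIN" read -field=default_ttl "database/roles/$role")
  rmax=$("$VAULT_BIN" read -field=max_ttl "database/roles/$role")
  want=$(ttl_to_seconds "$rmax")
  set -- $(effective_ttls "$mdef" "$mmax" "$rdef" "$rmax")
  if [ "$want" -gt "$2" ]; then
    echo "WARN: role $role max_ttl=$rmax is capped to ${2}s by the database mount;" \
         "raise it with: vault secrets tune -max-lease-ttl=<ttl> database/" >&2
    return 1
  fi
  echo "$1 $2"
}

# Stand-alone use: sh ttl_check.sh redis-role
if [ "${1:-}" != "" ]; then
  check_role_ttls "$1"
fi
```

With the page's values, effective_ttls 768h 768h 87600h 87600h prints 2764800 2764800 (the role's ten years collapse to the mount's 32 days), while after the tune step effective_ttls 768h 87600h 87600h 87600h prints 315360000 315360000. Running check_role_ttls redis-role after both commands in this section confirms the live configuration matches.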