This solution provides simple and reliable methods to integrate WALLIX Bastion with Kubernetes/OpenShift, without complex external dependencies.
💡 **Self-Signed Certificates:** All examples include the `-k` (insecure) option for `curl`, as WALLIX Bastion uses a self-signed certificate by default. For production, configure a valid certificate or add the CA to the container.
- ✅ Simple: No external operator to install
- ✅ Reliable: Proven and maintainable solutions
- ✅ Secure: Secrets stored in memory, no persistent storage
- ✅ Compatible: Works on OpenShift and vanilla Kubernetes
- ✅ Production-ready: Ready to use immediately
Use case: Retrieve secrets at pod startup
How it works:
- An init container runs before the application
- Retrieves the secret from WALLIX Bastion via API
- Stores the secret in a shared volume (memory)
- The application reads the secret from the volume
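The fetch step of this pattern, written out as an added shell example (this is not the project's own init-container script and not the contents of `examples/init-container-wallix.yaml`). It uses the checkout endpoint and the `X-Auth-User`/`X-Auth-Key` headers documented in this README; the environment variable names `BASTION_URL`, `API_USER`, `API_KEY`, `SECRET_KEY`, `SECRET_FILE` and `CURL_INSECURE`, and the function names, are assumptions:

```shell
#!/bin/sh
# Added example (not the project's script): check one password out of WALLIX
# Bastion at pod startup and write it to a memory-backed emptyDir shared with
# the application container. Variable and function names are assumptions.
set -eu

# A WALLIX key must have exactly three non-empty parts: account@target@domain.
validate_key() {
  key=$1
  case $key in
    *@*@*) ;;                 # at least two '@'
    *) return 1 ;;
  esac
  account=${key%%@*}
  rest=${key#*@}
  target=${rest%%@*}
  domain=${rest#*@}
  case $domain in *@*) return 1 ;; esac   # a third '@' is not allowed
  [ -n "$account" ] && [ -n "$target" ] && [ -n "$domain" ]
}

# Build the checkout URL from the bastion base URL and a validated key.
checkout_url() {
  printf '%s/api/targetpasswords/checkout/%s\n' "${1%/}" "$2"
}

# Pull the "password" field out of the JSON response without jq (init
# container images are often minimal). A password containing a literal
# double quote would need a real JSON parser instead of this sed.
extract_password() {
  printf '%s' "$1" | sed -n 's/.*"password"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Perform the checkout. CURL_INSECURE=1 adds -k for the default self-signed
# certificate (dev/test only); leave it unset once the CA is in the image.
fetch_password() {
  url=$(checkout_url "$BASTION_URL" "$SECRET_KEY")
  set -- -fsS -H "X-Auth-User: $API_USER" -H "X-Auth-Key: $API_KEY" \
         -H "Content-Type: application/json"
  [ "${CURL_INSECURE:-0}" = 1 ] && set -- -k "$@"
  response=$(curl "$@" "$url")
  extract_password "$response"
}

# Write the secret into the shared volume with owner-only permissions.
# The password is never echoed; only the destination path is logged.
store_password() {
  dest=$1
  umask 077
  printf '%s' "$2" > "$dest"
  echo "wrote secret to $dest"
}

main() {
  validate_key "$SECRET_KEY" || { echo "invalid SECRET_KEY, expected account@target@domain" >&2; exit 1; }
  pw=$(fetch_password)
  [ -n "$pw" ] || { echo "empty password in checkout response" >&2; exit 1; }
  store_password "${SECRET_FILE:-/secrets/password}" "$pw"
}

# Run only inside the init container, where the environment is populated;
# sourcing the file elsewhere just defines the functions.
if [ -n "${BASTION_URL:-}" ] && [ -n "${SECRET_KEY:-}" ]; then
  main
fi
```

Mount the same `emptyDir` (`medium: Memory`) at `/secrets` in both containers; the application reads `/secrets/password` once the init container has exited 0. `CURL_INSECURE=1` is the scripted equivalent of the `-k` option used in the manifests and belongs only in dev/test environments.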
File: `examples/init-container-wallix.yaml`

```bash
kubectl apply -f examples/init-container-wallix.yaml
```

Use case: Automatic secret synchronization and rotation
How it works:
- A CronJob runs periodically (e.g., every 15 min)
- Retrieves secrets from WALLIX Bastion
- Creates/updates Kubernetes secrets
- Applications use standard Kubernetes secrets
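The sync loop described above, as an added shell example (it is not the `sync.sh` ConfigMap shipped in `examples/cronjob-wallix-sync.yaml`). It assumes the WALLIX keys arrive in a space-separated `KEYS` variable and the API credentials in `BASTION_URL`, `API_USER` and `API_KEY`; the helper names `secret_name_for`, `checkout`, `upsert_secret` and the `wallix-` Secret name prefix are also assumptions:

```shell
#!/bin/sh
# Added example (not the project's sync.sh): fetch every configured WALLIX key
# and create or update the matching Kubernetes Secret, as a CronJob would.
# KEYS, BASTION_URL, API_USER, API_KEY, NAMESPACE and CURL_INSECURE are assumed.
set -eu

# Kubernetes Secret names must be DNS-1123 subdomains (lower-case letters,
# digits, '-' and '.', at most 253 characters). Derive a safe name from a
# WALLIX key: admin@db-postgres@prod.local -> wallix-admin-db-postgres-prod-local
secret_name_for() {
  key=$1
  account=${key%%@*}; rest=${key#*@}
  target=${rest%%@*};  domain=${rest#*@}
  printf 'wallix-%s-%s-%s\n' "$account" "$target" "$domain" \
    | tr 'A-Z_.' 'a-z--' \
    | sed 's/[^a-z0-9-]/-/g; s/--*/-/g; s/^-//; s/-$//' \
    | cut -c1-253
}

# One checkout against the Bastion API. CURL_INSECURE=1 adds -k for the
# default self-signed certificate (dev/test only).
checkout() {
  key=$1
  set -- -fsS -H "X-Auth-User: $API_USER" -H "X-Auth-Key: $API_KEY"
  [ "${CURL_INSECURE:-0}" = 1 ] && set -- -k "$@"
  curl "$@" "${BASTION_URL%/}/api/targetpasswords/checkout/$key" \
    | sed -n 's/.*"password"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Idempotent create-or-update: render the Secret with a client-side dry run
# and apply it, so a rotated password replaces the old value in place.
# The password is fed through stdin so it never appears in the process list.
upsert_secret() {
  name=$1
  printf '%s' "$2" | kubectl create secret generic "$name" \
    --namespace "${NAMESPACE:-default}" \
    --from-file=password=/dev/stdin \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Sync every key in KEYS, failing the Job on the first error so the failure
# shows up in the CronJob's history instead of being silently skipped.
sync_all() {
  for key in $KEYS; do
    name=$(secret_name_for "$key")
    pw=$(checkout "$key")
    [ -n "$pw" ] || { echo "no password returned for $key" >&2; return 1; }
    upsert_secret "$name" "$pw"
    echo "synced $key -> secret/$name"
  done
}

# Run only when the CronJob environment is present; otherwise just define helpers.
if [ -n "${KEYS:-}" ] && [ -n "${BASTION_URL:-}" ]; then
  sync_all
fi
```

`secret_name_for` lower-cases the key and replaces `_`, `.` and anything else outside `[a-z0-9-]`, so a key such as `Root@MySQL_Server@staging.local` still yields a valid Secret name. Because `kubectl apply` reads the existing object before patching it, the CronJob's service account needs `get` and `patch` on secrets in addition to the `create` permission the README's `kubectl auth can-i` check covers.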
File: `examples/cronjob-wallix-sync.yaml`

```bash
kubectl apply -f examples/cronjob-wallix-sync.yaml
```

Prerequisites:

- Functional Kubernetes/OpenShift cluster
- Network access to WALLIX Bastion
- WALLIX API key with checkout permissions
```bash
# Create secret with WALLIX API credentials
kubectl create secret generic wallix-api-credentials \
  --from-literal=api-user='admin' \
  --from-literal=api-key='YOUR_WALLIX_API_KEY' \
  -n default
```

Init container quick start:

```bash
# 1. Edit the file examples/init-container-wallix.yaml
# Replace:
#   - your-bastion.example.com → Your WALLIX Bastion URL
#   - admin@db-postgres@prod.local → Your key (format: account@target@domain)
# 2. Apply
kubectl apply -f examples/init-container-wallix.yaml
# 3. Verify
kubectl get pods
kubectl logs <pod-name> -c fetch-wallix-password
```

CronJob quick start:

```bash
# 1. Edit the file examples/cronjob-wallix-sync.yaml
# Replace:
#   - your-bastion.example.com → Your WALLIX Bastion URL
#   - WALLIX keys in the ConfigMap sync.sh
# 2. Apply
kubectl apply -f examples/cronjob-wallix-sync.yaml
# 3. Test manually
kubectl create job --from=cronjob/wallix-secret-sync test-sync
kubectl logs -f job/test-sync
# 4. Verify created secrets
kubectl get secrets
```

WALLIX key format: `account@target@domain`
Examples:

```text
admin@db-postgres@prod.local
root@mysql-server@staging.local
apiuser@external-api@prod.local
deploy@gitserver@dev.local
```

API endpoint:

```http
GET /api/targetpasswords/checkout/{account}@{target}@{domain}
```

Headers:

```http
X-Auth-User: <api-username>
X-Auth-Key: <your-api-key>
Content-Type: application/json
```

Response:

```json
{
  "password": "the-password"
}
```

Test script (configuration file):

```bash
# Copy the example
cp scripts/wallix-config.env.example scripts/wallix-config.env
# Edit with your values
vi scripts/wallix-config.env
# Test
./scripts/test-wallix-api.sh scripts/wallix-config.env
```

Test script (environment variables):

```bash
BASTION_URL="https://bastion.example.com" \
API_USER="admin" \
API_KEY="your-key" \
SECRET_KEY="admin@server@domain" \
./scripts/test-wallix-api.sh
```

Test script (interactive):

```bash
./scripts/test-wallix-api.sh
# The script will prompt for each value
```

| Feature | Init Container | CronJob |
|---|---|---|
| Use Case | Secret at pod startup | Periodic rotation |
| Complexity | Low | Medium |
| Rotation | Manual (pod restart) | Automatic |
| Dependencies | None | kubectl |
| Network | At startup only | Periodic |
| Best for | Static apps | Dynamic secrets |
Troubleshooting the init container:

```bash
# 1. Verify API key
kubectl get secret wallix-api-credentials -o jsonpath='{.data.api-key}' | base64 -d
# 2. Test API manually (key format: account@target@domain)
curl -k -v \
  -H "X-Auth-User: $(kubectl get secret wallix-api-credentials -o jsonpath='{.data.api-user}' | base64 -d)" \
  -H "X-Auth-Key: $(kubectl get secret wallix-api-credentials -o jsonpath='{.data.api-key}' | base64 -d)" \
  "https://bastion.example.com/api/targetpasswords/checkout/account@target@domain"
# 3. View init container logs
kubectl logs <pod-name> -c fetch-wallix-password
kubectl describe pod <pod-name>
```

Troubleshooting the CronJob:

```bash
# Verify CronJob
kubectl get cronjob wallix-secret-sync
kubectl describe cronjob wallix-secret-sync
# Force manual execution
kubectl create job --from=cronjob/wallix-secret-sync manual-test
kubectl logs -f job/manual-test
# Verify RBAC permissions
kubectl auth can-i create secrets --as=system:serviceaccount:default:wallix-secret-sync
```

Certificate errors (self-signed certificate):

```bash
# Add -k option to curl in manifests
curl -k -H "X-Auth-User: ..." -H "X-Auth-Key: ..." "https://..."
# Or add CA to container (recommended for production)
```

Project structure:

```text
WALLIX_Simple_Integration/
├── README.md                        # This file
├── examples/
│   ├── init-container-wallix.yaml   # Init container pattern
│   ├── cronjob-wallix-sync.yaml     # CronJob synchronization
│   └── test-wallix-connection.yaml  # Connection test pod
└── scripts/
    ├── README.md                    # Scripts documentation
    ├── test-wallix-api.sh           # API test script
    ├── deploy-init-container.sh     # Automated deployment
    └── wallix-config.env.example    # Configuration template
```

Security:

- ✅ Secrets stored in memory (`emptyDir` with `medium: Memory`)
- ✅ No persistent storage of passwords
- ✅ Kubernetes RBAC for secret access
- ✅ API credentials in Kubernetes secrets
- ⚠️ Use `-k` only for dev/test (self-signed certs)
- ✅ For production: Configure valid certificates

Production recommendations:

- Certificates: Use valid TLS certificates (remove `-k`)
- RBAC: Limit service account permissions
- Rotation: Configure appropriate CronJob schedule
- Monitoring: Add health checks and alerts
- Backup: Document credential recovery procedures
Contributions are welcome! Please ensure:
- All examples use generic/template values
- Documentation is in English
- Code follows Kubernetes best practices
- Never commit real credentials
This project is part of the WALLIX Automation Showroom.