This guide will help you deploy the WALLIX Simple Integration on your OpenShift/Kubernetes lab.
Prerequisites:

- OpenShift/Kubernetes cluster access
  - `oc` CLI tool installed (for OpenShift), or
  - `kubectl` CLI tool installed (for Kubernetes)
  - Logged in to your cluster
- WALLIX Bastion
  - WALLIX Bastion accessible from your cluster
  - API user with checkout permissions
  - API key generated
- Network connectivity
  - Cluster can reach WALLIX Bastion (typically HTTPS/443)
Configure the integration:

```bash
cd Docker_k8s_openshift/Openshift/WALLIX_Simple_Integration/scripts

# Copy the example config
cp wallix-config.env.example wallix-config.env

# Edit with your WALLIX Bastion details
nano wallix-config.env   # or vim, vi, code, etc.
```

Required configuration in `wallix-config.env`:

```bash
# Your WALLIX Bastion URL
BASTION_URL="https://your-bastion.example.com"

# API credentials
API_USER="admin"
API_KEY="your-actual-api-key-here"

# Secret to retrieve (format: account@target@domain)
SECRET_KEY="admin@myserver@production.local"
```

Keep `wallix-config.env` out of version control: it holds a live API key.

Then run the deployment script:

```bash
./deploy-lab.sh
```

The script will:
- ✅ Check cluster connectivity
- ✅ Validate WALLIX Bastion access
- ✅ Test API credentials
- ✅ Let you choose deployment type
- ✅ Deploy to your cluster
The script will ask you to select:

Option 1: Init Container (Recommended)
- Fetches the secret at pod startup, before the application container runs
- Stores it in an in-memory volume shared with the application; nothing is written to disk or to the Kubernetes API
- Best for most use cases

Option 2: CronJob Sync
- Periodic secret synchronization
- Good for automatic secret rotation
- Creates Kubernetes secrets, so the values also live in etcd and are readable by anyone with `get` on secrets in the namespace

Option 3: Test Connection
- Just tests WALLIX connectivity
- No application deployed
If you prefer manual deployment:

```bash
# Create the namespace
kubectl create namespace wallix-demo
# or for OpenShift:
oc new-project wallix-demo

# Store the API credentials in a Kubernetes secret
kubectl create secret generic wallix-api-credentials \
  --from-literal=api-user='admin' \
  --from-literal=api-key='YOUR_API_KEY' \
  -n wallix-demo

# Edit the example file first
nano ../examples/init-container-wallix.yaml
# Update these values:
# - your-bastion.example.com → Your Bastion URL
# - admin@db-postgres@prod.local → Your secret key

# Apply
kubectl apply -f ../examples/init-container-wallix.yaml -n wallix-demo

# Check pods
kubectl get pods -n wallix-demo

# View init container logs
kubectl logs -n wallix-demo <pod-name> -c fetch-wallix-password

# View application logs
kubectl logs -n wallix-demo <pod-name> -c app
```

Note that an API key passed with `--from-literal` ends up in your shell history; clear the history afterwards or use `--from-file` instead.

Verify the deployment:

```bash
kubectl get pods -n wallix-demo
```

Expected output:

```
NAME                                       READY   STATUS    RESTARTS   AGE
app-with-wallix-secrets-xxxxxxxxxx-xxxxx   1/1     Running   0          30s
```

```bash
POD_NAME=$(kubectl get pods -n wallix-demo -l app=myapp -o jsonpath='{.items[0].metadata.name}')
kubectl logs -n wallix-demo $POD_NAME -c fetch-wallix-password
```

Expected output:

```
Fetching password from WALLIX Bastion...
Password successfully fetched and stored
```

```bash
# Exec into the pod and check the secret file
kubectl exec -it -n wallix-demo $POD_NAME -- cat /secrets/database-password
```
Troubleshooting:

Symptoms: the init container cannot connect to the Bastion (connection timeout, connection refused, or DNS resolution error).

```bash
# Test connectivity from a pod
kubectl run -it --rm test --image=curlimages/curl -n wallix-demo -- \
  curl -k https://your-bastion.example.com
```

The `-k` here is only for a reachability test: it disables certificate verification, so do not carry it over into the init container.

Solutions:
- Verify Bastion URL
- Check network policies
- Verify firewall rules
- Check DNS resolution

Symptoms:
```
ERROR: Failed to fetch password
HTTP 401 Unauthorized
```
Solutions:
- Verify API_USER in secret
- Verify API_KEY in secret
- Check user has checkout permissions in WALLIX
- Regenerate API key if needed

Symptoms:
```
ERROR: Failed to fetch password
HTTP 404 Not Found
```
Solutions:
- Verify secret key format: account@target@domain
- Check the account exists in WALLIX
- Check the target exists in WALLIX
- Check the domain exists in WALLIX
- Verify user has access to this account

Debugging the init container:

```bash
# View detailed init container status
kubectl describe pod -n wallix-demo $POD_NAME

# Check events
kubectl get events -n wallix-demo --sort-by='.lastTimestamp'

# Check if jq is available in the init container
kubectl exec -it -n wallix-demo $POD_NAME -c fetch-wallix-password -- jq --version
```

If jq is missing from the init container image, the JSON reply from the Bastion API cannot be parsed and the password extraction fails even though the HTTP request succeeded. Exec only works while the init container is still running (for example stuck in a retry loop); once it has exited, run the same image locally to check for jq.
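The following is an added example, not the project's own init-container script: it shows what the fetch step of Option 1 does and how the 401/404 cases from the troubleshooting section are reported. Everything about the WALLIX side is an assumption: the REST path in `WALLIX_API_PATH`, the `X-Auth-User`/`X-Auth-Key` headers and the `password` field in the JSON reply must be replaced with what the API documentation of your Bastion version specifies. `BASTION_URL`, `API_USER`, `API_KEY` and `SECRET_KEY` are assumed to arrive as environment variables (the credentials via `secretKeyRef` from `wallix-api-credentials`), and `/secrets` is assumed to be the `emptyDir` with `medium: Memory` shared with the application container.

```shell
#!/bin/sh
# Added example: the fetch step of a WALLIX init container (not the project's script).
# Assumptions (not from the page): env vars BASTION_URL, API_USER, API_KEY, SECRET_KEY;
# WALLIX_API_PATH, the X-Auth-* headers and the "password" JSON field are placeholders
# to be set from the Bastion REST API documentation for your version.
set -eu

WALLIX_API_PATH="${WALLIX_API_PATH:-/api/targetpasswords/checkout}"   # assumption
OUTPUT_FILE="${OUTPUT_FILE:-/secrets/database-password}"            # tmpfs-backed emptyDir
# For a private CA, set CURL_CA_BUNDLE=/path/to/wallix-ca.crt in the pod spec; curl honours it.

# Reject anything that is not exactly account@target@domain with non-empty parts
# before touching the network; a malformed key would otherwise only show up as a 404.
validate_secret_key() {
    case "$1" in
        @*|*@|*@@*|*@*@*@*) ;;      # empty component or too many '@'
        *@*@*) return 0 ;;
    esac
    echo "ERROR: SECRET_KEY must be account@target@domain, got '$1'" >&2
    return 1
}

# GET the URL; print the body followed by the HTTP status code on its own line.
# Kept separate so an offline test can substitute a stub. No -k: with TLS
# verification off, the API key and the password go to whoever answers.
http_get() {
    curl --silent --show-error --write-out '\n%{http_code}' \
        -H "X-Auth-User: ${API_USER}" -H "X-Auth-Key: ${API_KEY}" "$1"
}

# Pull the password out of the JSON body. jq is the intended parser; the sed
# fallback copes only with a flat, unescaped string value.
extract_password() {
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq -r '.password // empty'
    else
        printf '%s' "$1" | sed -n 's/.*"password"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
    fi
}

# Fetch one secret; prints the password on success, an actionable error on failure.
fetch_password() {
    key="$1"
    validate_secret_key "$key" || return 1
    response=$(http_get "${BASTION_URL:-}${WALLIX_API_PATH}/${key}") \
        || { echo "ERROR: could not connect to ${BASTION_URL:-<unset>}" >&2; return 1; }
    status=$(printf '%s\n' "$response" | tail -n 1)
    body=$(printf '%s\n' "$response" | sed '$d')
    case "$status" in
        200) ;;
        401) echo "ERROR: Failed to fetch password" >&2
             echo "HTTP 401 Unauthorized: check api-user/api-key in wallix-api-credentials and the user's checkout permission" >&2
             return 1 ;;
        404) echo "ERROR: Failed to fetch password" >&2
             echo "HTTP 404 Not Found: account, target or domain in '$key' is unknown or not visible to this API user" >&2
             return 1 ;;
        *)   echo "ERROR: Failed to fetch password (HTTP $status)" >&2
             return 1 ;;
    esac
    password=$(extract_password "$body")
    if [ -z "$password" ]; then
        echo "ERROR: reply carried no password field (is jq present in the image?)" >&2
        return 1
    fi
    printf '%s' "$password"
}

# Write into the in-memory volume: created 0600 via umask, tightened to 0400,
# then renamed into place so the app container never reads a half-written file.
store_password() {
    dest="$1"
    ( umask 077; printf '%s' "$2" > "${dest}.tmp" )
    chmod 0400 "${dest}.tmp"
    mv "${dest}.tmp" "$dest"
}

require_env() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then echo "ERROR: $name is not set" >&2; exit 1; fi
    done
}

main() {
    require_env BASTION_URL API_USER API_KEY SECRET_KEY
    echo "Fetching password from WALLIX Bastion..."
    password=$(fetch_password "$SECRET_KEY")      # set -e: a failure exits the init container
    store_password "$OUTPUT_FILE" "$password"
    echo "Password successfully fetched and stored"
}

# Run only when the init container's environment is present; otherwise just define the functions.
if [ -n "${SECRET_KEY:-}" ]; then main; fi
```

The file is written 0400, so the application container has to run as the same `runAsUser` as the init container (or the mode relaxed to 0440 with a shared `fsGroup`). A non-zero exit keeps the pod in `Init:Error`, which is exactly where `kubectl logs -c fetch-wallix-password` shows the message above.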
Located in examples/init-container-wallix.yaml:

- Simple single secret
  - One init container
  - One database password
  - Basic setup
- Multiple secrets
  - Multiple init containers
  - Database password + API key
  - Advanced setup

Located in examples/cronjob-wallix-sync.yaml:

- Runs every 15 minutes (customizable)
- Syncs multiple secrets
- Creates Kubernetes secrets
- Applications use standard secret mounts

Located in examples/test-wallix-connection.yaml:

- Simple test pod
- Validates API connectivity
- Shows secret retrieval
- No persistent deployment
Security best practices:

- Use Network Policies
  - Limit which pods can reach the WALLIX Bastion:
    ```bash
    kubectl apply -f network-policy.yaml
    ```
- Use RBAC
  - Limit who can read the `wallix-api-credentials` secret. Scope the role to that one secret; a plain `--resource=secrets` role grants `get` on every secret in the namespace:
    ```bash
    kubectl create role secret-reader --verb=get --resource=secrets \
      --resource-name=wallix-api-credentials -n wallix-demo
    ```
- Use memory volumes
  - The init container examples use `emptyDir` with `medium: Memory`, so secrets never touch disk
- Rotate API keys regularly
  - Update the secret in place:
    ```bash
    kubectl create secret generic wallix-api-credentials ... --dry-run=client -o yaml | kubectl apply -f -
    ```
  - Containers that receive the credentials through environment variables only see the new value after a restart; revoke the old key in WALLIX once they have been restarted
- Use valid TLS certificates
  - Remove the `-k` flag from curl commands: with `-k`, the API key and the retrieved password are sent to whatever answers at the Bastion URL
  - Add the WALLIX CA to the container image (or mount it and point curl at it with `--cacert`)
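The two manifests behind the first two best practices, as an added example rather than the project's own `network-policy.yaml`, rendered by shell functions so the same file can be inspected or applied. Assumed values, none of them from the page: namespace `wallix-demo`, pod label `app=myapp`, the Bastion at 203.0.113.10 (a documentation address), cluster DNS in `kube-system`, and a `wallix-operators` group as the only human principal allowed to read the API key.

```shell
#!/bin/sh
# Added example (not the project's network-policy.yaml): egress allow-list and
# single-secret RBAC for the init-container pattern. All names below are assumptions.
set -eu

NAMESPACE="${NAMESPACE:-wallix-demo}"
APP_LABEL="${APP_LABEL:-myapp}"
BASTION_IP="${BASTION_IP:-203.0.113.10}"
DNS_NAMESPACE="${DNS_NAMESPACE:-kube-system}"     # openshift-dns on OpenShift
READER_GROUP="${READER_GROUP:-wallix-operators}"

# Egress allow-list for the app pods: the Bastion on 443 and cluster DNS on 53,
# nothing else. Without the DNS rule the init container cannot resolve the
# Bastion hostname and the fetch fails with a connection error.
render_network_policy() {
cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-wallix-bastion
  namespace: ${NAMESPACE}
spec:
  podSelector:
    matchLabels:
      app: ${APP_LABEL}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: ${BASTION_IP}/32
      ports:
        - protocol: TCP
          port: 443
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${DNS_NAMESPACE}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
EOF
}

# Read access to exactly one secret. A role built with only
# --verb=get --resource=secrets would grant get on every secret in the
# namespace; resourceNames pins it to wallix-api-credentials. The pod itself
# needs no RBAC for this: it receives the values through secretKeyRef.
render_rbac() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wallix-credentials-reader
  namespace: ${NAMESPACE}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["wallix-api-credentials"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wallix-credentials-reader
  namespace: ${NAMESPACE}
subjects:
  - kind: Group
    name: ${READER_GROUP}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: wallix-credentials-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

apply_hardening() {
    render_network_policy | kubectl apply -f -
    render_rbac | kubectl apply -f -
}

# "sh harden.sh apply" applies to the current cluster; with no argument the
# script only defines the functions, e.g. for "render_network_policy | less".
if [ "${1:-}" = "apply" ]; then apply_hardening; fi
```

`resourceNames` constrains `get`, `update` and `delete` but not `list` or `watch`, so anyone who also holds `list` on secrets in the namespace still sees every secret; keep `list` out of the role. On OpenShift set `DNS_NAMESPACE=openshift-dns`, and if the Bastion sits behind a load balancer use that address in `BASTION_IP`.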
For issues or questions:
- Check the troubleshooting section above
- Review WALLIX Bastion logs
- Check Kubernetes/OpenShift events and logs
- Contact WALLIX support
After successful deployment:

- Customize for your application
  - Edit deployment YAML
  - Add your application container
  - Configure environment variables
- Add more secrets
  - Add more init containers
  - Retrieve multiple passwords
  - Store in separate files
- Implement secret rotation
  - Use CronJob pattern
  - Configure rotation schedule
  - Update application to reload secrets
- Production hardening
  - Use valid TLS certificates
  - Configure network policies
  - Set resource limits
  - Add monitoring and alerting