      In today’s cloud-native world, security isn’t just a checkbox — it’s foundational. When managing business-critical workloads like databases in Kubernetes, particularly with robust platforms such as Fujitsu Enterprise Postgres, ensuring secure access to sensitive information like credentials and TLS certificates is a must. This is where HashiCorp Vault comes into play.

      HashiCorp Vault can be used as a secrets store for Fujitsu Enterprise Postgres for Kubernetes. Separating data and credential management provides more secure and flexible secret handling.

      Secrets stored this way are consumed by Fujitsu Enterprise Postgres via the Secrets Store CSI Driver and the HashiCorp Vault CSI Provider.

      Broadening the capabilities of Fujitsu Enterprise Postgres for Kubernetes

      Fujitsu Enterprise Postgres is a hardened, enterprise-ready distribution of PostgreSQL, offering enhanced features, dedicated support, and additional layers of security and performance tuning. It’s designed for organizations that need reliability and compliance in their database infrastructure — often for mission-critical applications.

      Fujitsu Enterprise Postgres for Kubernetes extends that power into a modern orchestration platform. But with that comes a need to rethink how we manage sensitive data. Kubernetes secrets alone are often not sufficient for organizations with stringent security postures. Enter HashiCorp Vault.

      The problem: Managing secrets securely in Kubernetes

      Kubernetes does provide its own secrets management system — but it has limitations:

      • Secrets are base64-encoded, not encrypted at rest (unless you configure etcd encryption).
      • Access controls can be coarse and hard to audit comprehensively.
      • Secrets are often long-lived, which increases the risk if they’re ever leaked.

      For an enterprise database like Fujitsu Enterprise Postgres, where you're managing credentials, certificates, and potentially regulatory data, these shortcomings can be risky.

      The solution: HashiCorp Vault

      HashiCorp Vault is a secrets management system purpose-built for dynamic, secure storage and access to sensitive data. HashiCorp Vault brings a number of advantages:

      • Strong access controls using policies and identity-based authentication.
      • Auditability of secret access and usage.
      • Support for secret rotation and revocation.
      • Integration with Kubernetes via CSI Drivers, allowing secrets to be securely injected into pods without storing them in etcd.

      Demo: Integrating Fujitsu Enterprise Postgres for Kubernetes with HashiCorp Vault

      To demonstrate how to enhance the security of Fujitsu Enterprise Postgres running on a Kubernetes cluster by integrating it with HashiCorp Vault, we created a demo (see below). We walk through the process of securely storing and retrieving sensitive information like database credentials and TLS certificates from HashiCorp Vault, enabling Fujitsu Enterprise Postgres to consume them seamlessly via the Secrets Store CSI Driver and the Vault CSI Provider.

      In our demo, we used HashiCorp Vault to store:

      • Postgres usernames and passwords
      • TLS certificates for encrypted traffic within the Kubernetes cluster

      The goal? To ensure that Fujitsu Enterprise Postgres consumes secrets securely at runtime, with no hardcoded credentials or risk-prone configurations.

      How it works: High-level architecture

      Here’s a quick overview of the setup:

      1. HashiCorp Vault server installation
        We installed HashiCorp Vault on a virtual machine outside the Kubernetes cluster — a common approach in enterprises to isolate HashiCorp Vault from cluster-level failures.
      2. CSI Driver and Vault provider setup
        The Kubernetes cluster (OpenShift in our case) was configured with the Secrets Store CSI Driver and the Vault CSI Provider. This allows Kubernetes pods to fetch secrets from HashiCorp Vault at runtime.
      3. Authentication and policies
        A Kubernetes service account was granted access via Vault's Kubernetes authentication method. Policies were defined to limit access to the specific secrets required by the Fujitsu Enterprise Postgres cluster.
      4. Secret injection at runtime
        When deploying the Fujitsu Enterprise Postgres cluster, we configured it to fetch secrets directly from HashiCorp Vault using the CSI driver. Secrets like database credentials and certificates were mounted securely into the pods at runtime — never stored in plaintext in etcd or the container images.

      A word about TLS certificates

      One nuance worth highlighting: While HashiCorp Vault offers a powerful PKI engine, in this use case, we didn’t use it to generate TLS certificates.

      Why? Because the PKI engine does not store private keys, which are required by Fujitsu Enterprise Postgres for Kubernetes to function properly. So, we created a self-signed RSA 4096-bit certificate, including Subject Alternative Names (SANs) for all exposed services, and stored the concatenated certificate and private key in HashiCorp Vault manually.

      This approach balances control and security, especially for clusters that need end-to-end TLS.
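The certificate work described above, as an added example that is not part of the original post: it builds the self-signed RSA 4096-bit certificate with SANs, concatenates certificate and key into the single PEM bundle that goes into Vault, and checks the bundle before it is stored. It assumes `openssl` is installed; the service names, namespace and paths are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build the self-signed RSA 4096-bit
# bundle described above, with SANs for every exposed service, and verify it
# before it is stored in Vault. Service and namespace names are assumptions.
set -euo pipefail

# Constructed SAN list for a cluster "fep" in namespace "fep": each exposed
# service by short name, namespace-qualified name and cluster FQDN.
FEP_SANS="DNS:fep-primary-svc,DNS:fep-primary-svc.fep.svc,DNS:fep-primary-svc.fep.svc.cluster.local"
FEP_SANS="$FEP_SANS,DNS:fep-replica-svc,DNS:fep-replica-svc.fep.svc,DNS:fep-replica-svc.fep.svc.cluster.local"

# make_bundle OUTDIR: writes key, certificate and the concatenated PEM that
# goes into Vault (certificate first, then the unencrypted private key).
make_bundle() {
  local out="$1"
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 -sha256 \
    -subj "/CN=fep-primary-svc.fep.svc" -addext "subjectAltName=${FEP_SANS}" \
    -keyout "$out/tls.key" -out "$out/tls.crt" 2>/dev/null
  cat "$out/tls.crt" "$out/tls.key" > "$out/tls-bundle.pem"
  chmod 600 "$out/tls.key" "$out/tls-bundle.pem"   # the bundle is secret material
}

# check_bundle BUNDLE SAN: succeeds only if BUNDLE holds a certificate and a
# private key that belong together, and the certificate lists SAN as a DNS name.
check_bundle() {
  local bundle="$1" san="$2" cert_pub key_pub
  grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" || return 1
  grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$bundle" || return 1
  # Compare the public key embedded in the certificate with the one derived
  # from the private key block; a mismatch means the pair was mixed up.
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$bundle" \
    | openssl pkey -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$bundle" -noout -ext subjectAltName | grep -qE "DNS:${san}"'(,|$)'
}
```

Run `make_bundle ./out` and then `check_bundle ./out/tls-bundle.pem <service-fqdn>` for each name a client will connect to; only a bundle that passes should be written to Vault.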

      Deployment recap: Bringing it all together

      Once everything was in place, deploying the Fujitsu Enterprise Postgres cluster was straightforward:

      • Define the HashiCorp Vault integration in the YAML spec for the Fujitsu Enterprise Postgres cluster.
      • Set the role, provider, and HashiCorp Vault address.
      • Specify the secret paths for credentials and certificates.
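The Vault side of steps 3 and 4 of the architecture above, and the Kubernetes object behind the three deployment steps just listed, as an added example that is not from the post and is not the Fujitsu operator's own YAML: a read-only policy scoped to two KV v2 paths, the Kubernetes auth role bound to one service account, and the SecretProviderClass that the Vault CSI Provider mounts. Vault address, secret paths, role, namespace and service-account names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the post's or the Fujitsu operator's code): Vault-side auth and
# policy, plus the SecretProviderClass for the Vault CSI provider. Names are assumed.
set -euo pipefail
VAULT_ADDR="https://vault.example.internal:8200"   # hypothetical VM outside the cluster
FEP_NS="fep"; FEP_SA="fep-vault-sa"; VAULT_ROLE="fep-role"

# Least-privilege policy: read-only, and only the two KV v2 paths the cluster needs.
fep_policy() {
  cat <<'EOF'
path "secret/data/fep/db"  { capabilities = ["read"] }
path "secret/data/fep/tls" { capabilities = ["read"] }
EOF
}

# Vault side, run once with an authenticated vault CLI. K8S_HOST, REVIEWER_JWT, K8S_CA
# (API server URL, token-reviewer token, cluster CA file) and DB_USER/DB_PASS are supplied by the operator.
configure_vault() {
  vault auth enable kubernetes
  vault write auth/kubernetes/config kubernetes_host="$K8S_HOST" \
    token_reviewer_jwt="$REVIEWER_JWT" kubernetes_ca_cert=@"$K8S_CA"
  fep_policy | vault policy write fep-policy -
  vault write "auth/kubernetes/role/$VAULT_ROLE" \
    bound_service_account_names="$FEP_SA" \
    bound_service_account_namespaces="$FEP_NS" policies=fep-policy ttl=1h
  vault kv put secret/fep/db username="$DB_USER" password="$DB_PASS"
  vault kv put secret/fep/tls bundle=@tls-bundle.pem   # cert + key from the TLS step
}

# Kubernetes side: objects the CSI driver mounts into the pod, and the two
# keys it also syncs into a Kubernetes Secret for consumers that need one.
spc_manifest() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata: {name: fep-vault, namespace: $FEP_NS}
spec:
  provider: vault
  parameters:
    vaultAddress: "$VAULT_ADDR"
    roleName: "$VAULT_ROLE"
    objects: |
      - {objectName: "username", secretPath: "secret/data/fep/db", secretKey: "username"}
      - {objectName: "password", secretPath: "secret/data/fep/db", secretKey: "password"}
      - {objectName: "tls-bundle.pem", secretPath: "secret/data/fep/tls", secretKey: "bundle"}
  secretObjects:
    - secretName: fep-db-credentials
      type: Opaque
      data:
        - {objectName: username, key: username}
        - {objectName: password, key: password}
EOF
}
```

The role's `bound_service_account_namespaces` and the policy's two paths are what keep a compromised pod elsewhere in the cluster from reading these secrets; `spc_manifest | kubectl apply -f -` creates the object the cluster spec then references.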

      Upon deployment:

      • The Fujitsu Enterprise Postgres pod initializes and fetches secrets from HashiCorp Vault.
      • The database starts with the correct credentials and certificate.
      • No secrets are hardcoded, exposed, or leaked in the cluster.

      We verified this by logging into the HashiCorp Vault UI to confirm the secret values, and then tested database login using the injected credentials. It worked exactly as expected — secure, repeatable, and auditable.

      Why is HashiCorp Vault crucial for protecting Fujitsu Enterprise Postgres for Kubernetes?

      Running Fujitsu Enterprise Postgres for Kubernetes provides numerous advantages, including scalability and operational efficiency. However, managing sensitive credentials like database usernames, passwords, and TLS certificates within a Kubernetes environment can introduce complexities and potential security risks if not handled correctly. This is where HashiCorp Vault steps in as a powerful solution:

      • Centralized Secret Management: Vault provides a single, auditable location to store, access, and manage all your secrets. This eliminates the need to hardcode sensitive information in application configurations or Kubernetes manifests, significantly reducing the attack surface.
      • Enhanced Security: Vault encrypts secrets at rest and in transit, ensuring that sensitive data is protected from unauthorized access. Its robust authentication and authorization mechanisms allow you to precisely control which applications and users can access specific secrets.
      • Dynamic Secret Generation: Vault can generate dynamic secrets on demand, such as temporary database credentials. This reduces the risk associated with long-lived static secrets and simplifies the process of rotating credentials.
      • Simplified Secret Consumption: By leveraging the Secrets Store CSI Driver and the HashiCorp Vault CSI Provider, Fujitsu Enterprise Postgres for Kubernetes can seamlessly consume secrets stored in Vault. This eliminates the need for manual secret retrieval and management within your application deployments. As shown in the demo, the CSI driver dynamically fetches the necessary credentials and makes them available as Kubernetes secrets, which Fujitsu Enterprise Postgres can then utilize.
      • Secure TLS Configuration: Protecting communication with your Fujitsu Enterprise Postgres cluster using TLS is vital. Vault can securely store and manage TLS certificates, as demonstrated in the video where a certificate with Subject Alternative Names (SANs) for the Fujitsu Enterprise Postgres services was created and stored in Vault. While the demo highlighted a self-signed certificate for simplicity, in production environments you would typically integrate with a trusted Certificate Authority.
      • Audit Logging: Vault maintains a detailed audit log of all secret access and management operations. This provides valuable insights for security monitoring and compliance purposes.

       Final thoughts

      Integrating HashiCorp Vault with your Fujitsu Enterprise Postgres deployments on Kubernetes is a significant step towards enhancing the security and operational efficiency of your database infrastructure. By centralizing secret management, enforcing robust access controls, and simplifying secret consumption, HashiCorp Vault empowers enterprises to protect their sensitive data effectively in dynamic Kubernetes environments.

      Explore the capabilities of HashiCorp Vault further by checking their website. By leveraging the power of HashiCorp Vault alongside Fujitsu Enterprise Postgres for Kubernetes, you can ensure a more secure and resilient foundation for your business-critical applications.


      Topics: Database security, Fujitsu Enterprise Postgres, Cloud journey, Data management, Kubernetes, Cloud native, DevSecOps

      Zeus Ng
      Senior Manager PostgreSQL-based Solutions
      Zeus Ng is a seasoned technology leader with extensive experience in cloud native architecture.
      Currently working as a Senior Manager at Fujitsu, Zeus has a proven track record of driving innovation and excellence in the tech industry. His expertise spans across various roles, including his previous positions at HP and the NSW Department of Education and Training.
      Zeus is known for his strategic vision, technical acumen, and commitment to delivering high-quality solutions that meet the evolving needs of businesses.