App owner: Set up workloads in Kubernetes

This section describes how to set up your workloads in Kubernetes so that they can retrieve secrets from Conjur.

For a comparison of the available methods for authenticating Kubernetes workloads to Conjur, see Authentication methods: certificate-based vs JWT -based

Secret retrieval methods for Kubernetes workloads

Kubernetes workloads can use the following methods to retrieve secrets:

Secrets retrieved from	Method	Description
Kubernetes secrets or share volume file	Secrets Provider for Kubernetes	The Secrets Provider for Kubernetes populates Kubernetes Secrets or a shared volume file with secrets stored and managed in Conjur. For more information, see CyberArk Secrets Provider for Kubernetes.
Environment variables	Kubernetes Authenticator Client	Using Conjur client libraries Ruby (v5.3.1) Go (v0.5.0) Java (v2.0.0) .NET (v1.4.0)
		Using the Conjur REST API The workload can use the access token provided by the authenticator to retrieve secrets from the Conjur REST API. For more information, see Authenticate using REST APIs.
		Using Summon, CyberArk Conjur Open Source tool used to retrieve secrets from Conjur and push values into environment variables or a volume mount. On application startup, Summon waits for the sidecar to provide an access token for authentication with Conjur.