Overview
The Runlayer platform supports automatic fetching of Sentry Relay credentials from WorkOS Vault for both EKS (Helm) and ECS (Terraform) deployments. This eliminates the need to manually manage relay credentials and ensures they are securely retrieved at deployment time.
Deployment Methods:
- EKS/Helm: Uses an init container to fetch credentials on pod startup
- ECS/Terraform: Uses Terraform's external data source to fetch credentials during deployment
How It Works
EKS/Helm Deployments
When `relay.vault.enabled` is set to true, an init container runs before the Sentry Relay starts:
- The init container executes the fetch script from a ConfigMap
- The script fetches relay credentials from WorkOS Vault using the `AUTH_API_KEY` from backend secrets
- Credentials are written as `credentials.json` and `config.yml` to a shared in-memory volume (`emptyDir` at `/.relay`)
- The main relay container starts with the `--config /.relay` flag to read the fetched credentials
- Relay processes telemetry events with the fetched credentials
ECS/Terraform Deployments
Terraform uses an external data source to fetch credentials during the deployment:
- Terraform calls the `vault-fetch-relay.sh` script as an external data source
- The script fetches credentials from WorkOS Vault and returns them as JSON
- Terraform creates ECS task definition environment variables with the credentials
- ECS tasks start with the credentials already configured
Prerequisites
1. WorkOS Vault Setup (Both EKS and ECS)
Ensure your Sentry Relay credentials are stored in WorkOS Vault with the following structure:
Secret Name: `runlayer-sentry-credentials`
Secret Value (JSON):
The `sentry_dsn` field is optional and can be overridden per environment via the `backend.secrets.SENTRY_DSN` value (EKS) or Terraform variables (ECS).
2. Provide WorkOS API Key
Ensure your `backend.secrets.AUTH_API_KEY` is set in your Helm values. The relay init container will automatically use this API key to fetch credentials from WorkOS Vault.
Configuration
EKS/Helm Configuration
In your Helm values file, configure the vault integration:
Deploy with Vault Integration
How the Init Container Works
When a relay pod starts with `relay.vault.enabled: true`:
- ConfigMap Creation: Helm creates a ConfigMap named `<release-name>-relay-fetch-script` containing the fetch script
- Init Container Starts: The init container mounts:
  - The ConfigMap at `/scripts/fetch-relay-credentials.sh` (read-only)
  - An empty memory volume at `/.relay` (read-write)
  - The `backend-secret` to read `AUTH_API_KEY`
- Credential Fetch: The init container executes the script which:
  - Installs `curl`, `jq`, and `ca-certificates` in the Alpine container
  - Fetches credentials from WorkOS Vault using the API key
  - On success: Writes `credentials.json` and `config.yml` to `/.relay`
  - On failure: Writes a minimal `config.yml` only (prevents relay crashes)
- Main Container Starts: After the init container completes:
  - The relay container mounts `/.relay` as read-only
  - Relay starts with the `--config /.relay` flag
  - Relay reads credentials and begins processing events
ECS/Terraform Configuration
In your Terraform configuration, the vault integration is automatic when you provide the WorkOS API key:
Graceful Degradation
EKS/Helm
If credentials are not available in WorkOS Vault:
- The init container exits successfully (exit code 0)
- A minimal `config.yml` is written to the shared volume (prevents relay crashes)
- No credentials are written (relay starts but remains non-functional)
- Relay pods start successfully but cannot process telemetry
- The backend continues to work without Sentry telemetry
ECS/Terraform
If credentials are not available in WorkOS Vault:
- The external data source returns empty values
- Terraform creates the task definition with empty credential environment variables
- ECS tasks start but relay remains non-functional
- The backend continues to work without Sentry telemetry
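The init-container contract described in "How the Init Container Works" together with the EKS graceful-degradation behaviour above, as an added POSIX shell example; this is not the chart's own `fetch-relay-credentials.sh`. The WorkOS Vault request path, the minimal `config.yml` content, and the `VAULT_SECRET_FILE` hook (a local file standing in for the network call so the logic can be exercised offline) are assumptions.

```shell
#!/bin/sh
# Added example modelling the init-container contract; not the chart's own script.
# Assumed: the Vault URL path, the config.yml content, and VAULT_SECRET_FILE (a local-file test hook).
set -u

WORKOS_API_BASE="${WORKOS_API_BASE:-https://api.workos.com}"
WORKOS_VAULT_SECRET_NAME="${WORKOS_VAULT_SECRET_NAME:-runlayer-sentry-credentials}"

# Return the secret value (JSON) on stdout, non-zero on any failure.
fetch_secret() {
  if [ -n "${VAULT_SECRET_FILE:-}" ]; then
    cat "$VAULT_SECRET_FILE"
    return $?
  fi
  # Retries mirror the scripts' curl retry logic; the URL path is a placeholder, not the real API.
  curl --fail --silent --show-error --retry 3 --retry-delay 2 \
    -H "Authorization: Bearer ${WORKOS_API_KEY}" \
    "${WORKOS_API_BASE}/vault/v1/kv/${WORKOS_VAULT_SECRET_NAME}"
}

# Populate the shared volume at $1 (/.relay in the pod). Always returns 0 so the
# init container never blocks the relay pod from starting.
write_relay_config() {
  dir="$1"
  mkdir -p "$dir"
  # Minimal config.yml first (assumed content): relay can boot on it even when
  # credentials never arrive, which is the graceful-degradation path.
  printf 'relay:\n  mode: managed\n' > "$dir/config.yml"
  if [ -z "${WORKOS_API_KEY:-}" ]; then
    echo "WORKOS_API_KEY not found; relay will start without credentials" >&2
    return 0
  fi
  secret=$(fetch_secret) || secret=""
  # Accept only something shaped like a JSON object, and never log the value itself.
  case "$secret" in
    "{"*)
      printf '%s\n' "$secret" > "$dir/credentials.json"
      echo "relay credentials written to $dir" >&2 ;;
    *)
      rm -f "$dir/credentials.json"
      echo "credential fetch failed; relay will start non-functional" >&2 ;;
  esac
  return 0
}

# "credentials" when a non-empty credentials.json exists, otherwise "degraded".
relay_volume_state() {
  if [ -s "$1/credentials.json" ]; then echo credentials; else echo degraded; fi
}
```

Running `write_relay_config /.relay` with no `WORKOS_API_KEY`, with an unreachable Vault, or with a valid secret reproduces the three outcomes the page describes, and `relay_volume_state` tells you which one a pod ended up in.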
Security Considerations
Credential Storage
When `relay.vault.enabled` is true:
- The fetch script is stored in a ConfigMap and mounted into the init container
- Credentials are fetched by an init container on each pod start
- Credentials are written as `credentials.json` and `config.yml` to the `/.relay` directory
- The `/.relay` directory is an in-memory `emptyDir` volume (never written to disk, 1Mi size limit)
- The volume is shared only between the init container and relay container (read-only for relay)
- Credentials are automatically cleared when the pod terminates
- No RBAC permissions required: the init container only writes to the local volume
Network Access
The init container needs network access to reach the WorkOS Vault API at `https://api.workos.com`. Ensure your cluster's network policies allow outbound HTTPS traffic. Because the init container installs `curl`, `jq`, and `ca-certificates` at startup, it also needs egress to the Alpine package repositories.
Troubleshooting
Check Init Container Status
Common Issues
Init Container Fails with “WORKOS_API_KEY not found”
Ensure `AUTH_API_KEY` is set in your `backend.secrets`:
Configuration Reference
EKS/Helm Vault Settings
| Parameter | Description | Default |
|---|---|---|
| `relay.vault.enabled` | Enable automatic credential fetching via init container | `true` |
| `relay.vault.vaultSecretName` | Secret name in WorkOS Vault | `runlayer-sentry-credentials` |
| `relay.vault.apiBase` | WorkOS API base URL | `https://api.workos.com` |
| `relay.vault.initContainer.image` | Container image for the init container | `alpine:3.20` |
| `relay.vault.initContainer.resources` | Resource limits for the init container | See values.yaml |
| `backend.secrets.AUTH_API_KEY` | WorkOS API key (used by relay init container) | (required) |
When `relay.vault.enabled` is true:
- The init container mounts a ConfigMap containing the fetch script at `/scripts/fetch-relay-credentials.sh`
- Credentials are written to the `/.relay` directory (in-memory `emptyDir` volume)
- The relay container uses the `--config /.relay` flag to load credentials on startup
- The `sentry-relay-secret` Kubernetes secret is not created (vault takes precedence)
ECS/Terraform Environment Variables
The `vault-fetch-relay.sh` script supports the following environment variables:
| Variable | Description | Default |
|---|---|---|
| `WORKOS_API_BASE` | WorkOS API base URL | `https://api.workos.com` |
| `WORKOS_VAULT_SECRET_NAME` | Secret name in WorkOS Vault | `runlayer-sentry-credentials` |
Script Locations
| Deployment Type | Script Location | Purpose | Input/Output |
|---|---|---|---|
| ECS/Terraform | `infra/aws-terraform-ecs/scripts/vault-fetch-relay.sh` | Terraform external data source | stdin: JSON with `api_key`; stdout: JSON with credentials |
| EKS/Helm (init container) | `infra/aws-helm/anysource-chart/files/fetch-relay-credentials.sh` | Init container script | env vars: `WORKOS_API_KEY`, etc.; output: writes `credentials.json` and `config.yml` to `/.relay` |
| EKS/Helm (external) | `scripts/helm-fetch-vault-credentials.sh` | CLI wrapper for testing | env: `WORKOS_API_KEY`; output: temporary values file |
- ECS script: Reads the API key from stdin (JSON), outputs credentials to stdout (JSON), uses curl with retry logic
- EKS init container script: Reads the API key from environment variables, writes credentials to files (`credentials.json` and `config.yml`), uses curl with retry logic
- EKS external script: Calls the ECS script internally, converts the JSON output to Helm values file format
The external Helm script (`scripts/helm-fetch-vault-credentials.sh`) uses the ECS script internally to avoid code duplication, then transforms the JSON output into a Helm values YAML file.