HCP Vault Secrets source
Overview
The Vault secrets operator (VSO) syncs your HCP Vault Secrets app (HVSA) to
a Kubernetes Secret. Vault syncs each HCPVaultSecretsApp
custom resource periodically to ensure that
changes to the secret source are properly reflected in the Kubernetes secret.
Features
- Periodic synchronization of HCP Vault Secrets app to a destination Kubernetes Secret.
- Automatic drift detection and remediation when the destination Kubernetes Secret is modified or deleted.
- Supports all VSO features, including rollout-restarts on secret rotation or during drift remediation.
- Supports authentication to HCP using HCP service principals.
Supported HCP authentication methods
Backend | Description |
---|---|
HCP Service Principals | Relies on static credentials for authenticating to HCP |
HCP Vault Secrets sync example
The following Kubernetes configuration can be used to sync the HCP Vault Secrets app, vso-example
,
to the Kubernetes Secret, vso-app-secret
, in the vso-example-ns
Kubernetes Namespace. It assumes that
you have already setup service principal Kubernetes secret,
and have created the HCP Vault Secrets app.
Use the following Kubernetes configuration to sync your HCP Vault Secrets app, vso-example
,
to the Kubernetes secret, vso-app-secret
, in the vso-example-ns
Kubernetes namespace.
The example configuration assumes you already a HCP Vault Secrets app created and have your
service principal Kubernetes secret
configured.
Refer to the Kubernetes VSO installation guide before applying any of the example configurations below.
---apiVersion: secrets.hashicorp.com/v1beta1kind: HCPAuthmetadata: name: hcp-auth namespace: vso-example-nsspec: organizationID: xxxxxxxx-76e9-4e17-b5e9-xxxxxxxx4c33 projectID: xxxxxxxx-bd16-443f-a266-xxxxxxxxcb52 servicePrincipal: secretRef: vso-app-sp---apiVersion: secrets.hashicorp.com/v1beta1kind: HCPVaultSecretsAppmetadata: name: vso-app namespace: vso-example-nsspec: appName: vso-app hcpAuthRef: hcp-auth destination: create: true name: vso-app-secret
For more details on any of the custom resources mentioned here, please see the api-reference.