Vault Secrets Operator with HCP Vault Secrets
The Vault Secrets Operator (VSO) syncs your HCP Vault Secrets app (HVSA) to a Kubernetes Secret. The operator syncs each HCPVaultSecretsApp custom resource periodically to ensure that changes to the secret source are properly reflected in the Kubernetes Secret.
Features
- Periodic synchronization of HCP Vault Secrets app to a destination Kubernetes Secret.
- Automatic drift detection and remediation when the destination Kubernetes Secret is modified or deleted.
- Supports all VSO features, including rollout-restarts on secret rotation or during drift remediation.
- Supports authentication to HCP using HCP service principals.
- Supports static, auto-rotating and dynamic secrets within an HCP Vault Secrets app.
Supported HCP authentication methods
| Backend | Description |
|---|---|
| HCP Service Principals | Relies on static credentials for authenticating to HCP |
HCP Vault Secrets sync example
The following Kubernetes configuration can be used to sync the HCP Vault Secrets app, `vso-example`, to the Kubernetes Secret, `vso-app-secret`, in the `vso-example-ns` Kubernetes Namespace. It assumes that you have already set up the service principal Kubernetes Secret and have created the HCP Vault Secrets app.
Refer to the Kubernetes VSO installation guide before applying any of the example configurations below.
```yaml
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: hcp-auth
  namespace: vso-example-ns
spec:
  organizationID: xxxxxxxx-76e9-4e17-b5e9-xxxxxxxx4c33
  projectID: xxxxxxxx-bd16-443f-a266-xxxxxxxxcb52
  servicePrincipal:
    secretRef: vso-app-sp
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: vso-app
  namespace: vso-example-ns
spec:
  appName: vso-app
  hcpAuthRef: hcp-auth
  destination:
    create: true
    name: vso-app-secret
```
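The HCPVaultSecretsApp only works if its references line up: `hcpAuthRef` has to name an existing HCPAuth, the HCPAuth has to point at a service principal Secret that actually carries the credentials, and the organization and project IDs must be real UUIDs rather than the `xxxxxxxx` placeholders left in the sample above. The following pre-apply check is an added example written for this page, not part of VSO or HashiCorp's code. It assumes that a bare `hcpAuthRef` resolves in the app's own namespace (with an optional `namespace/name` form), that the service principal Secret is looked up in the app's namespace, and that it carries the keys `clientID` and `clientSecret`; manifests are given as plain Python dicts (constructed to mirror the YAML above) so that no YAML library is needed.

```python
import copy
import re

# HCP organization and project IDs are UUIDs; the page's sample keeps
# 'xxxxxxxx' placeholders in them, which this check flags.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Keys the service principal Secret is assumed to carry (assumption, see lead-in).
SP_KEYS = {"clientID", "clientSecret"}


def _index(docs):
    """Index manifests by (kind, namespace, name) for reference lookups."""
    return {(d.get("kind"), d["metadata"].get("namespace"), d["metadata"].get("name")): d
            for d in docs}


def _resolve(ref, default_ns):
    """Assumed reference syntax: 'name' (same namespace) or 'namespace/name'."""
    if "/" in ref:
        ns, name = ref.split("/", 1)
        return ns, name
    return default_ns, ref


def check_hvs_manifests(docs):
    """Return a list of findings; an empty list means the manifests are consistent."""
    idx = _index(docs)
    findings = []
    for app in (d for d in docs if d.get("kind") == "HCPVaultSecretsApp"):
        ns, app_name = app["metadata"]["namespace"], app["metadata"]["name"]
        spec = app.get("spec", {})
        ref = spec.get("hcpAuthRef")
        if not ref:
            findings.append(f"{ns}/{app_name}: spec.hcpAuthRef is missing")
            continue
        auth_ns, auth_name = _resolve(ref, ns)
        auth = idx.get(("HCPAuth", auth_ns, auth_name))
        if auth is None:
            findings.append(f"{ns}/{app_name}: hcpAuthRef {ref!r} has no HCPAuth in {auth_ns}")
            continue
        aspec = auth.get("spec", {})
        for field in ("organizationID", "projectID"):
            if not UUID_RE.match(str(aspec.get(field, ""))):
                findings.append(f"HCPAuth {auth_ns}/{auth_name}: {field} is not a UUID (placeholder left in?)")
        # The service principal Secret is assumed to live in the app's namespace.
        sp_ref = aspec.get("servicePrincipal", {}).get("secretRef")
        sp = idx.get(("Secret", ns, sp_ref))
        if sp is None:
            findings.append(f"HCPAuth {auth_ns}/{auth_name}: service principal Secret {sp_ref!r} not found in {ns}")
        else:
            missing = sorted(SP_KEYS - set(sp.get("data", {})))
            if missing:
                findings.append(f"Secret {ns}/{sp_ref}: missing keys {missing}")
        dest = spec.get("destination", {})
        if not dest.get("name"):
            findings.append(f"{ns}/{app_name}: destination.name is missing")
        elif not dest.get("create") and ("Secret", ns, dest["name"]) not in idx:
            findings.append(f"{ns}/{app_name}: destination.create is false and Secret {dest['name']!r} does not exist")
    return findings


# Constructed manifests mirroring the page's sample (placeholders kept), plus a
# service principal Secret that is missing its clientSecret key.
PAGE_LIKE_DOCS = [
    {"apiVersion": "secrets.hashicorp.com/v1beta1", "kind": "HCPAuth",
     "metadata": {"name": "hcp-auth", "namespace": "vso-example-ns"},
     "spec": {"organizationID": "xxxxxxxx-76e9-4e17-b5e9-xxxxxxxx4c33",
              "projectID": "xxxxxxxx-bd16-443f-a266-xxxxxxxxcb52",
              "servicePrincipal": {"secretRef": "vso-app-sp"}}},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "vso-app-sp", "namespace": "vso-example-ns"},
     "data": {"clientID": "Y29uc3RydWN0ZWQ="}},
    {"apiVersion": "secrets.hashicorp.com/v1beta1", "kind": "HCPVaultSecretsApp",
     "metadata": {"name": "vso-app", "namespace": "vso-example-ns"},
     "spec": {"appName": "vso-app", "hcpAuthRef": "hcp-auth",
              "destination": {"create": True, "name": "vso-app-secret"}}},
]

# The same set with constructed (not real) UUIDs and a complete credential Secret.
GOOD_DOCS = copy.deepcopy(PAGE_LIKE_DOCS)
GOOD_DOCS[0]["spec"].update(organizationID="11111111-2222-4333-8444-555555555555",
                            projectID="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
GOOD_DOCS[1]["data"]["clientSecret"] = "Y29uc3RydWN0ZWQ="

if __name__ == "__main__":
    for finding in check_hvs_manifests(PAGE_LIKE_DOCS):
        print("FINDING:", finding)
    print("good set findings:", check_hvs_manifests(GOOD_DOCS))
```

Run against the page-like set it reports the two placeholder IDs and the missing `clientSecret` key; the corrected set produces no findings. Feeding it the output of `kubectl get hcpauth,hcpvaultsecretsapp,secret -n vso-example-ns -o json` (the `items` list) is the natural way to use it against a live namespace.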
Static Secrets
VSO supports syncing static secrets from an HCP Vault Secrets app to a Kubernetes Secret. VSO syncs the secrets to Kubernetes on the refreshAfter interval set in the HCPVaultSecretsApp spec.
Auto-rotating and Dynamic Secrets
Feature availability: VSO v0.9.0
VSO also supports syncing auto-rotating and dynamic secrets from an HCP Vault Secrets app to a Kubernetes Secret.
VSO syncs auto-rotating secrets along with static secrets on the refreshAfter interval, and rotation is handled by HCP. VSO syncs dynamic secrets when the specified percentage of their TTL has elapsed. Each sync of a dynamic secret generates a new set of credentials.
An auto-rotating or dynamic secret can have multiple key-value pairs, which are rendered in the destination Kubernetes Secret as both a nested map and flattened key-value pairs. For example:
```yaml
apiVersion: v1
kind: Secret
data:
  secret_name: {"key_one": "value_one", "key_two": "value_two"}
  secret_name_key_one: "value_one"
  secret_name_key_two: "value_two"
...
```
Transformation template commands like `get` and `dig` in the HCPVaultSecretsApp Destination can be used to extract values from the nested map format:

```yaml
transformation:
  templates:
    secret_one:
      text: '{{- get (get .Secrets "secret_name") "key_one" -}}'
    secret_two:
      text: '{{- dig "secret_name" "key_two" "<missing>" .Secrets -}}'
```
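To see what lands in the destination Secret, and what the two templates above resolve to, here is an added example that models the rendering rules described in this section; it is not VSO's code. It assumes the nested map is stored as a JSON string (Secret values must be strings), that `get` returns an empty string for a missing key and `dig` returns its default, matching the Sprig functions the templates use, and that the data written to the cluster is base64-encoded as in any v1 Secret. The input app contents are constructed sample values.

```python
import base64
import json

# Constructed sample of an app's contents (not real data): one static secret
# and one auto-rotating/dynamic secret that carries several key-value pairs,
# named as in the page's own example.
SAMPLE_SECRETS = {
    "api_token": "static-token-value",
    "secret_name": {"key_one": "value_one", "key_two": "value_two"},
}


def flatten_secrets(secrets):
    """Render app secrets as the page describes: a multi-key secret appears
    both as a nested map (JSON-encoded, assumption) and as '<secret>_<key>'
    entries; single-value secrets pass through unchanged."""
    rendered = {}
    for name, value in secrets.items():
        if isinstance(value, dict):
            rendered[name] = json.dumps(value, separators=(",", ":"))
            for key, sub in value.items():
                rendered[f"{name}_{key}"] = str(sub)
        else:
            rendered[name] = str(value)
    return rendered


def tpl_get(mapping, key):
    """Model of the template 'get' function: the value, or "" when absent."""
    return mapping.get(key, "") if isinstance(mapping, dict) else ""


def tpl_dig(secrets, *path, default):
    """Model of the template 'dig' function: walk a key path through nested
    maps and fall back to the default when any step is missing."""
    node = secrets
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def render_templates(secrets):
    """Apply the page's two templates (plus one for a missing key) to the raw,
    nested app data that the templates see as .Secrets."""
    return {
        "secret_one": tpl_get(tpl_get(secrets, "secret_name"), "key_one"),
        "secret_two": tpl_dig(secrets, "secret_name", "key_two", default="<missing>"),
        "secret_three": tpl_dig(secrets, "secret_name", "key_three", default="<missing>"),
    }


def to_secret_manifest(name, namespace, rendered):
    """Build the v1 Secret as stored in the cluster: base64-encoded values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in rendered.items()},
    }


def decode_secret_data(manifest):
    """Reverse of the above: the check you run after `kubectl get secret -o json`."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}


if __name__ == "__main__":
    flat = flatten_secrets(SAMPLE_SECRETS)
    manifest = to_secret_manifest("vso-app-secret", "vso-example-ns", flat)
    for key, value in decode_secret_data(manifest).items():
        print(f"{key}: {value}")
    print(render_templates(SAMPLE_SECRETS))
```

The `secret_three` template shows why `dig` with a default is the safer choice for keys that may not exist on every rotation: `get` silently yields an empty string, which a consuming Pod would read as an empty credential.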
For more details on any of the custom resources mentioned here, please see the api-reference.
Tutorial
Refer to the HCP Vault Secrets with Vault Secrets Operator for Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.