This topic shows you how to integrate External Secrets Operator with HashiCorp Vault in Tanzu Application Platform.
The operator synchronizes secret data from external APIs to a Kubernetes secret resource. For more information about Kubernetes secret resources, see the Kubernetes documentation.
**Important:** This example integration is constructed to showcase the features available and must not be used as-is in a production environment.
Before proceeding with this example, you must:

- Install External Secrets Operator. For more information, see Install External Secrets Operator.
- Install the Tanzu CLI. The Tanzu CLI includes the `external-secrets` plug-in. For Tanzu CLI installation, see Tanzu CLI.
- Have a running instance of HashiCorp Vault. In this instance, there is a secret defined with the key `eso-demo/reg-cred`.
To set up the External Secrets Operator integration with HashiCorp Vault:

1. Create a `Secret` with the Vault token. For example:

   ```shell
   VAULT_TOKEN="vault-token-value"
   cat <<EOF | kubectl apply -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: vault-token
   stringData:
     token: $VAULT_TOKEN
   EOF
   ```
2. Create a `SecretStore` resource referencing the `vault-token` secret. For example:

   **Caution:** When creating the `SecretStore`, ensure that you match the Vault KV secret engine version. This is either `v1` or `v2`. The default is `v2`. For more information, see Vault KV Secrets Engine documentation.

   ```shell
   VAULT_SERVER="http://my.vault.server:8200"
   VAULT_PATH="eso-demo"
   cat <<EOF | tanzu external-secrets store create -y -f -
   ---
   apiVersion: external-secrets.io/v1beta1
   kind: SecretStore
   metadata:
     name: vault-secret-store
   spec:
     provider:
       vault:
         server: $VAULT_SERVER
         path: $VAULT_PATH
         version: v2
         auth:
           tokenSecretRef:
             name: "vault-token" # vault-token created in the previous step
             key: "token"
   EOF
   ```
   **Important:** If you are using a secret store service with a custom CA certificate, you must provide this certificate to External Secrets Operator directly by including the CA in the `SecretStore` or `ClusterSecretStore` resource. The Tanzu Application Platform distribution of External Secrets Operator does not support the Tanzu Application Platform field `shared.ca_cert_data`. For more information about setting the CA in the ESO configuration, see the ESO documentation.
3. Verify that the status of the `SecretStore` resource is `Valid` by running:

   ```shell
   tanzu external-secrets store list
   ```

   Example output:

   ```
   NAMESPACE   NAME                 PROVIDER          STATUS
   default     vault-secret-store   Hashicorp Vault   Valid
   ```
4. Create an `ExternalSecret` resource that uses the `SecretStore` you just created by running:

   ```shell
   cat <<EOF | tanzu external-secrets secret create -y -f -
   ---
   apiVersion: external-secrets.io/v1beta1
   kind: ExternalSecret
   metadata:
     name: vault-secret-example
   spec:
     refreshInterval: 15m
     secretStoreRef:
       name: vault-secret-store
       kind: SecretStore
     target:
       name: registry-secret
       template:
         type: kubernetes.io/dockerconfigjson
         data:
           .dockerconfigjson: "{{ .registryCred | toString }}"
       creationPolicy: Owner
     data:
     - secretKey: registryCred
       remoteRef:
         key: $VAULT_PATH/eso-demo
         property: reg-cred
   EOF
   ```
5. Verify that the status of the `ExternalSecret` resource is `Valid` by running:

   ```shell
   tanzu external-secrets secret list
   ```

   Example output:

   ```
   NAMESPACE   NAME                   SECRET NAME       STORE                REFRESH INTERVAL   STATUS         LAST UPDATED   LAST REFRESH
   default     vault-secret-example   registry-secret   vault-secret-store   15m                SecretSynced   21s            10m
   ```
6. After the resource has reconciled, a Kubernetes `Secret` resource is created. Look for a secret named `registry-secret` created by the referenced `ExternalSecret`. For example:

   ```shell
   kubectl get secrets registry-secret -o="jsonpath={.data.\.dockerconfigjson}" | base64 -D
   ```

   Example output:

   ```json
   {"auths":{"my-registry.example:8200":{"username":"foo","password":"bar4","email":"foo@bar.example","auth":"Zm9vOmJhcjQ="}}}
   ```
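A check on the result of the procedure above, written as an added example that is not part of the Tanzu documentation or of ESO: it takes the `Secret` as `kubectl get secret registry-secret -o json` returns it, confirms that `.dockerconfigjson` decodes to a registry config whose `auth` field really is `username:password`, and reports whether an `ExternalSecret`'s `Ready` condition carries the `SecretSynced` reason shown in the STATUS column. The registry, user name and password are constructed placeholders.

```python
import base64
import json


def build_registry_secret(registry: str, username: str, password: str,
                          auth: str = "") -> dict:
    """Secret dict as `kubectl get secret -o json` shows it after ESO renders the template (constructed sample)."""
    if not auth:
        auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": username, "password": password,
                                 "auth": auth}}}
    encoded = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": "registry-secret"},
            "data": {".dockerconfigjson": encoded}}


def check_registry_secret(secret: dict) -> list:
    """Return the problems found; an empty list means the Secret is usable as a pull secret."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"unexpected type {secret.get('type')!r}")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["missing .dockerconfigjson key"]
    try:
        cfg = json.loads(base64.b64decode(raw))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return problems + [f".dockerconfigjson is not base64-encoded JSON: {exc}"]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return problems + ["no registries under 'auths'"]
    for registry, entry in auths.items():
        user, pw = entry.get("username"), entry.get("password")
        if not (user and pw):
            problems.append(f"{registry}: username or password missing")
            continue
        expected = base64.b64encode(f"{user}:{pw}".encode()).decode()
        if entry.get("auth") != expected:
            problems.append(f"{registry}: auth field does not match username:password")
    return problems


def external_secret_synced(external_secret: dict) -> bool:
    """True when the ExternalSecret's Ready condition reports SecretSynced, the STATUS a healthy sync shows."""
    for cond in external_secret.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True" and cond.get("reason") == "SecretSynced"
    return False
```

Feed `check_registry_secret` the output of `kubectl get secret registry-secret -o json` and `external_secret_synced` the output of `kubectl get externalsecret vault-secret-example -o json` to verify a live cluster.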