Integrate External Secrets Operator with HashiCorp Vault in Tanzu Application Platform

This topic shows you how to integrate External Secrets Operator with HashiCorp Vault in Tanzu Application Platform.

The operator synchronizes secret data from external APIs to a Kubernetes secret resource. For more information about Kubernetes secret resources, see the Kubernetes documentation.

Important

This example integration is constructed to showcase the available features and is not suitable for use in a production environment.

Prerequisites

Before proceeding with this example, you must:

  • Install External Secrets Operator. For more information, see Install External Secrets Operator.

  • Install the Tanzu CLI. The Tanzu CLI includes the external-secrets plug-in. For Tanzu CLI installation, see Tanzu CLI.

  • Have a running instance of HashiCorp Vault. In this instance, there is a secret defined with the key eso-demo/reg-cred.

Set up the integration

To set up the External Secrets Operator integration with HashiCorp Vault:

  1. Create a Secret with the vault token. For example:

    VAULT_TOKEN="vault-token-value"
    
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: vault-token
    stringData:
      token: $VAULT_TOKEN
    EOF
    
  2. Create a SecretStore resource referencing the vault-token secret. For example:

    Caution

    When creating the SecretStore, ensure that you match the Vault KV secret engine version. This is either v1 or v2. The default is v2. For more information, see Vault KV Secrets Engine documentation.

    VAULT_SERVER="http://my.vault.server:8200"
    VAULT_PATH="eso-demo"
    
    cat <<EOF | tanzu external-secrets store create -y -f -
    ---
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: vault-secret-store
    spec:
      provider:
        vault:
          server: $VAULT_SERVER
          path: $VAULT_PATH
          version: v2
          auth:
            tokenSecretRef:
              name: "vault-token" # vault-token created in the previous step
              key: "token"
    EOF
    
    Important

    If you are using a secret store service with a custom CA certificate, you must provide this certificate to External Secrets Operator directly by including the CA in the SecretStore or ClusterSecretStore resource.

    The Tanzu Application Platform distribution of External Secrets Operator does not support the Tanzu Application Platform field shared.ca_cert_data. For more information about setting the CA in the ESO configuration, see the ESO documentation.

  3. Verify that the status of the SecretStore resource is Valid by running:

    tanzu external-secrets store list
    

    Example output:

    NAMESPACE  NAME                PROVIDER         STATUS
    default    vault-secret-store  Hashicorp Vault  Valid
    
  4. Create an ExternalSecret resource that uses the SecretStore you just created by running:

    cat <<EOF | tanzu external-secrets secret create -y -f -
    ---
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: vault-secret-example
    spec:
      refreshInterval: 15m
      secretStoreRef:
        name: vault-secret-store
        kind: SecretStore
      target:
        name: registry-secret
        template:
          type: kubernetes.io/dockerconfigjson
          data:
            .dockerconfigjson: "{{ .registryCred | toString }}"
        creationPolicy: Owner
      data:
      - secretKey: registryCred
        remoteRef:
          key: $VAULT_PATH/eso-demo
          property: reg-cred
    EOF
    
  5. Verify that the status of the ExternalSecret resource is Valid by running:

    tanzu external-secrets secret list
    

    Example output:

    NAMESPACE  NAME                  SECRET NAME      STORE               REFRESH INTERVAL  STATUS        LAST UPDATED  LAST REFRESH
    default    vault-secret-example  registry-secret  vault-secret-store  15m               SecretSynced  21s           10m
    
  6. After the resource has reconciled, a Kubernetes secret resource is created. Look for a secret named registry-secret created by the referenced ExternalSecret. For example:

    kubectl get secrets registry-secret -o="jsonpath={.data.\.dockerconfigjson}" | base64 -D
    {"auths":{"my-registry.example:8200":{"username":"foo","password":"bar4","email":"foo@bar.example","auth":"Zm9vOmJhcjQ="}}}
    
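The following shell helpers are an added example and are not part of the Tanzu or External Secrets Operator documentation. They cover the two points a practitioner is most likely to trip over in the procedure above: the Caution in step 2 (the SecretStore must match the Vault KV engine version, v1 or v2) and the Important note in step 2 (a private CA must be given to ESO inside the SecretStore rather than through shared.ca_cert_data), plus the status check in step 5. The example assumes the ESO Vault provider field caBundle (a base64-encoded PEM bundle), the same tokenSecretRef as the page, the column layout of the `tanzu external-secrets secret list` output shown in step 5, and a constructed placeholder CA file that is not a real certificate. It generalises the page's single v2 SecretStore to both engine versions and to stores with or without a custom CA.

```shell
#!/bin/sh
# Added example (not from the Tanzu or ESO documentation). Assumptions:
# the ESO Vault provider accepts `version: v1|v2` and `caBundle: <base64 PEM>`,
# and `tanzu external-secrets secret list` prints the columns shown in step 5.
set -eu

# Accept only the two KV engine versions ESO understands. Rejecting anything
# else before rendering prevents a typo from silently using the v2 default
# against a v1 mount, which surfaces later as an opaque read error.
validate_kv_version() {
  case "$1" in
    v1|v2) printf '%s\n' "$1" ;;
    *) echo "unsupported Vault KV version: $1 (expected v1 or v2)" >&2; return 1 ;;
  esac
}

# Render a SecretStore manifest.
#   $1 store name, $2 Vault server URL, $3 KV mount path, $4 KV version,
#   $5 optional PEM file holding the custom CA for the Vault endpoint.
# When a CA file is given it is embedded as caBundle, which is how this ESO
# build is told to trust a private CA (shared.ca_cert_data is not honoured).
render_secret_store() {
  name=$1; server=$2; path=$3
  version=$(validate_kv_version "$4") || return 1
  ca_file=${5:-}
  cat <<EOF
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: $name
spec:
  provider:
    vault:
      server: $server
      path: $path
      version: $version
EOF
  if [ -n "$ca_file" ]; then
    # `base64 | tr -d '\n'` yields one line on both GNU and BSD base64.
    printf '      caBundle: %s\n' "$(base64 < "$ca_file" | tr -d '\n')"
  fi
  cat <<EOF
      auth:
        tokenSecretRef:
          name: vault-token   # the Secret created in step 1
          key: token
EOF
}

# Read `tanzu external-secrets secret list` output on stdin and succeed only
# when the named ExternalSecret reports STATUS SecretSynced. Data rows have
# eight whitespace-separated fields; STATUS is the sixth. Suitable as a CI
# gate so a store that stops syncing is caught before workloads use a stale
# registry credential.
check_secret_synced() {
  awk -v want="$1" '
    NR > 1 && $2 == want { found = 1; if ($6 == "SecretSynced") ok = 1 }
    END { exit (found && ok) ? 0 : 1 }'
}

# Constructed sample output in the layout from step 5 (not real cluster data).
SAMPLE_LIST='NAMESPACE  NAME                  SECRET NAME      STORE               REFRESH INTERVAL  STATUS             LAST UPDATED  LAST REFRESH
default    vault-secret-example  registry-secret  vault-secret-store  15m               SecretSynced       21s           10m
default    other-secret          other            vault-secret-store  15m               SecretSyncedError  5s            10m'

# Stand-alone demo: render a v2 store with a placeholder CA, then gate on the
# constructed list output. Pipe the rendered manifest into
# `tanzu external-secrets store create -y -f -` to apply it for real.
demo() {
  ca=$(mktemp)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$ca"
  render_secret_store vault-secret-store https://my.vault.server:8200 eso-demo v2 "$ca"
  rm -f "$ca"
  printf '%s\n' "$SAMPLE_LIST" | check_secret_synced vault-secret-example \
    && echo "vault-secret-example: SecretSynced"
}
```

Running `demo` prints the manifest with the caBundle line and confirms the sample ExternalSecret is synced; calling `check_secret_synced` with a name whose status is anything other than SecretSynced (or a name that is absent from the output) returns a non-zero exit code.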