mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-30 18:17:55 +00:00
9ffea8aee5
Doc updates are mostly focused on HCP Vault Secrets support. --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
77 lines
2.8 KiB
Plaintext
77 lines
2.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Secrets Operator with HCP Vault Secrets
|
|
description: >-
|
|
The Vault Secrets Operator allows Pods to consume HCP Vault Secrets natively from Kubernetes Secrets.
|
|
---
|
|
|
|
# HCP Vault Secrets source
|
|
|
|
## Overview
|
|
|
|
The Vault secrets operator (VSO) syncs your [HCP Vault Secrets app](/hcp/docs/vault-secrets) (HVSA) to
|
|
a Kubernetes Secret. Vault syncs each `HCPVaultSecretsApp` custom resource periodically to ensure that
|
|
changes to the secret source are properly reflected in the Kubernetes secret.
|
|
|
|
|
|
## Features
|
|
|
|
- Periodic synchronization of HCP Vault Secrets app to a *destination* Kubernetes Secret.
|
|
- Automatic drift detection and remediation when the destination Kubernetes Secret
|
|
is modified or deleted.
|
|
- Supports all VSO features, including rollout-restarts on secret rotation or
|
|
during drift remediation.
|
|
- Supports authentication to HCP using [HCP service principals](/hcp/docs/hcp/admin/iam/service-principals).
|
|
|
|
|
|
### Supported HCP authentication methods
|
|
|
|
| Backend | Description |
|
|
|----------------------------------------------------------------------|--------------------------------------------------------|
|
|
| [HCP Service Principals](/hcp/docs/hcp/admin/iam/service-principals) | Relies on static credentials for authenticating to HCP |
|
|
|
|
|
|
### HCP Vault Secrets sync example
|
|
|
|
The following Kubernetes configuration can be used to sync the HCP Vault Secrets app, `vso-example`,
|
|
to the Kubernetes Secret, `vso-app-secret`, in the `vso-example-ns` Kubernetes Namespace. It assumes that
|
|
you have already setup [service principal Kubernetes secret](/vault/docs/platform/k8s/vso/api-reference#hcpauthserviceprincipal),
|
|
and have created the HCP Vault Secrets app.
|
|
|
|
Use the following Kubernetes configuration to sync your HCP Vault Secrets app, `vso-example`,
|
|
to the Kubernetes secret, `vso-app-secret`, in the `vso-example-ns` Kubernetes namespace.
|
|
The example configuration assumes you already a HCP Vault Secrets app created and have your
|
|
[service principal Kubernetes secret](/vault/docs/platform/k8s/vso/api-reference#hcpauthserviceprincipal)
|
|
configured.
|
|
|
|
Refer to the [Kubernetes VSO installation guide](/vault/docs/platform/k8s/vso/installation)
|
|
before applying any of the example configurations below.
|
|
|
|
```yaml
|
|
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: HCPAuth
|
|
metadata:
|
|
name: hcp-auth
|
|
namespace: vso-example-ns
|
|
spec:
|
|
organizationID: xxxxxxxx-76e9-4e17-b5e9-xxxxxxxx4c33
|
|
projectID: xxxxxxxx-bd16-443f-a266-xxxxxxxxcb52
|
|
servicePrincipal:
|
|
secretRef: vso-app-sp
|
|
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: HCPVaultSecretsApp
|
|
metadata:
|
|
name: vso-app
|
|
namespace: vso-example-ns
|
|
spec:
|
|
appName: vso-app
|
|
hcpAuthRef: hcp-auth
|
|
destination:
|
|
create: true
|
|
name: vso-app-secret
|
|
```
|
|
|
|
@include 'vso/blurb-api-reference.mdx'
|