examples.mdx

File metadata and controls

65 lines (57 loc) · 2.54 KB
layout page_title description
docs
Vault Secrets Operator Examples
The Vault Secrets Operator allows Pods to consume Vault secrets natively from Kubernetes Secrets.

# Vault Secrets Operator examples

The Operator project provides the following examples:

- Sample use-cases are documented here
- A Terraform-based demo can be found here

## JWT auth for Kubernetes clusters in private networks

Vault Secrets Operator supports using Vault's JWT auth method. JWT auth verifies a token's signature with the issuer's public signing key. Vault can fetch that key from the Kubernetes API (the cluster's OIDC discovery and JWKS endpoints), but if you cannot expose the Kubernetes API to Vault, the public key can be supplied directly with `jwt_validation_pubkeys`. To configure this, follow the steps outlined in Using JWT validation public keys. Two caveats apply: unlike the Kubernetes auth method, JWT auth does not call the TokenReview API, so a token stays valid until it expires even if its service account has been deleted (keep token TTLs short and bind roles to a specific subject and audience); and with statically configured keys, Vault's configuration must be updated whenever the cluster's service account signing key is rotated, or every login will fail with a signature error.
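The check a static-key verifier can and cannot make is easiest to see in code. The following Go program is an added example written for this page; it is not code from Vault or from the Vault Secrets Operator. It mints a Kubernetes-shaped RS256 service account token with a freshly generated key (standing in for the cluster's signing key) and then verifies it with nothing but the pinned public key, the way a `jwt_validation_pubkeys` configuration has to: signature first, then issuer, expiry, audience and subject. The `Policy` type, the `MintRS256`/`VerifyStatic` function names, and the issuer and subject strings are this example's own assumptions, not Vault configuration keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Kubernetes projected service account token that a
// static-key verifier can check. Kubernetes emits aud as a JSON array.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// Policy is what a role binds a token to. The field names are this example's
// own; they model the bound issuer/audience/subject idea, not a Vault API.
type Policy struct {
	Issuer   string
	Audience string
	Subject  string // e.g. system:serviceaccount:<namespace>:<serviceaccount>
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintRS256 plays the cluster's token issuer: it signs claims with the
// (generated, stand-in) service account signing key and returns a compact JWT.
func MintRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyStatic checks a token using only a pinned public key. It never talks to
// the Kubernetes API, so a deleted service account is not detected until the
// token expires; expiry and the bound claims are the only limits on misuse.
func VerifyStatic(pub *rsa.PublicKey, token string, p Policy, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	var err error
	for i, part := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(part); err != nil {
			return c, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" { // the verifier fixes the algorithm, never the token
		return c, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	if err := json.Unmarshal(raw[1], &c); err != nil { // claims are trusted only after the signature check
		return c, err
	}
	if c.Iss != p.Issuer {
		return c, fmt.Errorf("issuer %q not allowed", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == p.Audience
	}
	if !audOK {
		return c, fmt.Errorf("audience %v lacks %q", c.Aud, p.Audience)
	}
	if c.Sub != p.Subject {
		return c, fmt.Errorf("subject %q not bound", c.Sub)
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the cluster signing key
	pol := Policy{Issuer: "https://kubernetes.default.svc", Audience: "vault", Subject: "system:serviceaccount:vault:vso"}
	tok, _ := MintRS256(key, Claims{Iss: pol.Issuer, Sub: pol.Subject, Aud: []string{"vault"}, Exp: time.Now().Add(10 * time.Minute).Unix()})
	_, err := VerifyStatic(&key.PublicKey, tok, pol, time.Now())
	fmt.Println("fresh token:", err)
	_, err = VerifyStatic(&key.PublicKey, tok, pol, time.Now().Add(time.Hour))
	fmt.Println("after expiry:", err)
}
```

Rotating the cluster's signing key is the failure mode to plan for: a token signed by the new key fails the `VerifyStatic` signature check exactly as a forged one would, until the pinned public key is replaced.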

## Using VaultStaticSecrets for imagePullSecrets

Vault Secrets Operator supports Kubernetes' typed Secrets: setting the `destination.type` field of a VaultStaticSecret creates the Kubernetes Secret with that type. Users who have configured private container registries can use the `kubernetes.io/dockerconfigjson` or `kubernetes.io/dockercfg` types so that the Kubernetes Secret built from their Vault KV secret is formatted for use as an imagePullSecret. Kubernetes validates these types, so the KV secret must carry the key the type requires (`.dockerconfigjson` holding a Docker `config.json` document, or `.dockercfg` for the legacy format); with any other key the Secret is rejected by the API server.

```shell
# Write the docker config to Vault. Quote the command substitution: config.json
# contains whitespace and would otherwise be split into several arguments.
$ vault kv put kvv2/docker/config .dockerconfigjson="$(cat ~/.docker/config.json)"
```

```yaml
# Apply a VaultStaticSecret which populates the Kubernetes Secret named
# 'myregistrykey' in the application's namespace. Secret names must be lowercase
# DNS subdomain names, so the same lowercase name is used here and in the Pod.
# Note: this VaultStaticSecret sets no vaultAuthRef and so uses the `default` VaultAuth.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: awesomeapps
  name: vault-kv-app
spec:
  type: kv-v2
  mount: kvv2
  path: docker/config
  # destination Kubernetes Secret; the KV key `.dockerconfigjson` becomes the
  # Secret key that the kubernetes.io/dockerconfigjson type requires
  destination:
    name: myregistrykey
    create: true
    type: "kubernetes.io/dockerconfigjson"
---
# Example pod from
# https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey
```
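A workstation's `~/.docker/config.json` is often not usable in-cluster: Docker Desktop and `docker login` with a credential helper write `credsStore`/`credHelpers` entries and leave `auths` empty, so the Secret above would be created successfully and every image pull would still fail with an authentication error. The following Go program is an added example written for this page, not code from the Vault Secrets Operator; it builds a minimal inline `.dockerconfigjson` for one registry and checks an existing document for the conditions under which kubelet can actually use it. The function names, the `registry.example.com` registry, the `ci-bot` credentials and the sample documents are all constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// authEntry and dockerConfig mirror the fields of a Docker config.json that
// matter for an imagePullSecret; the JSON names are the Docker CLI's.
type authEntry struct {
	Auth string `json:"auth"`
}

type dockerConfig struct {
	Auths       map[string]authEntry `json:"auths"`
	CredsStore  string               `json:"credsStore,omitempty"`
	CredHelpers map[string]string    `json:"credHelpers,omitempty"`
}

// BuildDockerConfigJSON produces a minimal .dockerconfigjson with an inline
// base64("user:password") auth for one registry, the form kubelet consumes.
func BuildDockerConfigJSON(registry, user, password string) (string, error) {
	cfg := dockerConfig{Auths: map[string]authEntry{
		registry: {Auth: base64.StdEncoding.EncodeToString([]byte(user + ":" + password))},
	}}
	b, err := json.Marshal(cfg)
	return string(b), err
}

// CheckDockerConfigJSON returns the registries whose credentials are embedded
// inline, or an error when the document would not work as an imagePullSecret:
// invalid JSON, a credential helper that only exists on the workstation, an
// auth value that is not base64(user:password), or no registries at all.
func CheckDockerConfigJSON(doc string) ([]string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal([]byte(doc), &cfg); err != nil {
		return nil, fmt.Errorf("not valid JSON: %w", err)
	}
	if cfg.CredsStore != "" || len(cfg.CredHelpers) > 0 {
		return nil, fmt.Errorf("config delegates to credsStore=%q credHelpers=%v; kubelet cannot run a credential helper", cfg.CredsStore, cfg.CredHelpers)
	}
	var regs []string
	for reg, a := range cfg.Auths {
		if a.Auth == "" {
			return nil, fmt.Errorf("registry %q has no inline auth", reg)
		}
		raw, err := base64.StdEncoding.DecodeString(a.Auth)
		if err != nil || !strings.Contains(string(raw), ":") {
			return nil, fmt.Errorf("registry %q: auth is not base64(user:password)", reg)
		}
		regs = append(regs, reg)
	}
	if len(regs) == 0 {
		return nil, fmt.Errorf("no registries under auths; nothing for kubelet to authenticate with")
	}
	sort.Strings(regs)
	return regs, nil
}

func main() {
	// Constructed sample of what Docker Desktop typically leaves on a laptop.
	desktop := `{"auths":{"https://index.docker.io/v1/":{}},"credsStore":"desktop"}`
	_, err := CheckDockerConfigJSON(desktop)
	fmt.Println("workstation config:", err)

	// A document built for the cluster with inline credentials passes the check.
	doc, _ := BuildDockerConfigJSON("registry.example.com", "ci-bot", "s3cret")
	regs, err := CheckDockerConfigJSON(doc)
	fmt.Println("built config:", regs, err)
}
```

Run the check against the file before `vault kv put`, and prefer writing a purpose-built document for a dedicated pull-only registry account rather than copying a personal `config.json` that may also hold credentials for registries the cluster should never see.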