Vault Secrets Operator examples

The Operator project provides the following examples:

• Sample use-cases are documented here
• A Terraform based demo can be found here

JWT auth for Kubernetes clusters in private networks

Vault Secrets Operator supports using the JWT auth method. JWT auth verifies tokens using the issuer's public signing key. Vault supports fetching this public key from the Kubernetes API, but if users can't expose the Kubernetes API to Vault, the public key can be provided directly using jwt_validation_pubkeys. To configure this please follow the steps outlined for Using JWT validation public keys

Using VaultStaticSecrets for imagePullSecrets

Vault Secret Operator supports Kubernetes' templating of Secrets based on their Secret Type by setting the Destination.Type field of the VaultStaticSecret. Users who have configured private container registries can use the kubernetes.io/dockerconfigjson or kubernetes.io/dockerconfig types to appropriately format a Kubernetes secret with the contents of their Vault KV Secret.

# Write the secret to Vault:
$ vault kv put kvv2/docker/config .dockerconfigjson=`cat ~/.docker/config.json`

# Apply a VaultStaticSecret which populates the k8s secret named 'myregistryKey' in the applications namespace
# Note: this Secret uses the `default` VaultAuthMethod.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  namespace: awesomeapps
  name: vault-kv-app
spec:
  type: kv-v2
  mount: kvv2
  path: docker/config
  # dest k8s secret
  destination:
    name: myregistryKey
    create: true
    type: "kubernetes.io/dockerconfigjson"
---
# Example pod from
# https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
   - name: myregistrykey