HCP Vault Secrets source
Overview
The Vault Secrets Operator (VSO) syncs an HCP Vault Secrets app (HVSA) to
a Kubernetes Secret. VSO reconciles each HCPVaultSecretsApp
custom resource periodically so that
changes in the secret source are reflected in the destination Kubernetes Secret.
Features
- Periodic synchronization of an HCP Vault Secrets app to a destination Kubernetes Secret.
- Automatic drift detection and remediation when the destination Kubernetes Secret is modified or deleted.
- Supports all VSO features, including rollout-restarts on secret rotation or during drift remediation.
- Supports authentication to HCP using HCP service principals.
Supported HCP authentication methods
| Backend | Description |
|---|---|
| HCP Service Principals | Relies on static credentials for authenticating to HCP |
HCP Vault Secrets sync example
Use the following Kubernetes configuration to sync the HCP Vault Secrets app `vso-example`
to the Kubernetes Secret `vso-app-secret` in the `vso-example-ns` Kubernetes namespace.
The example assumes that you have already created the HCP Vault Secrets app and have
configured the service principal Kubernetes secret.
Refer to the Kubernetes VSO installation guide before applying any of the example configurations below.
For more details on any of the custom resources mentioned here, please see the api-reference.
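The manifests below are an added illustration written for this page, not the project's own example configuration. They assume placeholder values for the HCP organization and project IDs, that the operator runs in the `vault-secrets-operator-system` namespace, that the service principal credentials are stored in a Secret named `vso-sp`, and that a Deployment named `vso-example` consumes the synced Secret; adjust those to your environment.

```yaml
# Added example (not the page's own manifest). Assumed: organization/project
# ID placeholders, operator namespace vault-secrets-operator-system, Secret
# name vso-sp for the service principal, and a Deployment named vso-example.
---
# Static HCP service principal credentials referenced by HCPAuth below.
# clientID and clientSecret are the keys VSO reads from the referenced Secret.
# These are long-lived credentials: restrict RBAC on this namespace accordingly.
apiVersion: v1
kind: Secret
metadata:
  name: vso-sp
  namespace: vault-secrets-operator-system
type: Opaque
stringData:
  clientID: "<hcp-service-principal-client-id>"        # assumed placeholder
  clientSecret: "<hcp-service-principal-client-secret>" # assumed placeholder
---
# How VSO authenticates to HCP. An HCPAuth named "default" in the operator
# namespace is used by any HCPVaultSecretsApp that does not set hcpAuthRef.
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default
  namespace: vault-secrets-operator-system
spec:
  organizationID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  # assumed placeholder
  projectID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx       # assumed placeholder
  servicePrincipal:
    secretRef: vso-sp
---
# Sync the HCP Vault Secrets app "vso-example" into Secret "vso-app-secret".
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: vso-example
  namespace: vso-example-ns
spec:
  appName: vso-example
  # hcpAuthRef is omitted on purpose so the default HCPAuth above is used.
  refreshAfter: 1h          # periodic re-sync interval from the HCP source
  destination:
    create: true            # VSO creates and owns vso-app-secret, so edits or
    name: vso-app-secret    # deletion of it are detected and remediated
  rolloutRestartTargets:    # assumed workload; restarted when the Secret changes
    - kind: Deployment
      name: vso-example
```

After `kubectl apply -f` on these manifests, confirm the sync with `kubectl get hcpvaultsecretsapp vso-example -n vso-example-ns` (the status reports the last sync) and `kubectl get secret vso-app-secret -n vso-example-ns`; each secret in the HVSA app becomes a key in the destination Secret. Because the service principal is a static credential, treat the `vso-sp` Secret and the operator namespace as sensitive and rotate the client secret in HCP if it is ever exposed.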
Tutorial
Refer to the HCP Vault Secrets with Vault Secrets Operator for Kubernetes tutorial to learn the end-to-end workflow using the Vault Secrets Operator.