Integrate External Secrets Operator with HashiCorp Vault in Tanzu Application Platform
This topic shows you how to integrate External Secrets Operator with HashiCorp Vault in Tanzu Application Platform.
The operator synchronizes secret data from external APIs to a Kubernetes secret resource. For more information about Kubernetes secret resources, see the Kubernetes documentation.
ImportantThis example integration is constructed to showcase the features available and must not be considered in a production environment.
Prerequisites
Before proceeding with this example, you must:
-
Install External Secrets Operator. For more information, see Install External Secrets Operator.
-
Install the Tanzu CLI. The Tanzu CLI includes the plug-in
external-secrets. For Tanzu CLI installation, see Tanzu CLI. -
Have a running instance of HashiCorp Vault. In this instance, there is a secret defined with the key
eso-demo/reg-cred.
Set up the integration
To set up the External Secrets Operator integration with HashiCorp Vault:
-
Create a
Secretwith the vault token. For example:VAULT_TOKEN="vault-token-value" cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: vault-token stringData: token: $VAULT_TOKEN EOF -
Create a
SecretStoreresource referencing thevault-tokensecret. For example:Caution
When creating the
SecretStore, ensure that you match the Vault KV secret engine version. This is eitherv1orv2. The default isv2. For more information, see Vault KV Secrets Engine documentation.VAULT_SERVER="http://my.vault.server:8200" VAULT_PATH="eso-demo" cat <<EOF | tanzu external-secrets store create -y -f - --- apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: vault-secret-store spec: provider: vault: server: $VAULT_SERVER path: $VAULT_PATH version: v2 auth: tokenSecretRef: name: "vault-token" # vault-token created in the previous step key: "token" EOFImportant
If you are using a secret store service with a custom CA certificate then you must provide this certificate to External Secret Operator directly by including the CA
SecretStoreorClusterSecretStoreresource.The Tanzu Application Platform distribution of External Secret Operator does not support the Tanzu Application Platform field
shared.ca_cert_data. For more information about setting the CA in the ESO configuration, see the ESO documentation. -
Verify that the status of the
SecretStoreresource isValidby running:tanzu external-secrets store listExample output:
NAMESPACE NAME PROVIDER STATUS default vault-secret-store Hashicorp Vault Valid -
Create an
ExternalSecretresource that uses theSecretStoreyou just created by running:cat <<EOF | tanzu external-secrets secret create -y -f - --- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: vault-secret-example spec: refreshInterval: 15m secretStoreRef: name: vault-secret-store kind: SecretStore target: name: registry-secret template: type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: "{{ .registryCred | toString }}" creationPolicy: Owner data: - secretKey: registryCred remoteRef: key: $VAULT_PATH/eso-demo property: reg-cred EOF -
Verify that the status of the
ExternalSecretresource isValidby running:tanzu external-secrets secret listExample output:
NAMESPACE NAME SECRET NAME STORE REFRESH INTERVAL STATUS LAST UPDATED LAST REFRESH default vault-secret-example registry-secret vault-secret-store 15m SecretSynced 21s 10m -
After the resource has reconciled, a Kubernetes
secretresource is created. Look for a secret namedregistry-secretcreated by the referencedExternalSecret. For example:kubectl get secrets registry-secret -o="jsonpath={.data.\.dockerconfigjson}" | base64 -D {"auths":{"my-registry.example:8200":{"username":"foo","password":"bar4","email":"[email protected]","auth":"Zm9vOmJhcjQ="}}}
