Create Kubernetes Secrets from HCP Vault Secrets with VSO
The Vault Secrets Operator is a Kubernetes operator that continuously fetches secrets from HCP Vault Secrets and creates native Kubernetes secrets. Kubernetes workloads and users do not need to update workflows to adopt HCP Vault Secrets.
The Vault Secrets Operator syncs the secrets between HCP Vault Secrets and the Kubernetes secrets in a specified namespace. Within that namespace, applications have access to the secrets but the secrets are still managed by HCP Vault Secrets.
Prerequisites
- An existing HCP account
- Completed the previous HCP Vault Secrets tutorials
- HCP service principal created at the org level with `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` available
- minikube installed
- Helm installed
Lab setup
To complete this tutorial, you must have information about your HCP Vault Secrets environment set as environment variables.
1. Verify you have HCP service principal credentials stored as environment variables from the Install HCP CLI for Vault Secrets tutorial.
2. Retrieve the HCP organization ID and project ID selected during the `hcp profile init` process.
3. Store the `organization_id` in an environment variable.
4. Store the `project_id` in an environment variable.
5. Store the `app` name in an environment variable.
6. Start minikube.
   minikube is used to provision and manage the lifecycle of a single-node Kubernetes cluster locally, so that you can follow the steps in this tutorial.
   The initialization process takes several minutes as it retrieves any necessary dependencies and starts the required container images.
7. Verify the status of the minikube cluster.
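The lab setup above assumes five values are exported before the cluster is touched. The following preflight check is an added example, not part of the HashiCorp tutorial: it reports which variables are missing and prints a summary without ever echoing the client secret. `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` are the names the tutorial uses; `HCP_ORGANIZATION_ID`, `HCP_PROJECT_ID` and `APP_NAME` are assumed names for the organization ID, project ID and app name you stored in the steps above.

```shell
#!/bin/sh
# Added preflight check (not HashiCorp's tutorial code). Assumed variable
# names: HCP_ORGANIZATION_ID, HCP_PROJECT_ID, APP_NAME.

# require_env NAME... : report every unset or empty variable on stderr,
# return 1 if any is missing, 0 otherwise.
require_env() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# mask VALUE : keep only the first four characters, so a summary can be
# pasted into a ticket or log without leaking the credential.
mask() {
  printf '%s****' "$(printf '%s' "$1" | cut -c1-4)"
}

# Summarise the lab setup and the cluster state. Never print the client
# secret; the operator reads it from a Kubernetes secret later on.
# Not run at load time: call lab_preflight after exporting the variables.
lab_preflight() {
  require_env HCP_CLIENT_ID HCP_CLIENT_SECRET \
              HCP_ORGANIZATION_ID HCP_PROJECT_ID APP_NAME || return 1
  echo "client id:  $(mask "$HCP_CLIENT_ID")"
  echo "org id:     $HCP_ORGANIZATION_ID"
  echo "project id: $HCP_PROJECT_ID"
  echo "app:        $APP_NAME"
  minikube status
}
```

Run `lab_preflight` once the variables are exported; a non-zero exit means at least one value is missing and the `kubectl` and `helm` steps that follow would fail with a less obvious error.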
Configure Kubernetes
Vault Secrets Operator is deployed using Helm to a Kubernetes environment. To use Vault Secrets Operator with HCP Vault Secrets, you must have version 3.1 or higher installed.
1. Add the HashiCorp Helm repository.
   Note: If you already have the HashiCorp Helm repository added, update the repository to ensure you have the latest version of the Vault Secrets Operator.
2. Install the Vault Secrets Operator.
   Example output:
3. Create a Kubernetes secret for the HCP service principal credentials.
   Example output:
4. Configure Vault Secrets Operator with the HCP organization and project ID.
   Example output:
5. List the available Kubernetes secrets.
   The only secret that exists is the secret for the HCP service principal.
6. Create a Kubernetes secret from the HCP Vault Secrets app WebApplication created in a previous tutorial. This includes every key/value pair in the HCP Vault Secrets application.
   Example output:
   For applications that do not support dynamically reloading rotated secrets, you can also include the `rolloutRestartTargets` parameter. This parameter provides the configuration required to perform a rollout-restart of the supported resources when the secret is rotated in HCP Vault Secrets.
7. List the available Kubernetes secrets.
   `web-application` is now listed.
8. Get the `web-application` secret.
   The `username` secret created in the Create a secret in HCP Vault Secrets tutorial is listed as a base64 encoded value.
9. Retrieve and decode the `username` secret.
   The value `db-user`, which was created in HCP Vault Secrets and synced to a Kubernetes secret using the Vault Secrets Operator, is displayed.

Your applications can now consume secrets natively in Kubernetes, such as by mounting the secret in a data volume or as an environment variable.
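The configuration steps above each apply a manifest whose contents were stripped from this page. The script below is an added example, not the tutorial's own code, that renders the two custom resources the operator needs, optionally with the `rolloutRestartTargets` parameter, applies them, and reads the synced `username` key back and decodes it. It assumes the operator is installed in the `vault-secrets-operator` namespace, that the service principal secret is named `vso-sp` in the `default` namespace, that the lab-setup variables are exported as `HCP_ORGANIZATION_ID`, `HCP_PROJECT_ID` and `APP_NAME`, and that the `HCPAuth` / `HCPVaultSecretsApp` fields under `secrets.hashicorp.com/v1beta1` match the operator version you run (check them against your installed CRDs).

```shell
#!/bin/sh
# Added example, not HashiCorp's tutorial code. Assumptions: operator in the
# vault-secrets-operator namespace, SP secret "vso-sp" in "default",
# variables HCP_ORGANIZATION_ID / HCP_PROJECT_ID / APP_NAME exported, and
# CRD field names matching the installed VSO version.

# render_hcp_auth ORG_ID PROJECT_ID [SP_SECRET]
# The manifest carries only IDs; the client ID/secret stay in the referenced
# Kubernetes secret, so the manifest itself is safe to commit.
render_hcp_auth() {
  org_id="$1"; project_id="$2"; sp_secret="${3:-vso-sp}"
  cat <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default
  namespace: default
spec:
  organizationID: ${org_id}
  projectID: ${project_id}
  servicePrincipal:
    secretRef: ${sp_secret}
EOF
}

# render_hvs_app APP_NAME K8S_SECRET [REFRESH] [DEPLOYMENT]
# With a 4th argument, the named Deployment is rollout-restarted whenever the
# synced secret changes (for workloads that cannot reload secrets at runtime).
render_hvs_app() {
  app_name="$1"; k8s_secret="$2"; refresh="${3:-1h}"; restart_deploy="${4:-}"
  cat <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: ${k8s_secret}
  namespace: default
spec:
  appName: ${app_name}
  hcpAuthRef: default
  refreshAfter: ${refresh}
  destination:
    create: true
    name: ${k8s_secret}
EOF
  if [ -n "$restart_deploy" ]; then
    cat <<EOF
  rolloutRestartTargets:
    - kind: Deployment
      name: ${restart_deploy}
EOF
  fi
}

# decode_b64 VALUE : decode one base64 field as returned by
# `kubectl get secret ... -o jsonpath='{.data.<key>}'`.
decode_b64() {
  printf '%s' "$1" | base64 -d
}

# vso_sync : create the SP secret idempotently, apply both resources, then
# read the username key back. Not run at load time; call it after the
# lab-setup variables are exported and the operator is installed.
vso_sync() {
  kubectl create secret generic vso-sp --namespace default \
    --from-literal=clientID="$HCP_CLIENT_ID" \
    --from-literal=clientSecret="$HCP_CLIENT_SECRET" \
    --dry-run=client -o yaml | kubectl apply -f -
  render_hcp_auth "$HCP_ORGANIZATION_ID" "$HCP_PROJECT_ID" vso-sp | kubectl apply -f -
  render_hvs_app "$APP_NAME" web-application 1h | kubectl apply -f -
  # The API stores data base64 encoded; decode it for a human check only.
  decode_b64 "$(kubectl get secret web-application --namespace default \
    -o jsonpath='{.data.username}')"
}
```

Rendering the manifests from functions keeps the service principal credentials out of any file you might commit, and makes the `rolloutRestartTargets` variant a one-argument change (`render_hvs_app "$APP_NAME" web-application 1h my-deployment`) rather than a second hand-edited YAML file.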