mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-12 09:37:02 +02:00
205680c077
* add docs for configuring jwt validation pubkeys for vso and update jwt auth docs to mention key rotation Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
66 lines
2.5 KiB
Plaintext
66 lines
2.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Secrets Operator Examples
|
|
description: >-
|
|
The Vault Secrets Operator allows Pods to consume Vault secrets natively from Kubernetes Secrets.
|
|
---
|
|
|
|
# Vault Secrets Operator examples
|
|
|
|
The Operator project provides the following examples:
|
|
- Sample use-cases are documented [here](https://github.com/hashicorp/vault-secrets-operator#samples)
|
|
- A Terraform based demo can be found [here](https://github.com/hashicorp/vault-secrets-operator/tree/main/demo)
|
|
|
|
## JWT auth for Kubernetes clusters in private networks
|
|
|
|
Vault Secrets Operator supports using the [JWT auth method](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigjwt).
|
|
JWT auth [verifies tokens](/vault/docs/auth/jwt#jwt-verification) using the issuer's public signing key.
|
|
Vault supports fetching this public key from the Kubernetes API, but if users can't expose the Kubernetes API to Vault, the public key can be provided directly using [`jwt_validation_pubkeys`](/vault/api-docs/auth/jwt#jwt_validation_pubkeys).
|
|
To configure this please follow the steps outlined for [Using JWT validation public keys](/vault/docs/auth/jwt/oidc-providers/kubernetes#using-jwt-validation-public-keys)
|
|
|
|
## Using VaultStaticSecrets for imagePullSecrets
|
|
|
|
Vault Secret Operator supports Kubernetes' templating of Secrets based on their
|
|
Secret [Type](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) by setting the
|
|
`Destination.Type` field of the VaultStaticSecret. Users who have configured private container registries
|
|
can use the `kubernetes.io/dockerconfigjson` or `kubernetes.io/dockerconfig` types to appropriately format
|
|
a Kubernetes secret with the contents of their Vault KV Secret.
|
|
|
|
```shell
|
|
# Write the secret to Vault:
|
|
$ vault kv put kvv2/docker/config .dockerconfigjson=`cat ~/.docker/config.json`
|
|
```
|
|
|
|
```yaml
|
|
# Apply a VaultStaticSecret which populates the k8s secret named 'myregistryKey' in the applications namespace
|
|
# Note: this Secret uses the `default` VaultAuthMethod.
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultStaticSecret
|
|
metadata:
|
|
namespace: awesomeapps
|
|
name: vault-kv-app
|
|
spec:
|
|
type: kv-v2
|
|
mount: kvv2
|
|
path: docker/config
|
|
# dest k8s secret
|
|
destination:
|
|
name: myregistryKey
|
|
create: true
|
|
type: "kubernetes.io/dockerconfigjson"
|
|
---
|
|
# Example pod from
|
|
# https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: foo
|
|
namespace: awesomeapps
|
|
spec:
|
|
containers:
|
|
- name: foo
|
|
image: janedoe/awesomeapp:v1
|
|
imagePullSecrets:
|
|
- name: myregistrykey
|
|
```
|