mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-23 07:31:09 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
69 lines
3.0 KiB
Plaintext
69 lines
3.0 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Secrets Operator examples
|
|
description: >-
|
|
Vault Secrets Operator usage examples to consume Vault secrets natively from Kubernetes Secrets.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Vault Secrets Operator examples
|
|
|
|
The Operator project provides the following examples:
|
|
- Sample use-cases are documented [here](https://github.com/hashicorp/vault-secrets-operator#samples)
|
|
- A Terraform based demo can be found [here](https://github.com/hashicorp/vault-secrets-operator/tree/main/demo)
|
|
|
|
## JWT auth for Kubernetes clusters in private networks
|
|
|
|
Vault Secrets Operator supports using the [JWT auth method](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigjwt).
|
|
JWT auth [verifies tokens](/vault/docs/auth/jwt#jwt-verification) using the issuer's public signing key.
|
|
Vault supports fetching this public key from the Kubernetes API, but if users can't expose the Kubernetes API to Vault, the public key can be provided directly using [`jwt_validation_pubkeys`](/vault/api-docs/auth/jwt#jwt_validation_pubkeys).
|
|
To configure this please follow the steps outlined for [Using JWT validation public keys](/vault/docs/auth/jwt/oidc-providers/kubernetes#using-jwt-validation-public-keys)
|
|
|
|
## Using VaultStaticSecrets for imagePullSecrets
|
|
|
|
Vault Secret Operator supports Kubernetes' templating of Secrets based on their
|
|
Secret [Type](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) by setting the
|
|
`Destination.Type` field of the VaultStaticSecret. Users who have configured private container registries
|
|
can use the `kubernetes.io/dockerconfigjson` or `kubernetes.io/dockerconfig` types to appropriately format
|
|
a Kubernetes secret with the contents of their Vault KV Secret.
|
|
|
|
```shell
|
|
# Write the secret to Vault:
|
|
$ vault kv put kvv2/docker/config .dockerconfigjson=`cat ~/.docker/config.json`
|
|
```
|
|
|
|
```yaml
|
|
# Apply a VaultStaticSecret which populates the k8s secret named 'myregistryKey' in the applications namespace
|
|
# Note: this Secret uses the `default` VaultAuthMethod.
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultStaticSecret
|
|
metadata:
|
|
namespace: awesomeapps
|
|
name: vault-kv-app
|
|
spec:
|
|
type: kv-v2
|
|
mount: kvv2
|
|
path: docker/config
|
|
# dest k8s secret
|
|
destination:
|
|
name: myregistryKey
|
|
create: true
|
|
type: "kubernetes.io/dockerconfigjson"
|
|
---
|
|
# Example pod from
|
|
# https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: foo
|
|
namespace: awesomeapps
|
|
spec:
|
|
containers:
|
|
- name: foo
|
|
image: janedoe/awesomeapp:v1
|
|
imagePullSecrets:
|
|
- name: myregistrykey
|
|
```
|