Hi, I’m trying to understand how to have an Operator instance get secrets from a remote Vault, running on a different K8s cluster.
- According to the documentation available, I have to set the Vault hostname on the property defaultVaultConnection.address on the Helm chart, but I can’t understand where I should store the token that grants access;
- We’re currently making tests with the root user; is there a way to create an unprivileged user and limit its access to a specific role in order to limit the secrets it can access, and how can I create it?
- We’re able to connect using Vault CLI and to get any secret available from remote; does Vault Operator consume the Vault APIs just like Vault CLI does? Can I expect that when Vault CLI works, Operator will work too?
Thanks in advance for advice
Thanks everybody, solved in 5 minutes by using External Secrets Operator; it works with 0 hassle, like a charm.
It was really like a fresh breath of air after about 2 weeks spent reading tons of incomprehensible pages of documentation and trying to make the examples work in vain because of the differences present in the latest versions.
Cheers!
Hey @Maulinuxops!
For Vault Secrets Operator, the Vault cluster definition can be defined using the Helm Chart values for a default connection.
defaultVaultConnection.enabled="true"
defaultVaultConnection.address="https://vault.example.com"
If you don’t want to set a default cluster at the operator level, you can specify individual clusters via the VaultConnection CRD. Then you can reference this cluster in the other CRDs.
From there, authentication is done through the VaultAuth CRD. On the Vault Server side of things, you will need to enable and configure an auth engine, typically either the kubernetes or jwt auth engines. You also need to set up a role on the engine, and assign it specific policies to access secrets. This is how the Operator will authenticate into Vault, in order to pull secrets and store them into Kubernetes secrets.
I recently built a local one-click (terraform apply) demo for the Vault Secrets Operator. Feel free to dig into the Terraform that sets up the demo environment.
If you want a more hands-on tutorial, rather than a one-click demo, be sure to check out the Vault Secrets Operator tutorial.
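The reply above describes the pieces (VaultConnection, VaultAuth, an auth engine with a role and a policy) without showing them. The script below is an added example, not code from either poster or from HashiCorp's demo; it shows the Vault-side setup for the kubernetes auth method when Vault runs outside the application cluster, a least-privilege policy in place of the root token, and the operator CRDs that reference them. All names (namespace app, service account default, KV v2 mount kvv2, path myapp/config, policy myapp-read, role myapp) and the Vault address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): wiring Vault Secrets Operator (VSO) in an
# application cluster to a Vault server that runs elsewhere, using the kubernetes
# auth method instead of the root token. Every name below is assumed.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://vault.example.com:8200}"  # assumed address
APP_NS="app";  APP_SA="default"
KV_MOUNT="kvv2";  SECRET_PATH="myapp/config"
AUTH_MOUNT="kubernetes";  ROLE="myapp";  POLICY="myapp-read"

# Least-privilege policy: the operator may only read this one KV v2 path
# (KV v2 data is addressed as <mount>/data/<path>).
render_policy() {
  cat <<EOF
path "${KV_MOUNT}/data/${SECRET_PATH}" {
  capabilities = ["read"]
}
EOF
}

# Vault-side setup, run once by an admin with VAULT_TOKEN exported.
# Because Vault is NOT in the application cluster, it needs that cluster's API
# server URL, CA, and a token-reviewer JWT (a token for a ServiceAccount bound to
# the system:auth-delegator ClusterRole) to validate the operator's tokens.
configure_vault() {
  k8s_host="$1"           # e.g. https://10.0.0.1:6443 (app cluster API server)
  k8s_ca_file="$2"        # app cluster CA certificate, PEM
  reviewer_jwt_file="$3"  # token-reviewer JWT issued by the app cluster

  vault auth enable -path="${AUTH_MOUNT}" kubernetes 2>/dev/null || true
  vault write "auth/${AUTH_MOUNT}/config" \
    kubernetes_host="${k8s_host}" \
    kubernetes_ca_cert=@"${k8s_ca_file}" \
    token_reviewer_jwt=@"${reviewer_jwt_file}"

  render_policy | vault policy write "${POLICY}" -

  # The role binds ONE service account in ONE namespace to ONE policy; the
  # audience must match the "audiences" list in the VaultAuth CRD below.
  vault write "auth/${AUTH_MOUNT}/role/${ROLE}" \
    bound_service_account_names="${APP_SA}" \
    bound_service_account_namespaces="${APP_NS}" \
    audience="vault" \
    policies="${POLICY}" \
    ttl="24h"
}

# Kubernetes-side CRDs (secrets.hashicorp.com/v1beta1) consumed by the operator.
render_manifests() {
  cat <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: vault-connection
  namespace: ${APP_NS}
spec:
  address: ${VAULT_ADDR}
  skipTLSVerify: false
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth
  namespace: ${APP_NS}
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: ${AUTH_MOUNT}
  kubernetes:
    role: ${ROLE}
    serviceAccount: ${APP_SA}
    audiences:
      - vault
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: myapp-config
  namespace: ${APP_NS}
spec:
  vaultAuthRef: vault-auth
  mount: ${KV_MOUNT}
  type: kv-v2
  path: ${SECRET_PATH}
  refreshAfter: 30s
  destination:
    create: true
    name: myapp-config
EOF
}

apply_manifests() { render_manifests | kubectl apply -f -; }

# Usage: ./vso-setup.sh configure <k8s_host> <ca.pem> <reviewer.jwt>
#        ./vso-setup.sh apply
case "${1:-}" in
  configure) configure_vault "$2" "$3" "$4" ;;
  apply)     apply_manifests ;;
  *)         : ;;   # no-op when run without arguments
esac
```

No long-lived token is stored anywhere on the Kubernetes side: the operator presents the projected service-account token of `default` in namespace `app`, Vault verifies it against the application cluster via the TokenReview API, and the returned Vault token carries only `myapp-read`. If Vault's certificate is signed by a private CA, reference it from the VaultConnection with `caCertSecretRef` rather than setting `skipTLSVerify: true`.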