Version: next
Prime feature only
This feature is only available with a Prime subscription. See plans or contact sales.

Retrieving Secrets from Vault

Applications running on spoke clusters can access Vault secrets stored in their team's dedicated secrets engine. An External Secrets Operator (ESO) SecretStore is deployed automatically in each application namespace and granted permission to read only from the team's Vault path.

To use it, create an ExternalSecret resource that references the provided SecretStore, which is named vault-backend.

For example, the following ExternalSecret named example-es, created by the team my-team, retrieves the secret kv/my-team/my-secret through the SecretStore vault-backend:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-es
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: example
    template:
      data:
        my-password: "{{ .password }}"
  data:
    - secretKey: password
      remoteRef:
        key: kv/my-team/my-secret
        property: password
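Because the SecretStore can only read below the team's own Vault path, a manifest that points elsewhere, uses a different store, or templates a key it never declared will fail only once ESO syncs it. The following pre-admission check is an added example, not code from the page or from ESO: it assumes the team path convention kv/<team>/ shown above and takes the manifest as an already-parsed dict (what yaml.safe_load would return).

```python
import re
from typing import Any

# The SecretStore the page says is provisioned in every application namespace.
STORE_NAME = "vault-backend"
STORE_KIND = "SecretStore"
# Matches placeholders such as "{{ .password }}" in target.template.data values.
TEMPLATE_REF = re.compile(r"\{\{\s*\.([A-Za-z0-9_-]+)\s*\}\}")

# Constructed sample: the page's ExternalSecret as yaml.safe_load would return it.
EXAMPLE_ES: dict[str, Any] = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "example-es"},
    "spec": {
        "refreshInterval": "15s",
        "secretStoreRef": {"name": "vault-backend", "kind": "SecretStore"},
        "target": {"name": "example",
                   "template": {"data": {"my-password": "{{ .password }}"}}},
        "data": [{"secretKey": "password",
                  "remoteRef": {"key": "kv/my-team/my-secret", "property": "password"}}],
    },
}


def check_external_secret(manifest: dict[str, Any], team: str) -> list[str]:
    """Return findings for an ExternalSecret; an empty list means it passes."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    # 1. The manifest must use the team-scoped store (ESO defaults kind to SecretStore).
    ref = spec.get("secretStoreRef", {})
    if ref.get("name") != STORE_NAME or ref.get("kind", STORE_KIND) != STORE_KIND:
        findings.append(f"secretStoreRef must point at {STORE_KIND}/{STORE_NAME}")
    # 2. Every remoteRef.key must lie below kv/<team>/, the only path the store can read.
    prefix = f"kv/{team}/"
    declared: set[str] = set()
    for entry in spec.get("data", []):
        key = entry.get("secretKey")
        remote = entry.get("remoteRef", {}).get("key", "")
        if key:
            declared.add(key)
        else:
            findings.append("data entry without secretKey")
        if not remote.startswith(prefix) or remote == prefix:
            findings.append(f"remoteRef.key {remote!r} is outside {prefix}")
    # 3. Every template placeholder must map to a declared secretKey.
    template = spec.get("target", {}).get("template", {}).get("data", {})
    for name, value in template.items():
        for placeholder in TEMPLATE_REF.findall(str(value)):
            if placeholder not in declared:
                findings.append(f"template key {name} references undeclared .{placeholder}")
    return findings
```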

Background

The SecretStore resource is created automatically by the following Kyverno policy: policy-add-vault-secretstore-with-kubernetes-auth.yaml.