Prime feature only
This feature is only available with a Prime subscription. See plans or contact sales.
Retrieving Secrets from OpenBao
Applications running on spoke clusters can read OpenBao secrets from their team’s dedicated secrets engine. An External Secrets Operator (ESO) SecretStore is automatically deployed in each application namespace and configured with permissions to read from the team’s OpenBao path.
To use it, create an ExternalSecret resource that references the provided SecretStore named openbao-backend.
For example, the following ExternalSecret example-es, created by the team my-team, retrieves the secret kv/my-team/my-secret via the SecretStore openbao-backend:
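apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-es
spec:
  refreshInterval: "15s"        # how often ESO re-reads the secret from OpenBao
  secretStoreRef:
    name: openbao-backend       # the SecretStore provided in the namespace
    kind: SecretStore
  target:
    name: example               # name of the Kubernetes Secret that ESO creates
    template:
      data:
        my-password: "{{ .password }}"   # key in the resulting Secret
  data:
    - secretKey: password       # name used inside the template above
      remoteRef:
        key: kv/my-team/my-secret   # path within the team's secrets engine
        property: password          # field of the OpenBao secret to read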
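A pre-apply check a team could run in CI on manifests like the one above, as an added example that is not part of the platform's own code: it confirms the ExternalSecret uses the openbao-backend SecretStore and that every remote key stays under the team's path. The kv/<team>/ layout is assumed from the example key, and check_external_secret is a hypothetical helper that takes the already-parsed manifest.

```python
STORE_NAME = "openbao-backend"  # SecretStore name given on this page
MOUNT = "kv"                    # assumption: mount name taken from the page's example key


def check_external_secret(manifest: dict, team: str) -> list[str]:
    """Return a list of problems; an empty list means the manifest is in scope."""
    if manifest.get("kind") != "ExternalSecret":
        return [f"kind is {manifest.get('kind')!r}, expected 'ExternalSecret'"]
    spec = manifest.get("spec") or {}
    problems = []
    ref = spec.get("secretStoreRef") or {}
    if ref.get("name") != STORE_NAME or ref.get("kind", "SecretStore") != "SecretStore":
        problems.append(f"secretStoreRef must be SecretStore/{STORE_NAME}")

    # Collect remote keys from spec.data[].remoteRef.key and spec.dataFrom[].extract.key.
    keys = []
    for i, d in enumerate(spec.get("data") or []):
        keys.append((f"data[{i}]", (d.get("remoteRef") or {}).get("key")))
    for i, d in enumerate(spec.get("dataFrom") or []):
        keys.append((f"dataFrom[{i}]", (d.get("extract") or {}).get("key")))
    if not keys:
        problems.append("no data or dataFrom entries")

    prefix = f"{MOUNT}/{team}/"
    for where, key in keys:
        if not key:
            problems.append(f"{where}: no remoteRef.key or extract.key to check")
        elif not key.startswith(prefix):
            problems.append(f"{where}: {key!r} is outside {prefix}")
        elif any(seg in ("", ".", "..") for seg in key.split("/")):
            problems.append(f"{where}: {key!r} has an empty or relative path segment")
    return problems


# Constructed sample: the page's example-es manifest as a parsed mapping.
EXAMPLE_ES = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "example-es"},
    "spec": {
        "secretStoreRef": {"name": "openbao-backend", "kind": "SecretStore"},
        "target": {"name": "example"},
        "data": [{"secretKey": "password",
                  "remoteRef": {"key": "kv/my-team/my-secret", "property": "password"}}],
    },
}

if __name__ == "__main__":
    print(check_external_secret(EXAMPLE_ES, "my-team"))
```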
Background
The SecretStore resource is automatically created by the following Kyverno policy: policy-add-vault-secretstore-with-kubernetes-auth.yaml.