HCP Vault Secrets with Vault Secrets Operator for Kubernetes
The Vault Secrets Operator is a Kubernetes operator that continuously fetches secrets from HCP Vault Secrets and creates native Kubernetes secrets. Kubernetes workloads and users do not need to update workflows to adopt HCP Vault Secrets.
The Vault Secrets Operator syncs secrets between HCP Vault Secrets and Kubernetes secrets in a specified namespace, enabling applications within that namespace to access these secrets, while HCP Vault Secrets retains management control.
https://portal.cloud.hashicorp.com/services/secrets
Prerequisites
- HCP Account: Ensure you have an existing HCP account.
- HCP Vault Secrets Setup: Complete the previous HCP Vault Secrets tutorials.
- Service Principal: An HCP service principal created at the organization level, with its HCP_CLIENT_ID and HCP_CLIENT_SECRET available.
- Minikube: Installed to create a local Kubernetes cluster.
- Helm: Installed for deploying the Vault Secrets Operator.
Lab Setup
- Set Environment Variables

  Ensure your HCP Vault Secrets environment details are set as environment variables.

  ```shell
  printf 'ID=%s\nSecret=%s\n' "$HCP_CLIENT_ID" "$HCP_CLIENT_SECRET"
  ```

  ```
  ID=FxqJRZabCd3fGh1jKaKVMybay3m
  Secret=HoaxKFvG8QenprS3asam3stQnJbSXWWM5ab3rt4F2qWXbja33rnie
  ```

- Retrieve HCP Organization ID and Project ID

  ```shell
  hcp profile display
  ```

  ```
  name = "default"
  organization_id = "ab35ef-8d87-4443-a8a8-s3asam3st"
  project_id = "ab35ef-d3f4-4fda-b245-s3asam3st"
  ```

- Set Environment Variables

  ```shell
  export HCP_ORG_ID=$(hcp profile display --format=json | jq -r .OrganizationID)
  export HCP_PROJECT_ID=$(hcp profile display --format=json | jq -r .ProjectID)
  export APP_NAME=$(hcp profile display --format=json | jq -r .VaultSecrets.AppName)
  ```

- Start Minikube

  Start Minikube to provision and manage the lifecycle of a single-node Kubernetes cluster locally.

  ```shell
  minikube start
  ```

- Verify Minikube Status

  ```shell
  minikube status
  ```
Configure Kubernetes
- Add the HashiCorp Helm Repository

  ```shell
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update hashicorp
  ```

- Install Vault Secrets Operator

  ```shell
  helm install vault-secrets-operator hashicorp/vault-secrets-operator \
    --namespace vault-secrets-operator-system \
    --create-namespace
  ```

  Expected Output:

  ```
  NAME: vault-secrets-operator
  LAST DEPLOYED: ...
  NAMESPACE: vault-secrets-operator-system
  STATUS: deployed
  REVISION: 1
  ```

- Create Kubernetes Secret for HCP Service Principal

  ```shell
  kubectl create secret generic vso-demo-sp \
    --namespace default \
    --from-literal=clientID=$HCP_CLIENT_ID \
    --from-literal=clientSecret=$HCP_CLIENT_SECRET
  ```

  Expected Output:

  ```
  secret/vso-demo-sp created
  ```

- Configure Vault Secrets Operator with HCP Organization and Project ID

  ```shell
  kubectl create -f - <<EOF
  ---
  apiVersion: secrets.hashicorp.com/v1beta1
  kind: HCPAuth
  metadata:
    name: default
    namespace: vault-secrets-operator-system
  spec:
    organizationID: $HCP_ORG_ID
    projectID: $HCP_PROJECT_ID
    servicePrincipal:
      secretRef: vso-demo-sp
  EOF
  ```

  Expected Output:

  ```
  hcpauth.secrets.hashicorp.com/default created
  ```
Creating Secrets
- Verify Available Kubernetes Secrets

  ```shell
  kubectl get secrets
  ```

- Create Kubernetes Secret from HCP Vault Secret

  ```shell
  kubectl create -f - <<EOF
  apiVersion: secrets.hashicorp.com/v1beta1
  kind: HCPVaultSecretsApp
  metadata:
    name: web-application
    namespace: default
  spec:
    appName: $APP_NAME
    destination:
      create: true
      labels:
        hvs: "true"
      name: web-application
    refreshAfter: 1h
  EOF
  ```

  Expected Output:

  ```
  hcpvaultsecretsapp.secrets.hashicorp.com/web-application created
  ```

- Verify Created Secrets

  ```shell
  kubectl get secrets
  ```

- Retrieve and Decode Secret

  ```shell
  kubectl get secrets web-application -o jsonpath='{.data.username}' | base64 --decode
  ```

  Output:

  ```
  db-user
  ```
Your applications can now consume these secrets natively in Kubernetes by mounting the secret in a data volume or as an environment variable.
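As an added example (not part of the original tutorial), here is a Pod that consumes the synced `web-application` secret in both of the ways just mentioned; the container image is a placeholder, and only the `username` key is known from this page:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-application
  namespace: default
spec:
  containers:
    - name: app
      image: nginx:1.27   # placeholder; substitute your application image
      env:
        # Injected once at container start: a value rewritten by the operator
        # on its next sync (refreshAfter: 1h) is not seen until the Pod restarts.
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: web-application   # Secret created by the HCPVaultSecretsApp
              key: username           # the key decoded in the step above
      volumeMounts:
        # Each key becomes a file under /etc/hvs. The kubelet refreshes these
        # files after the operator updates the Secret (not when mounted with
        # subPath), so reading them at request time picks up rotated values.
        - name: hvs-secrets
          mountPath: /etc/hvs
          readOnly: true
  volumes:
    - name: hvs-secrets
      secret:
        secretName: web-application
```

After `kubectl apply -f` on this manifest, `kubectl exec web-application -- cat /etc/hvs/username` returns the same `db-user` value as the decode step above.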