HashiCorp Cloud Platform
Integrate with Kubernetes
HCP Vault Secrets allows users to automatically synchronize application secrets to a Kubernetes secret using the Vault Secrets Operator (VSO). This guide walks you through the configuration process.
Prerequisites:
- An Admin role in an HCP Project
- An HCP Vault Secrets application and secret(s)
- An HCP Service Principal and keys
- Helm installed
Configuration
Add the HashiCorp Helm repository.
$ helm repo add hashicorp https://helm.releases.hashicorp.com
Install the Vault Secrets Operator.
$ helm install vault-secrets-operator hashicorp/vault-secrets-operator \
    --namespace vault-secrets-operator-system \
    --create-namespace
Create a Kubernetes secret for the HCP service principal credentials, replacing the placeholders with the service principal's client ID and client secret.
$ kubectl create secret generic vso-demo-sp \
    --namespace default \
    --from-literal=clientID=HCP-SERVICE-PRINCIPAL-CLIENT-ID \
    --from-literal=clientSecret=HCP-SERVICE-PRINCIPAL-SECRET
Configure Vault Secrets Operator with the HCP organization and project ID.
$ kubectl create -f - <<EOF
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPAuth
metadata:
  name: default
  namespace: vault-secrets-operator-system
spec:
  organizationID: HCP-ORG-ID
  projectID: HCP-PROJECT-ID
  servicePrincipal:
    secretRef: vso-demo-sp
EOF
Create a Kubernetes secret using the secrets.hashicorp.com/v1beta1 API.
$ kubectl create -f - <<EOF
apiVersion: secrets.hashicorp.com/v1beta1
kind: HCPVaultSecretsApp
metadata:
  name: hcp-vault-secrets-application-name
  namespace: default
spec:
  appName: $APP_NAME
  destination:
    create: true
    labels:
      hvs: "true"
    name: hcp-vault-secrets-application-name
  refreshAfter: 1h
EOF
The secrets in the specified application will be synchronized to a Kubernetes secret.
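The service principal step above passes the credentials with --from-literal, which leaves them in shell history and in the kubectl process arguments. The following is an added example, not part of the original guide: it renders the same vso-demo-sp secret from environment variables and pipes it to kubectl. The variable names HCP_CLIENT_ID and HCP_CLIENT_SECRET and both function names are assumptions.

```shell
# Added example (not from the original guide). Assumed names: the environment
# variables HCP_CLIENT_ID / HCP_CLIENT_SECRET and both function names.

# Print a Secret manifest equivalent to the vso-demo-sp secret in this guide.
render_sp_secret() {
  sp_name="${1:-vso-demo-sp}"
  sp_namespace="${2:-default}"
  nl='
'
  if [ -z "${HCP_CLIENT_ID:-}" ] || [ -z "${HCP_CLIENT_SECRET:-}" ]; then
    echo "HCP_CLIENT_ID and HCP_CLIENT_SECRET must be set" >&2
    return 1
  fi
  # Reject the guide's placeholder text and stray newlines from copy/paste.
  case "$HCP_CLIENT_ID$HCP_CLIENT_SECRET" in
    *HCP-SERVICE-PRINCIPAL-*|*"$nl"*)
      echo "credentials look like a placeholder or contain a newline" >&2
      return 1 ;;
  esac
  # printf is a shell builtin, so the values travel through a pipe and
  # never appear in a process argument list.
  id_b64=$(printf '%s' "$HCP_CLIENT_ID" | base64 | tr -d '\n')
  secret_b64=$(printf '%s' "$HCP_CLIENT_SECRET" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $sp_name
  namespace: $sp_namespace
type: Opaque
data:
  clientID: $id_b64
  clientSecret: $secret_b64
EOF
}

# Render first, so a validation failure never reaches kubectl.
create_sp_secret() {
  manifest=$(render_sp_secret "$@") || return 1
  printf '%s\n' "$manifest" | kubectl create -f -
}

# Usage: read the values into this shell without echoing the secret, then create.
#   read -r HCP_CLIENT_ID; stty -echo; read -r HCP_CLIENT_SECRET; stty echo
#   create_sp_secret vso-demo-sp default
```

The values in the manifest are base64-encoded, not encrypted, so the rendered output should go straight to kubectl rather than to a file or a log.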