# Vault Dynamic Secret
The `VaultDynamicSecret` Generator provides an interface to HashiCorp Vault's secrets engines. Specifically, it enables obtaining dynamic secrets not covered by the HashiCorp Vault provider.

Any Vault authentication method supported by the provider can be used here (the `provider` block of the spec).

All secrets engines should be supported by providing matching `path`, `method` and `parameters` values in the Generator spec (see the example below). The exact output keys and values depend on the Vault secrets engine used; nested values are stored in the resulting Secret in JSON format.
## Example manifest
```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: "pki-example"
spec:
  path: "/pki/issue/example-dot-com"
  method: "POST"
  parameters:
    common_name: "localhost"
    ip_sans: "127.0.0.1,127.0.0.11"
  provider:
    server: "http://vault.default.svc.cluster.local:8200"
    auth:
      kubernetes:
        mountPath: "kubernetes"
        role: "external-secrets-operator"
        serviceAccountRef:
          name: "default"
```
Example `ExternalSecret` that references the Vault generator:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "pki-example-com"
spec:
  refreshInterval: "768h"
  target:
    name: pki-example-com
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: VaultDynamicSecret
        name: "pki-example"
```
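An added check for the pair of manifests above (example code, not part of the External Secrets docs or code base): it decodes a constructed sample of the Secret the generator would produce, parsing the JSON-encoded nested `ca_chain` value as the docs describe, and compares the ExternalSecret's `refreshInterval` against the issued certificate's expiration so that a refresh scheduled after expiry is caught. The key names and the 720h certificate lifetime are assumptions modelled on Vault's PKI issue response.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample of the Secret the generator above could produce. The key
# names follow Vault's PKI issue response (an assumption for this example);
# the nested ca_chain list is stored as a JSON string, as the docs describe.
ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
CERT_LIFETIME = timedelta(hours=720)  # assumed PKI role TTL for the sample
SAMPLE_SECRET = {
    "metadata": {"name": "pki-example-com"},
    "data": {
        "certificate": _b64("-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----"),
        "private_key": _b64("-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----"),
        "serial_number": _b64("0a:1b:2c"),
        "ca_chain": _b64(json.dumps(["-----BEGIN CERTIFICATE-----\n(ca)\n-----END CERTIFICATE-----"])),
        "expiration": _b64(str(int((ISSUED_AT + CERT_LIFETIME).timestamp()))),
    },
}

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

def parse_duration(spec: str) -> timedelta:
    """Parse a Go-style duration such as "768h" or "1h30m" (refreshInterval format)."""
    parts = re.findall(r"(\d+)([hms])", spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"unsupported duration: {spec!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))

def decode_secret(secret: dict) -> dict:
    """Base64-decode each value; nested lists/objects come back as JSON, so parse those."""
    out = {}
    for key, value in secret["data"].items():
        text = base64.b64decode(value).decode()
        out[key] = json.loads(text) if text[:1] in ("[", "{") else text
    return out

def refresh_margin(secret: dict, refresh_interval: str, issued_at: datetime) -> timedelta:
    """Certificate lifetime remaining at the next scheduled refresh. A negative
    result means the ExternalSecret would hold an expired certificate before rotating."""
    data = decode_secret(secret)
    expires = datetime.fromtimestamp(int(data["expiration"]), tz=timezone.utc)
    return expires - (issued_at + parse_duration(refresh_interval))
```

With the sample's 720h lifetime, the manifest's `768h` refresh interval yields a negative margin of 48h, so the interval must be shortened or the PKI role TTL raised.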