@@ -3070,16 +3070,17 @@ You must have <a href="https://kubernetes.io/docs/tasks/configure-pod-container/
</code></pre></div>
<strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretRef</code> with the namespace where the secret resides.</p>
<h3 id="pushsecret">PushSecret</h3>
-<p>Vault supports PushSecret features which allow you to sync a given kubernetes secret key into a hashicorp vault secret. In order to do so, it is expected that the secret key is a valid JSON object.</p>
-<p>In order to use PushSecret, you need to give <code>create</code>, <code>read</code> and <code>update</code> permissions to the path where you want to push secrets to for both <code>data</code> and <code>metadata</code> of the secret. Use it with care!</p>
-<p>Here is an example on how to set it up:
+<p>Vault supports PushSecret features which allow you to sync a given Kubernetes secret key into a Hashicorp vault secret. To do so, it is expected that the secret key is a valid JSON object or that the <code>property</code> attribute has been specified under the <code>remoteRef</code>.
+To use PushSecret, you need to give <code>create</code>, <code>read</code> and <code>update</code> permissions to the path where you want to push secrets for both <code>data</code> and <code>metadata</code> of the secret. Use it with care!</p>
+<p>Here is an example of how to set up <code>PushSecret</code>:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-secret</span>
<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
<span class="nt">stringData</span><span class="p">:</span>
-<span class="w"> </span><span class="nt">source-key</span><span class="p">:</span><span class="w"> </span><span class="s">"{\"foo\":\"bar\"}"</span><span class="w"> </span><span class="c1"># Needs to be a JSON</span>
+<span class="w"> </span><span class="nt">source-key1</span><span class="p">:</span><span class="w"> </span><span class="s">"{\"foo\":\"bar\"}"</span><span class="w"> </span><span class="c1"># Needs to be a JSON</span>
+<span class="w"> </span><span class="nt">source-key2</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bar</span><span class="w"> </span><span class="c1"># Could be a plain string</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
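Review bot: the merged paragraph in this hunk (`+<p>Vault supports PushSecret features ...` through `... Use it with care!</p>`) collapses what were two separate `<p>` elements into one, so the permissions sentence now runs straight on from the JSON/`property` sentence with no paragraph break in the rendered page; either close `</p>` after `remoteRef</code>.` and open a new `<p>` for "To use PushSecret, ...", or keep the two paragraphs as they were. While here, "Hashicorp vault" should read "HashiCorp Vault", and "Use it with care!" would be more useful if it said what care means: scope the Vault policy that grants `create`, `read` and `update` to exactly the `data` and `metadata` paths the PushSecret writes to, since those permissions let the controller overwrite whatever already exists at `remoteKey`.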
@@ -3087,19 +3088,25 @@ You must have <a href="https://kubernetes.io/docs/tasks/configure-pod-container/
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span>
<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
<span class="nt">spec</span><span class="p">:</span>
-<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
-<span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span>
+<span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-secretstore</span>
<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-secret</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-secret</span>
<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
-<span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-key</span><span class="w"> </span><span class="c1"># Source Kubernetes secret key containing the vault secret (in JSON format)</span>
-<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
-<span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault/secret</span><span class="w"> </span><span class="c1"># path to vault secret. This path is appended with the vault-store path.</span>
-</code></pre></div></p>
+<span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-key1</span>
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault/secret1</span>
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-key2</span>
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault/secret2</span>
+<span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">foo</span>
+</code></pre></div>
+<p>Note that in this example, we are generating two secrets in the target vault with the same structure but using different input formats.</p>
<h3 id="vault-enterprise">Vault Enterprise</h3>
<h4 id="eventual-consistency-and-performance-standby-nodes">Eventual Consistency and Performance Standby Nodes</h4>
<p>When using Vault Enterprise with <a href="https://www.vaultproject.io/docs/enterprise/consistency#performance-standby-nodes">performance standby nodes</a>,
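Review bot: the `+` lines in this hunk drop the inline comments that documented the YAML fields (`# Refresh interval for which push secret will reconcile`, `# Source Kubernetes secret to be pushed`, and especially `# path to vault secret. This path is appended with the vault-store path.` on `remoteKey`), and nothing in the new text carries that information, so a reader no longer learns that `remoteKey` is relative to the store's configured path; please keep those comments on the new `refreshInterval`, `secretStoreRefs`, `name` and `remoteKey` lines. The second `match` entry would also benefit from a comment on `property: foo` saying that the plain string in `source-key2` is written under the key `foo`, which is what makes the two resulting Vault secrets have the same structure as the closing paragraph claims. The move of `</p>` from after `</code></pre></div>` to the end of the introductory sentence is a good fix, since the old markup had a `<p>` wrapping the `<div>`.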