Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Improve Hashicorp Vault PushSecret documentation (#2679)

Signed-off-by: Joan Miquel Luque Oliver <joan.luque@dynatrace.com>
Joan Miquel Luque 2 years ago
parent
e85b76f1d3
commit
bb26bf8ff3
2 changed files with 19 additions and 10 deletions
Unified View Show Diff Stats
  1. 6 3
      docs/provider/hashicorp-vault.md
  2. 13 7
      docs/snippets/vault-pushsecret.yaml

+ 6 - 3
docs/provider/hashicorp-vault.md
View File 

@@ -396,15 +396,18 @@ This approach assumes that appropriate IRSA setup is done controller's pod (i.e.
 
 **NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
 
 **NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
 
 
 
 ### PushSecret
 
 ### PushSecret
 
-Vault supports PushSecret features which allow you to sync a given kubernetes secret key into a hashicorp vault secret. In order to do so, it is expected that the secret key is a valid JSON object.
 
 
 
-In order to use PushSecret, you need to give `create`, `read` and `update` permissions to the path where you want to push secrets to for both `data` and `metadata` of the secret. Use it with care!
 
+Vault supports PushSecret features which allow you to sync a given Kubernetes secret key into a Hashicorp vault secret. To do so, it is expected that the secret key is a valid JSON object or that the `property` attribute has been specified under the `remoteRef`.
 
+To use PushSecret, you need to give `create`, `read` and `update` permissions to the path where you want to push secrets for both `data` and `metadata` of the secret. Use it with care!
 
+
 
+Here is an example of how to set up `PushSecret`:
 
 
 
-Here is an example on how to set it up:
 
 ```yaml
 
 ```yaml
 
 {% include 'vault-pushsecret.yaml' %}
 
 {% include 'vault-pushsecret.yaml' %}
 
 ```
 
 ```
 
 
 
+Note that in this example, we are generating two secrets in the target vault with the same structure but using different input formats.
 
+
 
 ### Vault Enterprise
 
 ### Vault Enterprise
 
 
 
 #### Eventual Consistency and Performance Standby Nodes
 
 #### Eventual Consistency and Performance Standby Nodes

+ 13 - 7
docs/snippets/vault-pushsecret.yaml
View File 

@@ -4,7 +4,8 @@ metadata:
 
   name: source-secret
 
   name: source-secret
 
   namespace: default
 
   namespace: default
 
 stringData:
 
 stringData:
 
-  source-key: "{\"foo\":\"bar\"}" # Needs to be a JSON
 
+  source-key1: "{\"foo\":\"bar\"}" # Needs to be a JSON
 
+  source-key2: bar  # Could be a plain string
 
 ---
 
 ---
 
 apiVersion: external-secrets.io/v1alpha1
 
 apiVersion: external-secrets.io/v1alpha1
 
 kind: PushSecret
 
 kind: PushSecret
 
@@ -12,15 +13,20 @@ metadata:
 
   name: pushsecret-example
 
   name: pushsecret-example
 
   namespace: default
 
   namespace: default
 
 spec:
 
 spec:
 
-  refreshInterval: 10s # Refresh interval for which push secret will reconcile
 
-  secretStoreRefs: # A list of secret stores to push secrets to
 
+  refreshInterval: 10s
 
+  secretStoreRefs:
 
     - name: vault-secretstore
 
     - name: vault-secretstore
 
       kind: SecretStore
 
       kind: SecretStore
 
   selector:
 
   selector:
 
     secret:
 
     secret:
 
-      name: source-secret # Source Kubernetes secret to be pushed
 
+      name: source-secret
 
   data:
 
   data:
 
     - match:
 
     - match:
 
-        secretKey: source-key # Source Kubernetes secret key containing the vault secret (in JSON format)
 
-        remoteRef:
 
-          remoteKey: vault/secret # path to vault secret. This path is appended with the vault-store path.
 
+      secretKey: source-key1
 
+      remoteRef:
 
+        remoteKey: vault/secret1
 
+    - match:
 
+      secretKey: source-key2
 
+      remoteRef:
 
+        remoteKey: vault/secret2
 
+        property: foo