
deploy: ab51970242521c6a7fb10ab2f236505bf56ac249

paul-the-alien[bot] hace 5 años
padre
commit
fe4d4805b2

+ 45 - 3
api-secretstore/index.html

@@ -661,12 +661,13 @@ The SecretStore maps to exactly one instance of an external API.</p>
 <span class="nt">spec</span><span class="p">:</span>
 
   <span class="c1"># Used to select the correct ESO controller (think: ingress.ingressClassName)</span>
-  <span class="c1"># The ESO controller is instantiated with a specific controller name and filters ES based on this property</span>
+  <span class="c1"># The ESO controller is instantiated with a specific controller name</span>
+  <span class="c1"># and filters ES based on this property</span>
   <span class="c1"># Optional</span>
   <span class="nt">controller</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev</span>
 
-  <span class="c1"># provider field contains the configuration to access the provider which contains the secret</span>
-  <span class="c1"># exactly one provider must be configured.</span>
+  <span class="c1"># provider field contains the configuration to access the provider</span>
+  <span class="c1"># which contains the secret exactly one provider must be configured.</span>
   <span class="nt">provider</span><span class="p">:</span>
 
     <span class="c1"># (1): AWS Secrets Manager</span>
@@ -688,6 +689,47 @@ The SecretStore maps to exactly one instance of an external API.</p>
             <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
             <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret-access-key</span>
 
+    <span class="nt">vault</span><span class="p">:</span>
+      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
+      <span class="c1"># Path is the mount path of the Vault KV backend endpoint</span>
+      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
+      <span class="c1"># Version is the Vault KV secret engine version.</span>
+      <span class="c1"># This can be either &quot;v1&quot; or &quot;v2&quot;, defaults to &quot;v2&quot;</span>
+      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
+      <span class="c1"># vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces</span>
+      <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;a-team&quot;</span>
+      <span class="nt">caBundle</span><span class="p">:</span> <span class="s">&quot;...&quot;</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="c1"># static token: https://www.vaultproject.io/docs/auth/token</span>
+        <span class="nt">tokenSecretRef</span><span class="p">:</span>
+          <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+          <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+          <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault-token&quot;</span>
+
+        <span class="c1"># AppRole auth: https://www.vaultproject.io/docs/auth/approle</span>
+        <span class="nt">appRole</span><span class="p">:</span>
+          <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;approle&quot;</span>
+          <span class="nt">roleId</span><span class="p">:</span> <span class="s">&quot;db02de05-fa39-4855-059b-67221c5c2f63&quot;</span>
+          <span class="nt">secretRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault-token&quot;</span>
+
+        <span class="c1"># Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes</span>
+        <span class="nt">kubernetes</span><span class="p">:</span>
+          <span class="nt">mountPath</span><span class="p">:</span> <span class="s">&quot;kubernetes&quot;</span>
+          <span class="nt">role</span><span class="p">:</span> <span class="s">&quot;demo&quot;</span>
+          <span class="c1"># Optional service account reference</span>
+          <span class="nt">serviceAccountRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-sa&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+          <span class="c1"># Optional secret field containing a Kubernetes ServiceAccount JWT</span>
+          <span class="c1"># used for authenticating with Vault</span>
+          <span class="nt">secretRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault&quot;</span>
+
     <span class="c1"># (TODO): add more provider examples here</span>
 
 <span class="nt">status</span><span class="p">:</span>

BIN
pictures/diagrams-provider-vault.png


La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 0 - 0
pictures/diagrams.drawio


+ 243 - 6
provider-hashicorp-vault/index.html

@@ -77,6 +77,10 @@
     <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
     <label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
     
+      <a href="#hashicorp-vault" tabindex="1" class="md-skip">
+        Skip to content
+      </a>
+    
     
       <header class="md-header" data-md-component="header">
   <nav class="md-header-nav md-grid">
@@ -525,10 +529,77 @@
     <input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
     
     
+      <label class="md-nav__link md-nav__link--active" for="__toc">
+        HashiCorp Vault
+      </label>
+    
     <a href="./" title="HashiCorp Vault" class="md-nav__link md-nav__link--active">
       HashiCorp Vault
     </a>
     
+      
+<nav class="md-nav md-nav--secondary">
+  
+  
+  
+    <label class="md-nav__title" for="__toc">Table of contents</label>
+    <ul class="md-nav__list" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#hashicorp-vault" class="md-nav__link">
+    Hashicorp Vault
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#authentication" class="md-nav__link">
+    Authentication
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#token-based-authentication" class="md-nav__link">
+    Token-based authentication
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#approle-authentication-example" class="md-nav__link">
+    AppRole authentication example
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#kubernetes-authentication" class="md-nav__link">
+    Kubernetes authentication
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+      
+      
+      
+      
+    </ul>
+  
+</nav>
+    
   </li>
 
         
@@ -640,6 +711,75 @@
               </div>
             
             
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+<nav class="md-nav md-nav--secondary">
+  
+  
+  
+    <label class="md-nav__title" for="__toc">Table of contents</label>
+    <ul class="md-nav__list" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#hashicorp-vault" class="md-nav__link">
+    Hashicorp Vault
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#authentication" class="md-nav__link">
+    Authentication
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#token-based-authentication" class="md-nav__link">
+    Token-based authentication
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#approle-authentication-example" class="md-nav__link">
+    AppRole authentication example
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#kubernetes-authentication" class="md-nav__link">
+    Kubernetes authentication
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+      
+      
+      
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
           
           <div class="md-content">
             <article class="md-content__inner md-typeset">
@@ -650,12 +790,109 @@
                 
                   <h1>HashiCorp Vault</h1>
                 
-                <div class="admonition bug">
-<p class="admonition-title">Not implemented</p>
-<p>This is currently <strong>not yet</strong> implemented. Feel free
-to contribute. Please see <a href="https://github.com/external-secrets/external-secrets/issues/21">issue#21</a>
-for futher information.</p>
-</div>
+                <p><img alt="HCP Vault" src="../pictures/diagrams-provider-vault.png" /></p>
+<h2 id="hashicorp-vault">Hashicorp Vault</h2>
+<p>External Secrets Operator integrates with <a href="https://www.vaultproject.io/">HashiCorp Vault</a> for secret
+management. Vault itself implements lots of different secret engines, as of now we only support the
+<a href="https://www.vaultproject.io/docs/secrets/kv">KV Secrets Engine</a>.</p>
+<h3 id="authentication">Authentication</h3>
+<p>We support three different modes for authentication:
+<a href="https://www.vaultproject.io/docs/auth/token">token-based</a>,
+<a href="https://www.vaultproject.io/docs/auth/approle">appRole</a> and
+<a href="https://www.vaultproject.io/docs/auth/kubernetes">kubernetes-native</a>, each one comes with it's own
+trade-offs. Depending on the authentication method you need to adapt your environment.</p>
+<h4 id="token-based-authentication">Token-based authentication</h4>
+<p>A static token is stored in a <code>Kind=Secret</code> and is used to authenticate with vault.</p>
+<div class="highlight"><pre><span></span><span class="nt">apiVerson</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">vault</span><span class="p">:</span>
+      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
+      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
+      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="c1"># points to a secret that contains a vault token</span>
+        <span class="c1"># https://www.vaultproject.io/docs/auth/token</span>
+        <span class="nt">tokenSecretRef</span><span class="p">:</span>
+          <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+          <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+          <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault-token&quot;</span>
+</pre></div>
+
+<h4 id="approle-authentication-example">AppRole authentication example</h4>
+<p><a href="https://www.vaultproject.io/docs/auth/approle">AppRole authentication</a> reads the secret id from a
+<code>Kind=Secret</code> and uses the specified <code>roleId</code> to aquire a temporary token to fetch secrets.</p>
+<div class="highlight"><pre><span></span><span class="nt">apiVerson</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">vault</span><span class="p">:</span>
+      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
+      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
+      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="c1"># VaultAppRole authenticates with Vault using the</span>
+        <span class="c1"># App Role auth mechanism</span>
+        <span class="c1"># https://www.vaultproject.io/docs/auth/approle</span>
+        <span class="nt">appRole</span><span class="p">:</span>
+          <span class="c1"># Path where the App Role authentication backend is mounted</span>
+          <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;approle&quot;</span>
+          <span class="c1"># RoleID configured in the App Role authentication backend</span>
+          <span class="nt">roleId</span><span class="p">:</span> <span class="s">&quot;db02de05-fa39-4855-059b-67221c5c2f63&quot;</span>
+          <span class="nt">secretRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault-token&quot;</span>
+</pre></div>
+
+<h4 id="kubernetes-authentication">Kubernetes authentication</h4>
+<p><a href="https://www.vaultproject.io/docs/auth/kubernetes">Kubernetes-native authentication</a> has three
+options of optaining credentials for vault:</p>
+<ol>
+<li>by using a service account jwt referenced in <code>serviceAccountRef</code></li>
+<li>by using the jwt from a <code>Kind=Secret</code> referenced by the <code>secretRef</code></li>
+<li>by using transient credentials from the mounted service account token within the
+    external-secrets operator</li>
+</ol>
+<div class="highlight"><pre><span></span><span class="nt">apiVerson</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">vault</span><span class="p">:</span>
+      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
+      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
+      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="c1"># Authenticate against Vault using a Kubernetes ServiceAccount</span>
+        <span class="c1"># token stored in a Secret.</span>
+        <span class="c1"># https://www.vaultproject.io/docs/auth/kubernetes</span>
+        <span class="nt">kubernetes</span><span class="p">:</span>
+          <span class="c1"># Path where the Kubernetes authentication backend is mounted in Vault</span>
+          <span class="nt">mountPath</span><span class="p">:</span> <span class="s">&quot;kubernetes&quot;</span>
+          <span class="c1"># A required field containing the Vault Role to assume.</span>
+          <span class="nt">role</span><span class="p">:</span> <span class="s">&quot;demo&quot;</span>
+          <span class="c1"># Optional service account field containing the name</span>
+          <span class="c1"># of a kubernetes ServiceAccount</span>
+          <span class="nt">serviceAccountRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-sa&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+          <span class="c1"># Optional secret field containing a Kubernetes ServiceAccount JWT</span>
+          <span class="c1">#  used for authenticating with Vault</span>
+          <span class="nt">secretRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
+            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault&quot;</span>
+</pre></div>
                 
                   
                 

La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 0 - 0
search/search_index.json


+ 19 - 19
sitemap.xml

@@ -2,97 +2,97 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
     <url>
      <loc>None</loc>
-     <lastmod>2021-05-12</lastmod>
+     <lastmod>2021-05-13</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>

BIN
sitemap.xml.gz


+ 45 - 3
snippets/full-secret-store.yaml

@@ -6,12 +6,13 @@ metadata:
 spec:
 
   # Used to select the correct ESO controller (think: ingress.ingressClassName)
-  # The ESO controller is instantiated with a specific controller name and filters ES based on this property
+  # The ESO controller is instantiated with a specific controller name
+  # and filters ES based on this property
   # Optional
   controller: dev
 
-  # provider field contains the configuration to access the provider which contains the secret
-  # exactly one provider must be configured.
+  # provider field contains the configuration to access the provider
+  # which contains the secret exactly one provider must be configured.
   provider:
 
     # (1): AWS Secrets Manager
@@ -33,6 +34,47 @@ spec:
             name: awssm-secret
             key: secret-access-key
 
+    vault:
+      server: "https://vault.acme.org"
+      # Path is the mount path of the Vault KV backend endpoint
+      path: "secret"
+      # Version is the Vault KV secret engine version.
+      # This can be either "v1" or "v2", defaults to "v2"
+      version: "v2"
+      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
+      namespace: "a-team"
+      caBundle: "..."
+      auth:
+        # static token: https://www.vaultproject.io/docs/auth/token
+        tokenSecretRef:
+          name: "my-secret"
+          namespace: "secret-admin"
+          key: "vault-token"
+
+        # AppRole auth: https://www.vaultproject.io/docs/auth/approle
+        appRole:
+          path: "approle"
+          roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "vault-token"
+
+        # Kubernetes auth: https://www.vaultproject.io/docs/auth/kubernetes
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "demo"
+          # Optional service account reference
+          serviceAccountRef:
+            name: "my-sa"
+            namespace: "secret-admin"
+          # Optional secret field containing a Kubernetes ServiceAccount JWT
+          # used for authenticating with Vault
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "vault"
+
     # (TODO): add more provider examples here
 
 status:
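Review bot: The new `auth:` block lists `tokenSecretRef`, `appRole` and `kubernetes` side by side with no comment saying they are alternatives, so a reader copying this reference manifest ends up with three credentials configured at once. I would add `# exactly one auth method must be configured` above `tokenSecretRef`, assuming the API enforces one-of (confirm against the CRD). The reflowed provider comment also lost its sentence break: `# which contains the secret exactly one provider must be configured.` should be split into `# which contains the secret.` and `# Exactly one provider must be configured.`. That matters more now that both an AWS and a `vault` provider appear under `provider:`. The `spec` mapping starts and continues outside these hunks.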

+ 24 - 0
snippets/vault-approle-store.yaml

@@ -0,0 +1,24 @@
+apiVerson: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: vault-backend
+  namespace: example
+spec:
+  provider:
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+      auth:
+        # VaultAppRole authenticates with Vault using the
+        # App Role auth mechanism
+        # https://www.vaultproject.io/docs/auth/approle
+        appRole:
+          # Path where the App Role authentication backend is mounted
+          path: "approle"
+          # RoleID configured in the App Role authentication backend
+          roleId: "db02de05-fa39-4855-059b-67221c5c2f63"
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "vault-token"
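Review bot: `apiVerson` on the first line is a misspelling of `apiVersion`, so the manifest as published should fail when applied. The same typo is on the first line of `snippets/vault-kubernetes-store.yaml` and `snippets/vault-token-store.yaml`, and in the rendered examples in `provider-hashicorp-vault/index.html`. The line should read `apiVersion: external-secrets.io/v1alpha1`. Separately, `appRole.secretRef` has no comment and its key is named `vault-token`, although the docs page says this Secret holds the AppRole secret id. A comment such as `# Secret holding the AppRole secret id` and a key like `secret-id` would keep readers from storing a long-lived Vault token there instead.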

+ 31 - 0
snippets/vault-kubernetes-store.yaml

@@ -0,0 +1,31 @@
+apiVerson: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: vault-backend
+  namespace: example
+spec:
+  provider:
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+      auth:
+        # Authenticate against Vault using a Kubernetes ServiceAccount
+        # token stored in a Secret.
+        # https://www.vaultproject.io/docs/auth/kubernetes
+        kubernetes:
+          # Path where the Kubernetes authentication backend is mounted in Vault
+          mountPath: "kubernetes"
+          # A required field containing the Vault Role to assume.
+          role: "demo"
+          # Optional service account field containing the name
+          # of a kubernetes ServiceAccount
+          serviceAccountRef:
+            name: "my-sa"
+            namespace: "secret-admin"
+          # Optional secret field containing a Kubernetes ServiceAccount JWT
+          #  used for authenticating with Vault
+          secretRef:
+            name: "my-secret"
+            namespace: "secret-admin"
+            key: "vault"
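Review bot: The header comment says the ServiceAccount token is "stored in a Secret", but the example sets both `serviceAccountRef` and `secretRef`, and nothing says which one is used when both are present. The docs page lists these as separate options, so I would mark them as alternatives, e.g. `# Option 1: token of the referenced ServiceAccount` above `serviceAccountRef` and `# Option 2: JWT read from a Secret` above `secretRef`, or show only one. It is also worth a comment that omitting both falls back to the operator's own mounted service account token (the third option on the docs page), since that decides which Kubernetes identity Vault sees.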

+ 18 - 0
snippets/vault-token-store.yaml

@@ -0,0 +1,18 @@
+apiVerson: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: vault-backend
+  namespace: example
+spec:
+  provider:
+    vault:
+      server: "https://vault.acme.org"
+      path: "secret"
+      version: "v2"
+      auth:
+        # points to a secret that contains a vault token
+        # https://www.vaultproject.io/docs/auth/token
+        tokenSecretRef:
+          name: "my-secret"
+          namespace: "secret-admin"
+          key: "vault-token"
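Review bot: `metadata.namespace` is `example` while `tokenSecretRef.namespace` is `secret-admin`, and nothing explains whether a namespaced SecretStore may read a Secret from another namespace. If cross-namespace references are only honoured for cluster-scoped stores (my reading of the API, to be confirmed), the field should be dropped here or set to `example`. If they are honoured, a comment should say so, because any namespace able to create a SecretStore could then use a token kept in `secret-admin`. The same pattern is in the `secretRef` and `serviceAccountRef` entries of the approle and kubernetes snippets.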

Algunos archivos no se mostraron porque demasiados archivos cambiaron en este cambio