
Version 1.9.0 / 2020-11-14

@ricoberger ricoberger released this 14 Nov 15:23

Templated Secrets (#53 by @bartmeuris)

This version adds support for templated secrets to the Vault Secrets Operator. When you set the new value spec.templates in the CR, the secrets loaded from Vault are passed to the specified templates. The following values are passed to the template:

  • .Secrets: Map with all the secrets fetched from Vault. Key = secret name, Value = secret value
  • .Vault: Contains misc info about the Vault setup
    • .Vault.Address: configured address of the Vault instance
    • .Vault.Path: path of the Vault secret that was fetched
  • .Namespace: Namespace where the custom resource instance was deployed.
  • .Labels: access to the labels of the custom resource instance
  • .Annotations: access to the annotations of the custom resource instance

For the following example we are creating a new Vault secret containing a username and password, which are used for a database connection string:

vault kv put kvv2/mongodb-credentials username=foo password=bar

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: mongodb-connection-string
spec:
  path: kvv2/mongodb-credentials
  templates:
    mongodbConnectionString: "mongodb://{% .Secrets.username %}:{% .Secrets.password %}@mongodb.{% .Namespace %}.svc.cluster.local:27017"
  type: Opaque
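
To check a template before it is deployed, the rendering of the example above can be reproduced locally. This is an added example, not the operator's own code: it assumes the templates follow Go text/template semantics with the {% %} delimiters, and the templateData type, the render function and the sample values are constructed for illustration. It also shows what a misspelled secret key renders to, and how strict mode turns that into an error.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// templateData mirrors the values listed above (hypothetical type name).
type templateData struct {
	Secrets             map[string]string
	Vault               struct{ Address, Path string }
	Namespace           string
	Labels, Annotations map[string]string
}

// render evaluates one spec.templates entry (assumed text/template semantics).
// With strict set, a missing secret key is an error, not "<no value>".
func render(tmpl string, data templateData, strict bool) (string, error) {
	t := template.New("secret").Delims("{%", "%}")
	if strict {
		t = t.Option("missingkey=error")
	}
	t, err := t.Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sampleData is constructed input matching the Vault secret created above.
func sampleData() templateData {
	return templateData{
		Secrets:   map[string]string{"username": "foo", "password": "bar"},
		Namespace: "default",
	}
}

const connTmpl = "mongodb://{% .Secrets.username %}:{% .Secrets.password %}@mongodb.{% .Namespace %}.svc.cluster.local:27017"

func main() {
	out, err := render(connTmpl, sampleData(), true)
	fmt.Println(out, err)
	_, err = render("{% .Secrets.passwd %}", sampleData(), true) // misspelled key
	fmt.Println("strict:", err)
}
```

Without strict mode, the misspelled key renders as the literal text "<no value>", which would end up inside the generated secret without any error being reported.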

More examples can be found in the readme under Using templated secrets.

Thanks to @bartmeuris for his PR #53.