# ClusterSecretStore for HashiCorp Vault (KV v2) using Kubernetes auth.
#
# Do not apply until Vault is running, reachable from the cluster, and configured with:
# - Kubernetes auth at mountPath (default: kubernetes)
# - A role (below: external-secrets) bound to exactly this service account — bind by explicit
#   name and namespace (no wildcards) and give it a short token TTL:
# name: external-secrets
# namespace: external-secrets
# - A policy allowing read on the KV path used below (e.g. secret/data/* for path "secret").
#   Keep it as narrow as the ExternalSecrets actually need: this policy is the read scope of
#   every ExternalSecret in the cluster that references this store.
#
# Adjust server, mountPath, role, and path to match your Vault deployment. If Vault uses TLS
# with a private CA, set provider.vault.caProvider or caBundle (see README).
#
# kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  # Cluster-scoped store: unless spec.conditions (namespaces / namespaceSelector)
  # restricts it, an ExternalSecret in any namespace may reference this store and
  # read whatever the Vault role's policy allows. Add conditions if only some
  # namespaces should be able to use it.
  provider:
    vault:
      # Plain http: the service-account JWT presented at login, the Vault token
      # returned, and every secret fetched cross the cluster network unencrypted.
      # Use an https:// URL (with caBundle / caProvider for a private CA) for
      # anything beyond a throwaway dev cluster.
      server: "http://vault.vault.svc.cluster.local:8200"
      # KV v2 mount name; per the header, reads resolve under <path>/data/*
      path: secret
      version: v2
      auth:
        kubernetes:
          # Vault Kubernetes auth mount path
          mountPath: kubernetes
          # Vault role; must be bound to the service account referenced below
          role: external-secrets
          # Service account ESO authenticates to Vault as
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets