DEV Community

Raymond


Vault Secret as an External Secret

This guide is meant to help people who are new to Vault create a Kubernetes Secret through Vault.

There are two ways to use a Vault secret:

  • Adding the annotations
  • Using the External Secrets Operator

Figure: External Secret. Source: external-secrets.io

I used the second step in this article because I used ArgoCD before and wanted to visualize all the resources I created.

Walkthrough

Create Secret

Enable Secret Engine

Path

Value

Create a Secret for the Vault token

kubectl create secret generic vault-token --from-literal=token=<token>

or

echo -n "<token>" | base64

and put the encoded value in a Secret manifest:
apiVersion: v1
data:
  token: <Encoded Vault Token>
kind: Secret
metadata:
  name: vault-token
type: Opaque
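
The manual `echo -n ... | base64` step above has two pitfalls that leave the Secret holding something other than the token: a trailing newline encoded along with it, and base64 output wrapped across several lines. The following shell helpers are an added example, not code from the original post; the function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE_TOKEN is constructed.
SAMPLE_TOKEN="hvs.CONSTRUCTED-EXAMPLE-TOKEN-0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ-abcdefghijklmnopqrstuvwxyz-0123456789"

# Encode stdin as single-line base64. Some base64 builds (GNU coreutils) wrap
# output at 76 columns, which would split a long token across YAML lines.
b64_oneline() {
    base64 | tr -d '\n'
}

# Read a Vault token on stdin and print the vault-token Secret manifest.
# Reading stdin keeps the token out of argv and shell history.
vault_token_manifest() {
    token=$(cat)   # $(...) drops trailing newlines, so a plain echo is safe here
    [ -n "$token" ] || { echo "empty token" >&2; return 1; }
    encoded=$(printf '%s' "$token" | b64_oneline)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
type: Opaque
data:
  token: $encoded
EOF
}

# Decode the token field of a manifest read from stdin.
manifest_token() {
    sed -n 's/^  token: //p' | base64 -d
}

# Succeed if the base64 text on stdin decodes to bytes ending in a newline,
# which is what encoding with echo (without -n) produces.
decodes_with_newline() {
    [ "$(base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Print the manifest for the constructed sample token.
printf '%s\n' "$SAMPLE_TOKEN" | vault_token_manifest
```

With a real token, pipe the output of `vault_token_manifest` to `kubectl apply -f -` instead of printing it.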


Install External Secrets using Helm

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets

SecretStore

Note

Create a secret-store.yaml file:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    vault:
      # Use https:// if TLS is enabled on Vault so the token is not sent in cleartext
      server: http://<serverAddress>:<port>
      path: <path>            # see the picture above
      version: "<version>"    # see the version near the path above
      auth:
        tokenSecretRef:
          name: vault-token   # the Secret holding the Vault token, created earlier
          key: token

ExternalSecret

Create an external-secret.yaml file:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret
spec:
  refreshInterval: 5m            # time for fetching new values
  secretStoreRef:
    name: secret-store           # Secret Store name
    kind: SecretStore
  target:
    name: secret-to-be-created   # Secret name
    creationPolicy: Owner
  dataFrom:
  - extract:
      key: "<key>"               # see the picture above

The operator will automatically get all values from the Vault secret and create the new Kubernetes Secret if it does not exist.

References

HashiCorp Vault


English is not my first language, and I am not good at it, but I want to improve and enhance my English every day. Writing a blog is the best way I have chosen. Please let me know if there is anything confusing because of my English.
