Working with static secrets (HCP Vault) kubectl create ns app
kubectl create sa app-sa -n app
kubectl create clusterrolebinding vault-client-auth-delegator \
--clusterrole=system:auth-delegator \
--serviceaccount=app:app-sa
kubectl create -f - << EOF apiVersion: v1
kind: Secret
metadata:
name: vault-token
namespace: app
annotations:
kubernetes.io/service-account.name: app-sa
type: kubernetes.io/service-account-token
EOF export TOKEN_REVIEW_JWT=$( kubectl get secret vault-token -n app -o json \ | jq -r ' .data | .token'
| base64 --decode)
export KUBE_CA_CERT=$( kubectl get secret vault-token -n app -o json \ | jq -r ' .data | ."ca.crt"'
| base64 --decode)
export KUBE_HOST=$( kubectl config view --raw --minify --flatten \ -o jsonpath=' {.clusters[].cluster.server}' ) vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt=" $TOKEN_REVIEW_JWT " " $KUBE_HOST " " $KUBE_CA_CERT " enable -path=kvv2 kv-v2
vault secrets enable -path=kv kv
vault policy write dev - << EOF path "kv/*" {
capabilities = ["read"]
}
path "kvv2/*" {
capabilities = ["read"]
}
EOF " static-user" " static-password" " static-user-kvv2" " static-password-kvv2" exit Create the static secret CRDs kubectl apply -f hcp-vault/static-secrets/. Verify the static secrets were created kubectl get secret secretkv -n app -o json | jq -r .data._raw | base64 -D
kubectl get secret secretkvv2 -n app -o json | jq -r .data._raw | base64 -D Change the secrets and verify they are synced vault kv put kv/webapp/config username=" new-static-user" " new-static-password" " new-static-user-kvv2" " new-static-password-kvv2" exit Verify the static secrets were updated (wait 30s) kubectl get secret secretkv -n app -o json | jq -r .data._raw | base64 -D
kubectl get secret secretkvv2 -n app -o json | jq -r .data._raw | base64 -D