helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault --set "server.enabled=false" --set "injector.enabled=false" --set "csi.enabled=true"
vault auth enable kubernetes
vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault secrets enable -path=secret kv
vault kv put secret/<path> <secret name>=<secret value>
Before uploading a certificate to HashiCorp Vault it must be a single .pem file containing the private key, the certificate and the CA chain concatenated together.
(Refer to "mycert.pem" for the sample certificate format.)
vault kv put secret/<path> <secret name>=@<path to cert.pem>
Policy:
vault policy write <policy name> - <<EOF
path "secret/database/credentials" {
capabilities = ["create", "read", "update", "delete"]
}
EOF
Role:
vault write auth/kubernetes/role/<role name> \
    bound_service_account_names=* \
    bound_service_account_namespaces=* \
    policies=<policy name> \
    ttl=24h
Note: access can be restricted by assigning the <fep-cluster>-sa service account to bound_service_account_names, and further restricted by namespace by assigning a value to bound_service_account_namespaces instead of the wildcard.
Note: only a single key/value pair per secret is to be stored in HashiCorp Vault.
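The steps above configure the Vault side only; the manifest below is an added example (not part of the original page) showing how a pod consumes the secret through the CSI provider installed with csi.enabled=true. It assumes the Secrets Store CSI Driver is already installed, that Vault is reachable in-cluster at http://vault.vault.svc:8200, and that the role was named fep-cluster-role, the policy path is the KV v1 path secret/database/credentials, the stored key is password and the service account is fep-cluster-sa; the pod's serviceAccountName must match the role's bound_service_account_names or the login is refused.

```yaml
# SecretProviderClass: tells the Vault CSI provider which Vault role to log in
# with and which KV v1 secret to project into the pod (names are assumptions).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-database-creds
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault.svc:8200"   # assumed in-cluster Vault address
    roleName: "fep-cluster-role"                   # the <role name> from vault write auth/kubernetes/role/...
    objects: |
      - objectName: "db-password"                  # file name created under the mount path
        secretPath: "secret/database/credentials"  # KV v1 path granted by the policy
        secretKey: "password"                      # the single <secret name> stored with vault kv put
---
# Pod: mounts the SecretProviderClass read-only; the secret is written to
# /mnt/secrets/db-password and never stored as a Kubernetes Secret object.
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: fep-cluster-sa   # must appear in the role's bound_service_account_names
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      volumeMounts:
        - name: vault-secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: vault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-database-creds"
```

The SecretProviderClass and the pod must live in the same namespace, and that namespace must be allowed by bound_service_account_namespaces on the role.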