diff --git a/docs/userguide/openbao.md b/docs/userguide/openbao.md index 8b1dc59..fb0992f 100644 --- a/docs/userguide/openbao.md +++ b/docs/userguide/openbao.md 
@@ -28,8 +28,36 @@ And to add your first secret just run: `kubectl exec -ti openbao-0 -n openbao -- vault kv put data/postgres POSTGRES_USER=admin POSTGRES_PASSWORD=123456` +To fetch it as a kubernetes secret you'll need to create an **external-secrets.yaml** file and apply it to the cluster with `kubectl apply -f external-secrets.yaml` +``` +# external-secret.yaml +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: external-secret + namespace: openbao +spec: + refreshInterval: "15s" #This specifies the time interval at which the ExternalSecret controller will refresh the secrets. + secretStoreRef: # This references the first file. + name: bao-backend + kind: SecretStore + target: #This specifies the target Kubernetes secret that the ExternalSecret will create. + name: postgres-secret + creationPolicy: Owner + data: # This is an array of secret key-value pairs that the ExternalSecret will retrieve from the Vault secret store and store in the Kubernetes secret. + - secretKey: POSTGRES_USER #Name of the k8 secret that is being created + remoteRef: #This is an object that contains the reference to the secret in the Vault secret store. + key: data/postgres # This specifies the path to the secret in the Vault secret store + property: POSTGRES_USER #This specifies the name of the secret property to retrieve from the Vault secret. + - secretKey: POSTGRES_PASSWORD + remoteRef: + key: data/postgres + property: POSTGRES_PASSWORD +``` + +After that just run `kubectl get externalsecrets -A` to check that there are no problems with synchronization. And to access the secret on your cluster run: `kubectl get secrets -n openbao` + ## 🔗 References * https://openbao.org/docs/platform/k8s/helm/run/#initialize-and-unseal-openbao -* https://developer.hashicorp.com/vault - +* https://developer.hashicorp.com/vault \ No newline at end of file
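Review bot: The comment on `secretKey: POSTGRES_USER` ("Name of the k8 secret that is being created") is wrong and will mislead readers: `secretKey` is the key inside the generated Kubernetes Secret's data map, while the Secret's name is set by `target.name` (`postgres-secret`); suggest "Key name inside the generated Kubernetes Secret" and spell it "k8s". Two smaller points in the same hunk: the prose tells the reader to create and apply **external-secrets.yaml** but the file comment reads `# external-secret.yaml` (singular), so one of them should be renamed to match; and the final `kubectl get secrets -n openbao` only lists secrets, so if the intent is to confirm the synced values it would help to say the reader should inspect `postgres-secret` specifically. Also note the hunk drops the trailing newline on the last reference line (`\ No newline at end of file`), which is worth restoring to keep the file POSIX-clean.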