External Secrets from Hashicorp Vault | HiveMQ Platform Operator (new)
This article explains how to fetch secrets from an external Hashicorp Vault and put them into Kubernetes secrets required for the HiveMQ Platform, such as license, keystore, and truststore.
Instructions
First, ensure you have the VAULT_ADDR and VAULT_TOKEN from the external vault at hand.
Next, put your secrets in the vault. In this article, we store files in the vault encoded with base64.
Install External Secrets Kubernetes Operator
Add the repo to the Helm:
helm repo add external-secrets https://charts.external-secrets.io
Install
external-secrets/external-secrets
in the same namespace as HiveMQ Platform.helm install external-secrets external-secrets/external-secrets --namespace hivemq
Create the secret required for the external-secrets to access the external vault. The secret should contain the VAULT_TOKEN. In our article, the token is
root
kubectl create secret generic secret-token-for-vault --from-literal token=root --namespace hivemq
OR
kubectl apply -f 1-secret-token-for-vault.yaml --namespace hivemq
apiVersion: v1 kind: Secret metadata: name: secret-token-for-vault data: token: cm9vdA== # "root"
Create the Secret Store required for the external-secrets to access the external vault. The definition should contain the vault URL and reference to the secret with the token, and also the path (path in the kv-2 engine in the external vault from which the token is allowed to read)
apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: secretstore-vault spec: provider: vault: server: "http://[ VAULT_ADDR ]:8200" path: "hivemq-mqtt/obc-poc" version: "v2" auth: # points to a secret that contains a vault token # https://www.vaultproject.io/docs/auth/token tokenSecretRef: name: "secret-token-for-vault" key: "token"