Vault Config Operator

Vault Config Operator 0.8.24 provided by Red Hat Community of Practice

This operator helps set up Vault Configurations. The main intent is to do so much that subsequently, pods can consume the secrets made available. There are two main principles through all of the capabilities of this operator:

1. High-fidelity API. The CRD exposed by this operator reflects field by field the Vault APIs. This is because we don't want to make any assumptions about the kinds of configuration workflow that the user will set up. That being said the Vault API is very extensive and we are starting with enough API coverage to support, we think, some simple and very common configuration workflows.
2. Attention to security. After all we are integrating with a security tool. To prevent credential leaks we give no permissions to the operator itself against Vault. All APIs exposed by this operator contain enough information to authenticate to Vault using a local service account (local to the namespace where the API exists). In other words, for a namespace user to be able to successfully configure Vault, a service account in that namespace must have been previously given the needed Vault permissions.

Currently, this operator supports the following CRDs:

1. Policy Configures Vault Policies
2. KubernetesAuthEngineRole Configures a Vault Kubernetes Authentication Role
3. SecretEngineMount Configures a Mount point for a SecretEngine
4. DatabaseSecretEngineConfig Configures a Database Secret Engine Connection
5. DatabaseSecretEngineRole Configures a Database Secret Engine Role
6. RandomSecret Creates a random secret in a vault kv Secret Engine with one password field generated using a PasswordPolicyvault-config-operator

Latest version

0.8.24

Capability level

• Basic Install
• Seamless Upgrades
• Full Lifecycle
• Deep Insights
• Auto-Pilot

Source

Community

Provider

Red Hat Community of Practice

Infrastructure features

Disconnected

Repository

https://github.com/redhat-cop/vault-config-operator

Container image

quay.io/redhat-cop/vault-config-operator@sha256:7ee740bdf3e692451d62b01669acd860b85139e52867ce4ef0593d1f5c578228

Support

Best Effort

Provided APIs for Vault Config Operator are:

1. Auth Engine Mount - AuthEngineMount is the Schema for the authenginemounts API
2. Database Secret Engine Config - DatabaseSecretEngineConfig is the Schema for the databasesecretengineconfigs API
3. Database Secret Engine Role - DatabaseSecretEngineRole is the Schema for the databasesecretengineroles API
4. Database Secret Engine Static Role - DatabaseSecretEngineStaticRole is the Schema for the databasesecretenginestaticroles API
5. Git Hub Secret Engine Config - GitHubSecretEngineConfig is the Schema for the githubsecretengineconfigs API
6. Git Hub Secret Engine Role - GitHubSecretEngineRole is the Schema for the githubsecretengineroles API
7. Group Alias - GroupAlias is the Schema for the groupalias API
8. Group - Group is the Schema for the groups API
9. JWTOIDCAuth Engine Config - JWTOIDCAuthEngineConfig is the Schema for the jwtoidcauthengineconfigs API
10. JWTOIDCAuth Engine Role - JWTOIDCAuthEngineRole is the Schema for the jwtoidcauthengineroles API
11. Kubernetes Auth Engine Config - KubernetesAuthEngineConfig is the Schema for the kubernetesauthengineconfigs API
12. Kubernetes Auth Engine Role - KubernetesAuthEngineRole can be used to define a KubernetesAuthEngineRole for the kube-auth authentication method
13. Kubernetes Secret Engine Config - KubernetesSecretEngineConfig is the Schema for the kubernetessecretengineconfigs API
14. Kubernetes Secret Engine Role - KubernetesSecretEngineRole is the Schema for the kubernetessecretengineroles API
15. LDAPAuth Engine Config - LDAPAuthEngineConfig is the Schema for the ldapauthengineconfigs API
16. LDAPAuth Engine Group - LDAPAuthEngineGroup is the Schema for the ldapauthenginegroups API
17. Password Policy - PasswordPolicy is the Schema for the passowordpolicies API
18. PKISecret Engine Config - PKISecretEngineConfig is the Schema for the pkisecretengineconfigs API
19. PKISecret Engine Role - PKISecretEngineRole is the Schema for the pkisecretengineroles API
20. Policy - Policy is the Schema for the policies API
21. Quay Secret Engine Config - QuaySecretEngineConfig is the Schema for the quaysecretengineconfigs API
22. Quay Secret Engine Role - QuaySecretEngineRole is the Schema for the quaysecretengineroles API
23. Quay Secret Engine Static Role - QuaySecretEngineStaticRole is the Schema for the quaysecretenginestaticroles API
24. Rabbit MQSecret Engine Config - RabbitMQSecretEngineConfig is the Schema for the rabbitmqsecretengineconfigs API
25. Rabbit MQSecret Engine Role - RabbitMQSecretEngineRole is the Schema for the rabbitmqsecretengineroles API
26. Random Secret - RandomSecret is the Schema for the randomsecrets API
27. Secret Engine Mount - SecretEngineMount is the Schema for the secretenginemounts API
28. Vault Secret - VaultSecret is the Schema for the vaultsecrets API

Ref: https://developer.hashicorp.com/vault/docs/platform/k8s/vso