Access Vault UI

Vault UI is accessible via https://vault.apps.$BASE_DOMAIN.

In this stack, Vault is deploy in dev mode, which means that the root token is root.

Create a secret in Vault and allow access to a ServiceAccount using Terraform

Inject a secret from Vault using agent injector

This stack installs Vault injector that allows secrets injection to a pod.

$ kubectl -n demo-app exec -ti $(kubectl -n demo-app get pods --selector 'app.kubernetes.io/name=demo-app' --output=name|head -n1) -- cat /vault/secrets/demo-app
Defaulting container name to demo-app.
Use 'kubectl describe pod/demo-app-6f7cf8ddbf-vq7vg -n demo-app' to see all of the containers in this pod.
data: map[foo:bar pizza:cheese]
metadata: map[created_time:2020-10-05T15:04:47.061885873Z deletion_time: destroyed:false version:1]

Inject a secret from Vault using secrets store CSI driver

$ kubectl -n demo-app exec -ti $(kubectl -n demo-app get pods --selector 'app.kubernetes.io/name=demo-app' --output=name|head -n1) -- cat /mnt/secrets-store/demo-app