New to KubeVault? Please start here.

AWS S3

In S3 storage backend, data will be stored in AWS S3. Vault documentation for S3 storage can be found in here.

apiVersion: kubevault.com/v1alpha1
kind: VaultServer
metadata:
  name: vault-with-s3
  namespace: demo
spec:
  nodes: 1
  version: "0.11.1"
  backend:
    s3:
      bucket: "my-vault-bucket"
      region: "us-west-1"
      credentialSecret: "aws-credential"

spec.backend.s3

To use S3 as backend storage in Vault specify spec.backend.s3 in VaultServer CRD.

spec:
  backend:
    s3:
      bucket: <bucket_name>
      endPoint: <end_point>
      region: <region>
      credentialSecret: <credential_secret_name>
      sessionTokenSecret: <session_secret_name>
      maxParallel: <max_parallel>
      s3ForcePathStyle: <true/false>
      disableSSL: <true/false>

spec.backend.s3 has following fields:

s3.bucket

s3.bucket is a required field that specifies the name of the bucket to use for storage.

spec:
  backend:
    s3:
      bucket: "my-vault-storage"

s3.endPoint

s3.endPoint is an optional field that specifies an alternative, AWS compatible, S3 endpoint.

spec:
  backend:
    s3:
      endPoint: "endpoint.com"

s3.region

s3.region is an optional field that specifies the AWS region. If this field is not specified, then Vault will set value us-east-1.

spec:
  backend:
    s3:
      region: "us-east-1"

s3.credentialSecret

s3.credentialSecret is an optional field that specifies the secret name containing AWS access key and AWS secret key. The secret contains following keys:

  • access_key
  • secret_key

Leaving the access_key and secret_key fields empty will cause Vault to attempt to retrieve credentials from the AWS metadata service.

spec:
  backend:
    s3:
      credentialSecret: "aws-credential"

s3.sessionTokenSecret

s3.sessionTokenSecret is an optional field that specifies the secret name containing AWS session token. The secret contains following key:

  • session_token

    spec:
    backend:
    s3:
      sessionTokenSecret: "aws-session-token"
    

s3.maxParallel

maxParallel is an optional field that specifies the maximum number of parallel operations to take place. This field accepts integer value. If this field is not specified, then Vault will set value 128.

spec:
  backend:
    s3:
      maxParallel: 124

s3.s3ForcePathStyle

s3.s3ForcePathStyle is an optional field that specifies whether to use host bucket style domains with the configured endpoint. This field accepts boolean value. Default value is false.

spec:
  backend:
    s3:
      s3ForcePathStyle: true

s3.disableSSL

s3.disableSSL is an optional field that specifies if SSL should be used for the endpoint connection. This field accepts boolean value. Default value is false.

spec:
  backend:
    s3:
      disableSSL: true