Concepts help you learn about the different parts of KubeVault and the abstractions it uses.

Introduces a way to specify the parameters that are necessary for communicating with an app or service.

Introduces the concept of VaultServerVersion, which specifies the docker images used for a Vault server deployment.

VaultServer is a Kubernetes CustomResourceDefinition (CRD) used to deploy and configure a HashiCorp Vault server on a Kubernetes cluster in a Kubernetes native way.

When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but does not know how to decrypt any of it. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key that decrypts the data, allowing access to the Vault. Initializing and unsealing Vault servers by hand is a tedious job, so KubeVault offers various methods of automatically unsealing Vault servers. Whichever method is used, the unseal material is equivalent to the root key: anyone who can obtain it can decrypt everything in storage, so protecting it is the primary security concern of an automatically unsealed deployment.
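The following Go program is an added example that models the sealed/unsealed states described above; it is not code from KubeVault or HashiCorp Vault. It assumes a single 32-byte root key held by the operator (real Vault additionally splits the root key with Shamir's scheme, which is omitted here), uses AES-256-GCM as the cipher for both layers, and the type and function names (Storage, VaultServer, Init, Unseal) are hypothetical. The point it demonstrates is that the physical storage is fully readable while sealed, yet nothing in it can be decrypted until the root key unwraps the data key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrSealed is returned for any data operation attempted while the server is sealed.
var ErrSealed = errors.New("vault is sealed")

// Storage stands in for the physical backend. A sealed server can read every byte
// of it but holds no key that decrypts any of it.
type Storage struct {
	encryptedKeyring []byte            // data key, encrypted under the root key
	entries          map[string][]byte // secrets, encrypted under the data key
}

func NewStorage() *Storage { return &Storage{entries: map[string][]byte{}} }

// VaultServer holds the plaintext data key only while unsealed.
type VaultServer struct {
	storage *Storage
	dataKey []byte // nil while sealed
}

func (v *VaultServer) Sealed() bool { return v.dataKey == nil }

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; a wrong key fails authentication instead of
// yielding garbage, which is what makes "wrong root key" detectable.
func aeadOpen(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

// Init runs once per storage backend: it generates the data key, wraps it with a
// fresh root key, persists only the wrapped form, and returns the root key to the
// operator. The server itself never stores the root key.
func Init(st *Storage) ([]byte, error) {
	dataKey, rootKey := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(rootKey); err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(rootKey, dataKey)
	if err != nil {
		return nil, err
	}
	st.encryptedKeyring = wrapped
	return rootKey, nil
}

// Unseal recovers the data key by decrypting the stored keyring with the root key.
func (v *VaultServer) Unseal(rootKey []byte) error {
	dataKey, err := aeadOpen(rootKey, v.storage.encryptedKeyring)
	if err != nil {
		return errors.New("unseal failed: root key does not open the keyring")
	}
	v.dataKey = dataKey
	return nil
}

// Seal drops the data key; storage stays intact but is unreadable again.
func (v *VaultServer) Seal() { v.dataKey = nil }

func (v *VaultServer) Write(path string, value []byte) error {
	if v.Sealed() {
		return ErrSealed
	}
	ct, err := aeadSeal(v.dataKey, value)
	if err != nil {
		return err
	}
	v.storage.entries[path] = ct
	return nil
}

func (v *VaultServer) Read(path string) ([]byte, error) {
	if v.Sealed() {
		return nil, ErrSealed
	}
	ct, ok := v.storage.entries[path]
	if !ok {
		return nil, errors.New("not found")
	}
	return aeadOpen(v.dataKey, ct)
}

func main() {
	st := NewStorage()
	root, _ := Init(st)
	v := &VaultServer{storage: st}
	fmt.Println("sealed after start:", v.Sealed()) // true
	_, err := v.Read("secret/db")
	fmt.Println("read while sealed:", err) // vault is sealed
	_ = v.Unseal(root)
	_ = v.Write("secret/db", []byte("hunter2"))
	v.Seal()
	_ = v.Unseal(root)
	pw, _ := v.Read("secret/db")
	fmt.Println("after unseal:", string(pw)) // hunter2
}
```

Note the asymmetry the model makes visible: Seal is instantaneous and needs no secret, while Unseal needs the root key every time the process restarts. That restart path is exactly what an automatic unsealer has to cover, and whatever store it reads the key from inherits the root key's sensitivity.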
A storage backend represents the location for the durable storage of Vault's information. Each backend has its own advantages and trade-offs. For example, some backends support High Availability (HA), while others provide a more robust backup and restoration process. Introduces the various storage backend options supported by KubeVault.

Auth methods are the components in Vault that perform authentication and are responsible for assigning an identity and a set of policies to a user. In all cases, Vault enforces authentication as part of request processing. In most cases, Vault delegates the authentication administration and decision to the relevant configured external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft Azure, Okta, JWT/OIDC). Having multiple auth methods enables you to use the auth method that makes the most sense for your use case of Vault and your organization. Introduces the various authentication methods supported by KubeVault.

SecretEngine is a Kubernetes Custom Resource Definition (CRD). It provides a way to enable and configure a Vault secret engine. Introduces the SecretEngine CRD, its fields, and its various use cases.

In a Secret Engine, a role describes an identity with the set of policies you want to attach to a user of that Secret Engine. Introduces the various roles supported by KubeVault.

SecretAccessRequest is a Kubernetes CustomResourceDefinition (CRD) which allows a user to request credentials from a Vault server in a Kubernetes native way. A SecretAccessRequest can be created under various roleRefs, e.g. MongoDBRole. Introduces the SecretAccessRequest CRD, its fields, and its various use cases.

SecretRoleBinding is a Kubernetes CustomResourceDefinition (CRD) which allows a user to bind a set of roles to a set of users. Using a SecretRoleBinding it is possible to bind various roles, e.g. MongoDBRole, to Kubernetes users.

Everything in Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain operations in Vault. Policies are deny by default, so an empty policy grants no permission in the system.
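The following Go program is an added example that models how path-based, deny-by-default policies resolve a request; it is not code from Vault or KubeVault, and the Rule, Policy and Allowed names are hypothetical. It implements a simplified version of the matching rules Vault policies use: a trailing `*` matches any suffix, `+` matches exactly one path segment, an exact path match takes precedence over wildcard matches, the longest matching wildcard pattern wins otherwise, capabilities for the same path are unioned across all policies a token holds, and a `deny` capability overrides any grant. The sample policies are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "path" stanza of a policy; Policy is a named set of them.
type Rule struct {
	Path         string
	Capabilities []string
}

type Policy struct {
	Name  string
	Rules []Rule
}

// matches implements the two wildcards: a trailing "*" matches any suffix, and a
// "+" segment matches exactly one path segment.
func matches(pattern, path string) bool {
	glob := strings.HasSuffix(pattern, "*")
	if glob {
		pattern = strings.TrimSuffix(pattern, "*")
	}
	if !strings.Contains(pattern, "+") {
		if glob {
			return strings.HasPrefix(path, pattern)
		}
		return pattern == path
	}
	pSegs, segs := strings.Split(pattern, "/"), strings.Split(path, "/")
	if (glob && len(segs) < len(pSegs)) || (!glob && len(segs) != len(pSegs)) {
		return false
	}
	for i, ps := range pSegs {
		switch {
		case ps == "+": // any single segment
		case glob && i == len(pSegs)-1: // final segment is a prefix of the rest
			return strings.HasPrefix(strings.Join(segs[i:], "/"), ps)
		case ps != segs[i]:
			return false
		}
	}
	return true
}

// merge unions the capabilities granted to each path pattern across all policies.
// "deny" is kept like any other capability and checked first in decide, so a deny
// in one policy cannot be cancelled by a grant in another.
func merge(policies []Policy) map[string]map[string]bool {
	merged := map[string]map[string]bool{}
	for _, p := range policies {
		for _, r := range p.Rules {
			caps := merged[r.Path]
			if caps == nil {
				caps = map[string]bool{}
				merged[r.Path] = caps
			}
			for _, c := range r.Capabilities {
				caps[c] = true
			}
		}
	}
	return merged
}

func decide(caps map[string]bool, capability string) bool {
	if caps["deny"] {
		return false
	}
	return caps[capability]
}

// Allowed answers: may a token holding these policies perform capability on path?
// An exact path match wins; otherwise the longest matching wildcard pattern wins;
// if nothing matches the request is denied. With no policies at all, merged is
// empty and every request falls through to false: deny by default.
func Allowed(policies []Policy, path, capability string) bool {
	merged := merge(policies)
	if caps, ok := merged[path]; ok {
		return decide(caps, capability)
	}
	var best string
	var bestCaps map[string]bool
	for pattern, caps := range merged {
		if !matches(pattern, path) {
			continue
		}
		if len(pattern) > len(best) || (len(pattern) == len(best) && pattern < best) {
			best, bestCaps = pattern, caps
		}
	}
	if bestCaps == nil {
		return false
	}
	return decide(bestCaps, capability)
}

func main() {
	dev := Policy{Name: "dev", Rules: []Rule{
		{Path: "secret/data/dev/*", Capabilities: []string{"read", "list"}},
		{Path: "secret/data/dev/prod-creds", Capabilities: []string{"deny"}},
		{Path: "secret/data/+/shared", Capabilities: []string{"read"}},
	}}
	ops := Policy{Name: "ops", Rules: []Rule{{Path: "secret/data/dev/*", Capabilities: []string{"update"}}}}
	fmt.Println(Allowed(nil, "secret/data/dev/app", "read"))                  // false: no policy, no access
	fmt.Println(Allowed([]Policy{dev}, "secret/data/dev/app", "update"))      // false: read/list only
	fmt.Println(Allowed([]Policy{dev, ops}, "secret/data/dev/app", "update")) // true: union of policies
	fmt.Println(Allowed([]Policy{dev}, "secret/data/dev/prod-creds", "read")) // false: exact deny wins
}
```

The two cases worth internalising are the last two lines of main: attaching a second policy can only widen access (which is why roles and bindings should be granted sparingly), and the only way to carve an exception out of a glob grant is an explicit, more specific `deny`.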