Concepts
Concepts help you learn about the different parts of KubeVault and the abstractions it uses.
- What is KubeVault?
  - Overview: an introduction to the KubeVault operator, the problems it solves, and its use cases.
  - Operator architecture: a high-level illustration of the architecture of the KubeVault operator.
AppBinding
Introduces the AppBinding resource, a way to specify the connection information, credentials, and parameters needed to communicate with an app or service.
Vault Server Version
Introduces the VaultServerVersion resource, which specifies the Docker images of HashiCorp Vault, the Unsealer, and the Exporter.
Vault Server
A VaultServer is a Kubernetes CustomResourceDefinition (CRD) used to deploy and configure a HashiCorp Vault server on a Kubernetes cluster in a Kubernetes-native way. Introduces the VaultServer resource and its configuration.
Vault Unsealer Options
When a Vault server starts, it starts in a sealed state: Vault knows where and how to access its physical storage, but cannot decrypt any of it. Unsealing is the process of obtaining the plaintext root key needed to read the decryption key that decrypts the data, which makes the Vault usable. Initializing and unsealing Vault servers by hand is tedious and error-prone, so KubeVault's Unsealer can do both automatically. Whoever can read the stored unseal key shares can unseal Vault, so their storage must be protected as tightly as Vault's own data. Introduces the available modes of automatic initialization and unsealing of Vault servers.
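Vault's default seal splits the root key into key shares with Shamir's secret sharing, and an unsealer (manual or automated) has to hand back at least the threshold number of shares before the root key can be recovered. The following is an added example, not KubeVault or Vault code: it implements the split, the threshold reconstruction, and an Unsealer object that accepts shares one at a time the way repeated `vault operator unseal` calls do. The 32-byte root key is a constructed value, the prime field and the `Unsealer` class are this example's own choices, and nothing here talks to a real Vault.

```python
import secrets

# Field for the arithmetic: the Mersenne prime 2^521 - 1 (an assumption of this
# example), large enough that a 32-byte root key is always a field element.
PRIME = 2**521 - 1
KEY_LEN = 32


def _poly_eval(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x (Horner)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % PRIME
    return acc


def split_secret(secret: bytes, shares: int, threshold: int, rng=None):
    """Shamir split: `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    rng = rng or secrets.SystemRandom()
    s = int.from_bytes(secret, "big")
    # Random coefficients are drawn from [1, PRIME): a zero leading coefficient
    # would silently lower the real threshold by one.
    coeffs = [s] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` distinct
    shares this returns a wrong value, not an error: nothing in the shares
    themselves reveals whether the result is the real key."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class Unsealer:
    """Collects shares one at a time until the threshold is reached."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self._pending = {}

    def submit(self, share):
        x, y = share
        self._pending[x] = y  # resubmitting the same share adds no progress
        if len(self._pending) < self.threshold:
            return None  # still sealed: more shares needed
        value = combine_shares(list(self._pending.items()))
        self._pending.clear()
        try:
            return value.to_bytes(KEY_LEN, "big")
        except OverflowError:  # a corrupted or foreign share: not a key at all
            raise ValueError("shares do not reconstruct a valid root key") from None


if __name__ == "__main__":
    root_key = bytes(range(KEY_LEN))  # constructed sample key, not a real one
    key_shares = split_secret(root_key, shares=5, threshold=3)
    u = Unsealer(threshold=3)
    for sh in (key_shares[4], key_shares[1], key_shares[2]):
        print("unsealed" if u.submit(sh) == root_key else "sealed")
```

Two points carry over to a real deployment: any three of the five shares are enough, so each stored share is as sensitive as the key it protects, and a set of fewer than three shares yields a value that looks like a key but is not one, so an unsealer cannot detect a missing share except by checking the result against the storage it is meant to decrypt.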
Vault Server Storage
The storage backend is the location of Vault's durable data. Each backend has its own trade-offs: for example, some support High Availability (HA), while others provide a more robust backup and restore process. Introduces the storage backend options supported by KubeVault.
Authentication Methods for Vault Server
Auth methods are the components in Vault that perform authentication and are responsible for assigning an identity and a set of policies to a user. In all cases, Vault enforces authentication as part of request processing. In most cases, Vault delegates the administration of authentication and the authentication decision to the configured external auth method (e.g., Amazon Web Services, GitHub, Google Cloud Platform, Kubernetes, Microsoft Azure, Okta, JWT/OIDC). Having multiple auth methods lets you use the one that makes the most sense for your use case of Vault and your organization. Introduces the authentication methods supported by KubeVault.
Secret Engine
SecretEngine is a Kubernetes Custom Resource Definition (CRD) that provides a way to enable and configure a Vault secret engine. Introduces the SecretEngine CRD, its fields, and its use cases.
Secret Engine Roles
In a secret engine, a role describes an identity together with the set of permissions, groups, or policies you want to attach to a user of that secret engine. Introduces the roles supported by KubeVault.
Secret Access Request
A SecretAccessRequest is a Kubernetes CustomResourceDefinition (CRD) that lets a user request credentials from a Vault server in a Kubernetes-native way. A SecretAccessRequest refers to a role through its roleRef, for example an AWSRole, GCPRole, ElasticsearchRole, or MongoDBRole. Introduces the SecretAccessRequest CRD, its fields, and its use cases.
Secret Role Binding
A SecretRoleBinding is a Kubernetes CustomResourceDefinition (CRD) that binds a set of roles to a set of users. With a SecretRoleBinding, roles such as AWSRole, GCPRole, ElasticsearchRole, or MongoDBRole can be bound to Kubernetes ServiceAccounts.
Vault Policy
Everything in Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain operations in Vault. Policies are deny by default, so an empty policy grants no permission in the system. A token's capabilities are the union of what its attached policies grant, with an explicit deny winning over any grant, so review the combined effect of a binding rather than each policy on its own.
- VaultPolicy: is used to create, update or delete Vault policies.
- VaultPolicyBinding: is used to create Vault auth roles that associate an authentication type/entity with a set of Vault policies.
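The two halves described on this page, an auth method that maps a caller to a set of policies (see "Authentication Methods for Vault Server" above) and path-based, deny-by-default policies that decide what those policies allow, are easier to reason about when run end to end. The following is an added example, not KubeVault or Vault code. It parses the `path "..." { capabilities = [...] }` subset of policy HCL, resolves a request path against the policies of a Kubernetes auth role, and models the Kubernetes auth method's binding check using the real role parameters `bound_service_account_names`, `bound_service_account_namespaces` and `token_policies`. The policies, role and service accounts are constructed for the example, JWT validation against the Kubernetes TokenReview API is assumed to have happened already and is not modelled, and the rule-specificity ordering is a simplified model of Vault's, not its radix-tree implementation.

```python
import re

# Minimal parser for the policy subset used here:
#   path "secret/data/app/*" { capabilities = ["read", "list"] }
# Real policies also support allowed_parameters, min_wrapping_ttl etc.,
# which this example deliberately leaves out.
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: {capability, ...}} for one policy document."""
    rules = {}
    for pattern, caps in _RULE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style matching: a trailing '*' is a prefix glob, '+' matches
    exactly one path segment, everything else must match literally."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    aseg = path.split("/")
    if glob:
        if len(aseg) < len(pseg):
            return False
        if any(p != "+" and p != a for p, a in zip(pseg[:-1], aseg)):
            return False
        return pseg[-1] == "+" or aseg[len(pseg) - 1].startswith(pseg[-1])
    return len(pseg) == len(aseg) and all(p == "+" or p == a for p, a in zip(pseg, aseg))


def _specificity(pattern: str):
    # Exact rules beat wildcard rules; among wildcard rules the longer literal
    # prefix wins. Simplified model of Vault's resolution (an assumption).
    wildcard = "*" in pattern or "+" in pattern
    return (0 if wildcard else 1, len(pattern.rstrip("*")))


def capabilities(policies: dict, names, path: str) -> set:
    """Capabilities on `path` for a token carrying the named policies.
    Per policy only the most specific matching rule applies; across policies
    grants are merged and an explicit deny beats everything. Vault's built-in
    root policy allows everything."""
    if "root" in names:
        return {"root"}
    granted = set()
    for name in names:
        matching = [p for p in policies.get(name, {}) if path_matches(p, path)]
        if not matching:
            continue  # no rule for this path: deny by default for this policy
        granted |= policies[name][max(matching, key=_specificity)]
    return {"deny"} if "deny" in granted else granted


def allowed(policies: dict, names, path: str, capability: str) -> bool:
    caps = capabilities(policies, names, path)
    return "root" in caps or (capability in caps and "deny" not in caps)


def login(auth_roles: dict, role_name: str, sa_name: str, sa_namespace: str):
    """Binding check of the Kubernetes auth method: the (already validated)
    service account must be listed in the role; '*' means any."""
    role = auth_roles.get(role_name)
    if role is None:
        return None
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    if sa_name not in names and "*" not in names:
        return None
    if sa_namespace not in namespaces and "*" not in namespaces:
        return None
    return list(role["token_policies"])


# Constructed sample data for the example (not from any real deployment).
POLICIES = {
    "app-reader": parse_policy('''
        path "secret/data/app/*" { capabilities = ["read", "list"] }
        path "secret/data/app/admin" { capabilities = ["deny"] }
    '''),
    "db-creds": parse_policy('path "database/creds/+" { capabilities = ["read"] }'),
}
AUTH_ROLES = {
    "app": {
        "bound_service_account_names": ["app"],
        "bound_service_account_namespaces": ["prod"],
        "token_policies": ["app-reader", "db-creds"],
    },
}


def authorize(role: str, sa_name: str, sa_ns: str, path: str, capability: str) -> bool:
    """End to end: login through the auth role, then evaluate the path."""
    names = login(AUTH_ROLES, role, sa_name, sa_ns)
    return names is not None and allowed(POLICIES, names, path, capability)
```

Running `authorize("app", "app", "prod", "secret/data/app/db", "read")` returns True, the same call for `secret/data/app/admin` returns False because the exact deny rule is more specific than the glob grant, and a service account from the `dev` namespace fails the binding check before any policy is consulted. The `database/creds/+` rule matches exactly one role name, so a deeper path such as `database/creds/readonly/extra` is denied.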