New to KubeVault? Please start here.
AWS S3
In S3 storage backend, Vault data will be stored in AWS S3 bucket. Vault documentation for S3 storage can be found in here.
apiVersion: kubevault.com/v1alpha1
kind: VaultServer
metadata:
name: vault-with-s3
namespace: demo
spec:
replicas: 1
version: "1.2.0"
backend:
s3:
bucket: "my-vault-bucket"
region: "us-west-1"
credentialSecret: "aws-credential"
spec.backend.s3
To use S3 as backend storage in Vault specify spec.backend.s3
in VaultServer CRD.
spec:
backend:
s3:
bucket: <bucket_name>
endpoint: <end_point>
region: <region>
credentialSecret: <credential_secret_name>
sessionTokenSecret: <session_secret_name>
maxParallel: <max_parallel>
forcePathStyle: <true/false>
disableSSL: <true/false>
Here, we are going to describe the various attributes of the spec.backend.s3
field.
s3.bucket
s3.bucket
is a required field that specifies the name of the bucket to use for storage.
spec:
backend:
s3:
bucket: "my-vault-storage"
s3.endpoint
s3.endpoint
is an optional field that specifies an alternative, AWS compatible, S3 endpoint.
spec:
backend:
s3:
endpoint: "endpoint.com"
s3.region
s3.region
is an optional field that specifies the AWS region. If this field is not specified, then Vault will set value to us-east-1
.
spec:
backend:
s3:
region: "us-east-1"
s3.credentialSecret
s3.credentialSecret
is an optional field that specifies the secret name containing AWS access key and AWS secret key. The secret contains the following keys:
access_key
secret_key
Leaving the access_key
and secret_key
fields empty will cause Vault to attempt to retrieve credentials from the AWS metadata service.
spec:
backend:
s3:
credentialSecret: "aws-credential"
s3.sessionTokenSecret
s3.sessionTokenSecret
is an optional field that specifies the secret name containing the AWS session token. The secret contains the following key:
session_token
spec:
backend:
s3:
sessionTokenSecret: "aws-session-token"
s3.maxParallel
maxParallel
is an optional field that specifies the maximum number of parallel operations to take place. This field accepts integer value. If this field is not specified, then Vault will set value to 128
.
spec:
backend:
s3:
maxParallel: 124
s3.forcePathStyle
s3.forcePathStyle
is an optional field that specifies whether to use host bucket-style domains with the configured endpoint. This field accepts boolean value. The default value is false
.
spec:
backend:
s3:
forcePathStyle: true
s3.disableSSL
s3.disableSSL
is an optional field that specifies if SSL should be used for the endpoint connection. This field accepts boolean value. The default value is false
.
spec:
backend:
s3:
disableSSL: true