SecretBackend

class SecretBackend : KotlinCustomResource

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
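// Both files are read on the machine running `pulumi up`; the paths are placeholders.
// The token file must never be committed to source control.
const kubernetesCaCert = std.file({
    input: "/path/to/cert",
}).then(invoke => invoke.result);

// The service-account JWT is a bearer credential. Wrapping it in pulumi.secret
// encrypts it in state and redacts it from previews/diffs, regardless of whether
// the provider schema already flags this input as sensitive (harmless if it does).
const serviceAccountJwt = pulumi.secret(
    std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result),
);

const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    // Leases issued through this mount default to 12h and are capped at 24h.
    defaultLeaseTtlSeconds: 43200,
    maxLeaseTtlSeconds: 86400,
    // HTTPS endpoint; the API server certificate is verified against kubernetesCaCert.
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: kubernetesCaCert,
    serviceAccountJwt: serviceAccountJwt,
    // false: if Vault itself runs in a pod and the two fields above are omitted,
    // the engine falls back to the pod's own CA and service-account token.
    disableLocalCaJwt: false,
});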
import pulumi
import pulumi_std as std
import pulumi_vault as vault
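# Both files are read on the machine running `pulumi up`; the paths are placeholders.
# The token file must never be committed to source control.
kubernetes_ca_cert = std.file(input="/path/to/cert").result

# The service-account JWT is a bearer credential. Marking it secret encrypts it in
# state and redacts it from previews/diffs, regardless of whether the provider
# schema already flags this input as sensitive (harmless if it does).
service_account_jwt = pulumi.Output.secret(std.file(input="/path/to/token").result)

config = vault.kubernetes.SecretBackend(
    "config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    # Leases issued through this mount default to 12h and are capped at 24h.
    default_lease_ttl_seconds=43200,
    max_lease_ttl_seconds=86400,
    # HTTPS endpoint; the API server certificate is verified against kubernetes_ca_cert.
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=kubernetes_ca_cert,
    service_account_jwt=service_account_jwt,
    # False: if Vault itself runs in a pod and the two fields above are omitted,
    # the engine falls back to the pod's own CA and service-account token.
    disable_local_ca_jwt=False,
)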
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
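return await Deployment.RunAsync(() =>
{
    // Both files are read on the machine running `pulumi up`; the paths are placeholders.
    // The token file must never be committed to source control.
    var kubernetesCaCert = Std.File.Invoke(new()
    {
        Input = "/path/to/cert",
    }).Apply(invoke => invoke.Result);

    // The service-account JWT is a bearer credential. Marking it secret encrypts it
    // in state and redacts it from previews/diffs, regardless of whether the provider
    // schema already flags this input as sensitive (harmless if it does).
    var serviceAccountJwt = Output.CreateSecret(Std.File.Invoke(new()
    {
        Input = "/path/to/token",
    }).Apply(invoke => invoke.Result));

    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        // Leases issued through this mount default to 12h and are capped at 24h.
        DefaultLeaseTtlSeconds = 43200,
        MaxLeaseTtlSeconds = 86400,
        // HTTPS endpoint; the API server certificate is verified against KubernetesCaCert.
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = kubernetesCaCert,
        ServiceAccountJwt = serviceAccountJwt,
        // false: if Vault itself runs in a pod and the two fields above are omitted,
        // the engine falls back to the pod's own CA and service-account token.
        DisableLocalCaJwt = false,
    });
});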
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
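func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Both files are read on the machine running `pulumi up`; the paths are placeholders.
		// The token file must never be committed to source control.
		caCert, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		tokenFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}

		// The service-account JWT is a bearer credential. Marking it secret encrypts it
		// in state and redacts it from previews/diffs, regardless of whether the provider
		// schema already flags this input as sensitive (harmless if it does).
		serviceAccountJwt := pulumi.ToSecret(pulumi.String(tokenFile.Result)).(pulumi.StringOutput)

		_, err = kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:        pulumi.String("kubernetes"),
			Description: pulumi.String("kubernetes secrets engine description"),
			// Leases issued through this mount default to 12h and are capped at 24h.
			DefaultLeaseTtlSeconds: pulumi.Int(43200),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
			// HTTPS endpoint; the API server certificate is verified against KubernetesCaCert.
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(caCert.Result),
			ServiceAccountJwt: serviceAccountJwt,
			// false: if Vault itself runs in a pod and the two fields above are omitted,
			// the engine falls back to the pod's own CA and service-account token.
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		// err is nil on success, so returning it directly is equivalent to the
		// explicit nil-check-then-return-nil form.
		return err
	})
}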
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
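public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Both files are read on the machine running `pulumi up`; the paths are placeholders.
        // The token file must never be committed to source control.
        // StdFunctions.file(...) yields an Output of the invoke result, so the
        // `result` field is projected out with applyValue rather than called directly.
        var kubernetesCaCert = StdFunctions.file(FileArgs.builder()
            .input("/path/to/cert")
            .build()).applyValue(r -> r.result());

        // The service-account JWT is a bearer credential. asSecret() encrypts it in
        // state and redacts it from previews/diffs, regardless of whether the provider
        // schema already flags this input as sensitive (harmless if it does).
        var serviceAccountJwt = StdFunctions.file(FileArgs.builder()
            .input("/path/to/token")
            .build()).applyValue(r -> r.result()).asSecret();

        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            // Leases issued through this mount default to 12h and are capped at 24h.
            .defaultLeaseTtlSeconds(43200)
            .maxLeaseTtlSeconds(86400)
            // HTTPS endpoint; the API server certificate is verified against kubernetesCaCert.
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(kubernetesCaCert)
            .serviceAccountJwt(serviceAccountJwt)
            // false: if Vault itself runs in a pod and the two fields above are omitted,
            // the engine falls back to the pod's own CA and service-account token.
            .disableLocalCaJwt(false)
            .build());
    }
}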
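resources:
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      # Leases issued through this mount default to 12h and are capped at 24h.
      defaultLeaseTtlSeconds: 43200
      maxLeaseTtlSeconds: 86400
      # HTTPS endpoint; the API server certificate is verified against kubernetesCaCert.
      kubernetesHost: https://127.0.0.1:61233
      # Both files are read on the machine running `pulumi up`; the paths are placeholders.
      # The token file must never be committed to source control.
      kubernetesCaCert:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/cert
          return: result
      # The service-account JWT is a bearer credential. fn::secret encrypts it in
      # state and redacts it from previews/diffs, regardless of whether the provider
      # schema already flags this input as sensitive (harmless if it does).
      serviceAccountJwt:
        fn::secret:
          fn::invoke:
            function: std:file
            arguments:
              input: /path/to/token
            return: result
      # false: if Vault itself runs in a pod and the two fields above are omitted,
      # the engine falls back to the pod's own CA and service-account token.
      disableLocalCaJwt: false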

Import

The Kubernetes secret backend can be imported using its mount path, e.g.

$ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes

Properties

val accessor: Output<String>

Accessor of the mount


List of managed key registry entry names that the mount in question is allowed to access


List of headers to allow and pass from the request to the plugin


Specifies the list of keys in the request data object that audit devices will not HMAC. Values under these keys are written to audit logs in plaintext, so never list keys that carry credentials, tokens or other secrets.


Specifies the list of keys in the response data object that audit devices will not HMAC. Values under these keys are written to audit logs in plaintext, so never list keys that carry credentials, tokens or other secrets.


Default lease duration for tokens and secrets in seconds


List of headers to allow and pass from the request to the plugin

val description: Output<String>?

Human-friendly description of the mount


Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. When this is left false and the CA certificate or service account JWT is omitted, the engine authenticates to the API server with the Vault pod's own service account, so that account's RBAC permissions are the ones the engine will use.


Enable the secrets engine to access Vault's external entropy source

val id: Output<String>
val identityTokenKey: Output<String>?

The key to use for signing plugin workload identity tokens

val kubernetesCaCert: Output<String>?

A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes; otherwise, defaults to the root CA set where Vault is running. Set it explicitly when Vault runs outside the cluster, since a private cluster CA will not normally be in the host's root CA set.

val kubernetesHost: Output<String>?

The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.


Specifies whether to show this mount in the UI-specific listing endpoint

val local: Output<Boolean>?

Local mount flag that can be explicitly set to true to enforce local mount in HA environment

val maxLeaseTtlSeconds: Output<Int>

Maximum possible lease duration for tokens and secrets in seconds

val namespace: Output<String>?

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

val options: Output<Map<String, String>>?

Specifies mount type specific options that are passed to the backend


List of headers to allow and pass from the request to the plugin

val path: Output<String>

Where the secret backend will be mounted

val pluginVersion: Output<String>?

Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'

val pulumiChildResources: Set<KotlinResource>
val sealWrap: Output<Boolean>

Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability


The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes. This value is a bearer credential: keep it out of source control and mark it as a secret in your program so it is encrypted in Pulumi state and redacted from previews.

val urn: Output<String>