Bootstrapping vault-secrets-operator#

Because it is the application that manages all of the other secrets in Phalanx, the secret for vault-secrets-operator itself, containing its Vault credentials, requires special handling. It is normally created as the first step of a Phalanx bootstrap by the installer.

This secret (vault-credentials in the vault-secrets-operator namespace) exists only as a normal Secret resource and is not managed by Argo CD, so it will not appear in the Argo CD dashboard for the vault-secrets-operator application.

AppRole authentication#

When using the newer, recommended secrets management system, vault-secrets-operator’s secret looks like this:

apiVersion: v1
kind: Secret
metadata:
  name: vault-credentials
  namespace: vault-secrets-operator
stringData:
  VAULT_ROLE_ID: <role-id>
  VAULT_SECRET_ID: <secret-id>
type: Opaque

This secret will normally be created by either the installer or by piping phalanx vault create-read-approle --as-secret vault-credentials into kubectl apply. This is the default configuration of vault-secrets-operator.

Token authentication#

Using a regular Vault token is still supported, but requires special per-environment configuration for vault-secrets-operator. Put the following into applications/vault-secrets-operator/values-environment.yaml:

vault-secrets-operator:
  environmentVars:
    - name: "VAULT_TOKEN"
      valueFrom:
        secretKeyRef:
          name: "vault-secrets-operator"
          key: "VAULT_TOKEN"
    - name: "VAULT_TOKEN_LEASE_DURATION"
      value: "31536000"  # One year
  vault:
    authMethod: "token"

In this case, the created secret will look like:

apiVersion: v1
kind: Secret
metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
stringData:
  VAULT_TOKEN: <token>
type: Opaque

This secret will be created by the installer when VAULT_TOKEN is set in the environment instead of VAULT_ROLE_ID and VAULT_SECRET_ID. This Vault token must have read access (and should not have write access) to the Vault path configured in environments/values-environment.yaml for your environment.