Skip to content

External Secret Operator Workflow#

This diagram explains how Multi Tenant Operator works together with Vault and External Secrets Operator:

External-Secrets-workflow

Workflow#

Step 1#

In externalSecret we define details of secrets available in Vault and secret store that reference Vault connection and authentication details.

Step 2#

Secret Store tenant-vault-secret-store is already created in each namespace by Multi Tenant Operator templates. It refers to service account tenant-vault-access for authentication. Secret Store also refers to Vault role created with the same name as namespace name by Multi Tenant Operator.

Step 3#

Service account tenant-vault-access being referred by SecretStore is already created by Multi Tenant Operator templates. This service account has the stakater.com/vault-access: 'true' label, which is used to bound it with the Vault role by Multi Tenant Operator. To learn how Multi Tenant Operator authenticates with Vault, see Vault Multitenancy.

Step 4#

Vault verifies if the defined service account has access to role and role has an attached policy that grants access to requested path.

Step 5#

After authentication is successful, external secrets get data from the path requested from Vault.

Step 6#

Kubernetes secret is created from the values stored in Vault.