
External Secret Operator Workflow

This diagram explains how Multi Tenant Operator works together with Vault and External Secrets Operator:

Figure: External Secrets workflow diagram

Workflow

Step 1

In an ExternalSecret we define which secrets to fetch from Vault and reference the SecretStore that holds the Vault connection and authentication details.

Step 2

The SecretStore tenant-vault-secret-store is already created in each namespace by Multi Tenant Operator templates. It refers to the service account tenant-vault-access for authentication, and to the Vault role that Multi Tenant Operator creates with the same name as the namespace.

Step 3

The service account tenant-vault-access referenced by the SecretStore is already created by Multi Tenant Operator templates. This service account carries the stakater.com/vault-access: 'true' label, which Multi Tenant Operator uses to bind it to the Vault role. To learn how Multi Tenant Operator authenticates with Vault, see Vault Multitenancy.

Step 4

Vault verifies that the service account is allowed to use the role and that the role has an attached policy granting access to the requested path.

Step 5

After authentication succeeds, External Secrets Operator reads the data at the requested Vault path.

Step 6

A Kubernetes Secret is created from the values stored in Vault.
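The manifests below are an added example, not taken from the Stakater documentation or the operator's templates, showing how the objects named in Steps 1 to 3 reference each other: the ExternalSecret a tenant writes, and an illustrative SecretStore of the kind Multi Tenant Operator creates for the namespace. The namespace, Vault address, mount paths and secret path are assumptions.

```yaml
# Constructed example: the ExternalSecret a tenant writes (Step 1), alongside an
# illustrative SecretStore showing the references from Steps 2 and 3.
# Assumptions: namespace "team-a-dev", Vault at https://vault.example.internal,
# KV v2 mount "secret", Kubernetes auth mount "kubernetes", secret path
# "team-a-dev/db". In a real cluster Multi Tenant Operator already creates the
# SecretStore; it is shown here only so the cross-references are visible.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: team-a-dev
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: tenant-vault-secret-store   # Step 2: store created by MTO templates
    kind: SecretStore
  target:
    name: db-credentials              # Step 6: Kubernetes Secret written by ESO
    creationPolicy: Owner
  data:
    - secretKey: username             # key in the resulting Kubernetes Secret
      remoteRef:
        key: team-a-dev/db            # Step 5: path read from Vault (assumed)
        property: username
    - secretKey: password
      remoteRef:
        key: team-a-dev/db
        property: password
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: tenant-vault-secret-store
  namespace: team-a-dev
spec:
  provider:
    vault:
      server: https://vault.example.internal   # assumed Vault address
      path: secret                             # assumed KV v2 mount
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes                # assumed auth mount
          role: team-a-dev                     # Step 2: role named after the namespace
          serviceAccountRef:
            name: tenant-vault-access          # Step 3: SA labelled stakater.com/vault-access: 'true'
```

Once applied, the ExternalSecret's status conditions report whether the sync succeeded; a Vault authorization failure at Step 4 shows up there, and no target Secret is written.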

Copyright © 2023 Stakater AB