External Secret Operator Workflow
This diagram explains how Multi Tenant Operator works together with Vault and External Secrets Operator:
Workflow
Step 1
In externalSecret
we define details of secrets available in Vault and secret store that reference Vault connection and authentication details.
Step 2
Secret Store tenant-vault-secret-store
is already created in each namespace by Multi Tenant Operator templates. It refers to service account tenant-vault-access
for authentication. Secret Store also refers to Vault role
created with the same name as namespace name by Multi Tenant Operator.
Step 3
Service account tenant-vault-access
being referred by SecretStore
is already created by Multi Tenant Operator templates. This service account has the stakater.com/vault-access: 'true'
label, which is used to bound it with the Vault role
by Multi Tenant Operator. To learn how Multi Tenant Operator authenticates with Vault, see Vault Multitenancy.
Step 4
Vault verifies if the defined service account has access to role
and role
has an attached policy
that grants access to requested path.
Step 5
After authentication is successful, external secrets get data from the path requested from Vault.
Step 6
Kubernetes secret is created from the values stored in Vault.