HashiCorp Vault

Detailed information on the HashiCorp Vault secret store component

Create the Vault component

To setup HashiCorp Vault secret store create a component of type secretstores.hashicorp.vault. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: vault
  5. namespace: default
  6. spec:
  7. type: secretstores.hashicorp.vault
  8. version: v1
  9. metadata:
  10. - name: vaultAddr
  11. value: [vault_address] # Optional. Default: "https://127.0.0.1:8200"
  12. - name: caCert # Optional. This or caPath or caPem
  13. value: "[ca_cert]"
  14. - name: caPath # Optional. This or CaCert or caPem
  15. value: "[path_to_ca_cert_file]"
  16. - name: caPem # Optional. This or CaCert or CaPath
  17. value : "[encoded_ca_cert_pem]"
  18. - name: skipVerify # Optional. Default: false
  19. value : "[skip_tls_verification]"
  20. - name: tlsServerName # Optional.
  21. value : "[tls_config_server_name]"
  22. - name: vaultTokenMountPath # Required if vaultToken not provided. Path to token file.
  23. value : "[path_to_file_containing_token]"
  24. - name: vaultToken # Required if vaultTokenMountPath not provided. Token value.
  25. value : "[path_to_file_containing_token]"
  26. - name: vaultKVPrefix # Optional. Default: "dapr"
  27. value : "[vault_prefix]"
  28. - name: vaultKVUsePrefix # Optional. default: "true"
  29. value: "[true/false]"

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Spec metadata fields

FieldRequiredDetailsExample
vaultAddrNThe address of the Vault server. Defaults to https://127.0.0.1:8200https://127.0.0.1:8200
caCertNCertificate Authority use only one of the options. The encoded cacerts to use“cacerts”
caPathNCertificate Authority use only one of the options. The path to a CA cert file“path/to/cacert/file”
caPemNCertificate Authority use only one of the options. The encoded cacert pem to use“encodedpem”
skipVerifyNSkip TLS verification. Defaults to “false”“true”, “false”
tlsServerNameNTLS config server name“tls-server”
vaultTokenMountPathYPath to file containing token“path/to/file”
vaultTokenYToken for authentication within Vault.“tokenValue”
vaultKVPrefixNThe prefix in vault. Defaults to “dapr”“dapr”, “myprefix”
vaultKVUsePrefixNIf false, vaultKVPrefix is forced to be empty. If the value is not given or set to true, vaultKVPrefix is used when accessing the vault. Setting it to false is needed to be able to use the BulkGetSecret method of the store.“true”, “false”

Setup Hashicorp Vault instance

Setup Hashicorp Vault using the Vault documentation: https://www.vaultproject.io/docs/install/index.html.

For Kubernetes, you can use the Helm Chart: https://github.com/hashicorp/vault-helm.

Last modified February 18, 2022: Update setup-jetstream.md (#2200) (428d8c2)