# Bookstore — Part 11 ch.05 "Secrets at scale": the Vault-side configuration
# (KV v2 policy + Kubernetes auth role) that lets External Secrets Operator
# read the Bookstore DB credentials FROM Vault using a bookstore
# ServiceAccount's projected token.
#
# !!! THIS IS NOT A KUBERNETES OBJECT — applied with the `vault` CLI !!!
# Vault policies and auth roles are configured via the Vault API/CLI, NOT
# `kubectl apply`. This file is shown as the EXACT `vault` commands it
# encodes, the same honesty pattern as the guide's apiserver-level files
# (examples/bookstore/cluster/encryption-config.yaml / audit-policy.yaml — a
# concrete file, run the documented non-kubectl way). It is wrapped in a
# deliberately-never-applied ConfigMap ONLY so the repo's whole-dir YAML
# dry-run sweep stays green; the object below must NOT be applied.
#
# DEV-MODE HONESTY: the chapter runs Vault in DEV mode on kind (in-memory,
# auto-unsealed, root token = "root"). That is NOT production Vault (no HA, no
# real seal/unseal, no audit device, data lost on pod restart). It faithfully
# demonstrates the k8s auth method + ESO sync + dynamic secrets; production
# Vault is HA + auto-unseal via cloud KMS + audit-logged (production notes).
# Only the Vault DEPLOYMENT TOPOLOGY is the local substitute — the ESO/Vault
# mechanics are real and unfaked.
#
# ── 1. KV v2 policy: read-only on EXACTLY the Bookstore secret path ─────────
# Save as bookstore-ro.hcl, then:  vault policy write bookstore-ro bookstore-ro.hcl
#
#   # bookstore-ro.hcl  (LEAST PRIVILEGE — read one path, nothing else)
#   path "secret/data/bookstore/db" {
#     capabilities = ["read"]
#   }
#   # dynamic DB creds (chapter step 5) — generate a short-lived role's creds,
#   # NOT static reads:
#   path "database/creds/bookstore-app" {
#     capabilities = ["read"]
#   }
#
# ── 2. Kubernetes auth: bind a dedicated SA to that policy ──────────────────
#   vault auth enable kubernetes
#   vault write auth/kubernetes/config \
#     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
#   vault write auth/kubernetes/role/bookstore-eso \
#     bound_service_account_names="bookstore-eso" \
#     bound_service_account_namespaces="bookstore" \
#     policies="bookstore-ro" \
#     ttl="15m"        # SHORT auth-token TTL — the login token is short-lived
#
# ── 3. Seed the static demo secret (the value that REPLACES 16-) ────────────
#   vault kv put secret/bookstore/db \
#     POSTGRES_USER=bookstore \
#     POSTGRES_PASSWORD=devpassword \
#     POSTGRES_DB=bookstore
#   # ↑ DEMO-ONLY value, identical to the throwaway in the canonical
#   #   raw-manifests/16-db-credentials.yaml. The POINT of this chapter: in
#   #   production this value lives ONLY in Vault (rotated, audited, never in
#   #   Git). 16- stays the documented local-lab exception, UNTOUCHED.
apiVersion: v1
kind: ConfigMap
metadata:
  name: bookstore-vault-setup-NOT-APPLIED
  namespace: bookstore
  labels:
    app.kubernetes.io/part-of: bookstore
  annotations:
    note: >-
      DOC CARRIER ONLY — deliberately NOT part of any apply flow. The real
      artifacts are the `vault` CLI commands in the header (Vault policy +
      k8s auth role + KV seed), run against the dev-mode Vault in the chapter
      Hands-on. Wrapped in a never-applied ConfigMap so the file is YAML-valid
      for the dry-run sweep without implying it is a resource to create.
data:
  README: "See the header — Vault policy/role/seed are `vault` CLI, not kubectl."
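# Added check, not part of the guide or the Bookstore repo: a least-privilege
# lint for the bookstore-ro.hcl policy in the header, run offline with the
# policy text embedded as a constructed copy (regex-based, not a full HCL parser).

```python
"""Lint the bookstore-ro.hcl policy: every stanza must be read-only on an
exact, allowed path, and KV v2 paths must carry the data/ (or metadata/)
segment that the mount's API actually uses."""
import re

# Constructed copy of the policy from the header above.
BOOKSTORE_RO_HCL = '''
path "secret/data/bookstore/db" {
  capabilities = ["read"]
}
path "database/creds/bookstore-app" {
  capabilities = ["read"]
}
'''

# The only paths the bookstore-eso role should ever be granted (assumption:
# taken from the header, extend if the chapter adds a path).
ALLOWED_PATHS = {"secret/data/bookstore/db", "database/creds/bookstore-app"}

_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Return {path: {capabilities}} for every path stanza in the policy."""
    policy = {}
    for path, body in _STANZA.findall(hcl):
        m = _CAPS.search(body)
        caps = {c.strip().strip('"') for c in m.group(1).split(",") if c.strip()} if m else set()
        policy[path] = caps
    return policy


def lint_policy(hcl: str, allowed=ALLOWED_PATHS) -> list[str]:
    """Return findings; an empty list means the policy is least-privilege."""
    findings = []
    policy = parse_policy(hcl)
    for path, caps in policy.items():
        if path not in allowed:
            findings.append(f"{path}: not an allowed bookstore path")
        if "*" in path or "+" in path:  # Vault glob / single-segment wildcard
            findings.append(f"{path}: wildcard widens the grant beyond one path")
        if path.startswith("secret/") and not path.startswith(("secret/data/", "secret/metadata/")):
            findings.append(f"{path}: KV v2 paths need the data/ segment (secret/data/...)")
        extra = caps - {"read"}  # anything beyond read is not read-only
        if extra:
            findings.append(f"{path}: capabilities beyond read: {sorted(extra)}")
    for missing in allowed - policy.keys():
        findings.append(f"{missing}: required path is not granted")
    return findings
```

Run it against the saved bookstore-ro.hcl before `vault policy write`; a non-empty list means the policy drifted from "read one path, nothing else".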
