
Create Secrets in HashiCorp Vault


After you set your secret storage tool to HashiCorp Vault, you must also create secrets in Vault. This applies when you’re manually migrating your existing Kubernetes secrets or you’re creating secrets for the first time.

For a list of secrets that you must manually migrate to Vault, see the Vault section of Configure Secret Storage.

The following tutorial stores your Programmatic API Key in Vault. You can adapt the commands in this procedure to add other secrets to Vault by changing the base path, the namespace, and the secret name.

To learn more about secret storage tools, see Configure Secret Storage.

Prerequisites

To create credentials for the Kubernetes Operator in Vault, you must:

  1. Have or create an Ops Manager Organization.

  2. Have or generate a Programmatic API Key.

  3. Grant this new Programmatic API Key the Project Owner role.

  4. Add the IP or CIDR block of any hosts that serve the Kubernetes Operator to the API Whitelist.

  5. Set up a Vault instance and enable Vault as the secret storage tool for the Kubernetes Operator.

    Note

    Ensure that Vault is not running in dev mode (dev mode keeps all secrets in memory, starts unsealed with a root token, and listens on plaintext HTTP) and that your Vault installation follows HashiCorp's production hardening recommendations.

Procedure

To create your secret in Vault:

1

Obtain the Ops Manager public and private keys.

Make sure you have the public and private keys for your desired Ops Manager Programmatic API Key.

2

Create the secret in Vault.

Invoke the following Vault command to create your secret, replacing the placeholders with the values in the table:

Placeholder Description
{Namespace} Label that identifies the namespace where you deployed the Kubernetes Operator.
{SecretName} Human-readable label that identifies the secret you’re creating in Vault.
{PublicKey} The public key for your desired Ops Manager Programmatic API Key.
{PrivateKey} The private key for your desired Ops Manager Programmatic API Key.

vault kv put secret/data/mongodbenterprise/operator/{Namespace}/{SecretName} publicKey={PublicKey} privateKey={PrivateKey}

The path in this command is the default path. If you customized the base path in your Kubernetes Operator configuration, replace mongodbenterprise/operator with your base path.

Passing the private key as a command-line argument records it in your shell history and exposes it to other users of the host through process listings. Prefer to have the Vault CLI read it from a file that only you can read, with privateKey=@/path/to/file, or from standard input, with privateKey=-.

3

Verify that the secret was created in Vault.

Invoke the following Vault command to verify your secret, replacing the placeholders with the values in the following table. Note that vault kv get, like vault kv put, rewrites the path to match the KV engine version at the mount (on a KV version 2 mount it inserts the data/ segment itself), so it reads back whatever vault kv put wrote under the same argument. To confirm that the secret also sits at the raw API path the Kubernetes Operator reads, read it once more with vault read secret/data/mongodbenterprise/operator/{Namespace}/{SecretName}, which performs no path rewriting; a "No value found" response means the secret was stored under a different path than the one the Operator expects.

Placeholder Description
{Namespace} Label that identifies the namespace where you deployed Kubernetes Operator.
{SecretName} Human-readable label that identifies the secret you’re creating in Vault.
vault kv get secret/data/mongodbenterprise/operator/{Namespace}/{SecretName}

This command returns a secret description in the shell:

====== Metadata ======
Key              Value
---              -----
created_time     2021-12-15T17:20:22.985303Z
deletion_time    n/a
destroyed        false
version          1

======= Data =======
Key          Value
---          -----
publicKey    {PublicKey}
privateKey   {PrivateKey}
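The three steps above as one script, added here as an example; it is not part of the MongoDB or HashiCorp documentation. It assumes a KV version 2 secrets engine mounted at secret and the default base path mongodbenterprise/operator; the VAULT_KV_MOUNT, OPERATOR_BASE_PATH, OM_PUBLIC_KEY and OM_PRIVATE_KEY variables, every function name, and the sample JSON responses are this example's own. It goes beyond the page in two ways: it builds the argument for the vault kv CLI without the data/ segment, because on a KV version 2 mount the CLI inserts that segment itself, and it passes the key pair to Vault as JSON on standard input instead of as command-line arguments.

```shell
#!/usr/bin/env bash
# Added example; not from the MongoDB or HashiCorp documentation.
# Assumes a KV version 2 secrets engine mounted at "secret" and the default
# Operator base path mongodbenterprise/operator. VAULT_KV_MOUNT,
# OPERATOR_BASE_PATH, OM_PUBLIC_KEY, OM_PRIVATE_KEY and all function names
# are this example's own, not Operator or Vault settings.
set -eu

MOUNT="${VAULT_KV_MOUNT:-secret}"
BASE_PATH="${OPERATOR_BASE_PATH:-mongodbenterprise/operator}"

# Raw HTTP API path of the secret. KV v2 serves secret data at
# <mount>/data/<path>; this is the path the Operator reads.
operator_api_path() { # <namespace> <secret-name>
  printf '%s/data/%s/%s/%s\n' "$MOUNT" "$BASE_PATH" "$1" "$2"
}

# Path to hand to the `vault kv` CLI. On a KV v2 mount the CLI inserts the
# "data/" segment itself, so the argument must not contain it.
operator_cli_path() { # <namespace> <secret-name>
  printf '%s/%s/%s/%s\n' "$MOUNT" "$BASE_PATH" "$1" "$2"
}

# Reject an API path that carries "data/" twice: that is where a `vault kv
# put` of an already-prefixed argument lands on a v2 mount, and `vault kv
# get` with the same argument would still appear to "verify" it.
check_no_double_data() { # <api-path>
  case "$1" in
    */data/data/*) return 1 ;;
  esac
  return 0
}

# Check a `vault kv get -format=json` response read from stdin: publicKey and
# privateKey present and non-empty, and the version not destroyed. Uses only
# grep so it works where jq is not installed.
verify_secret_json() {
  json="$(cat)"
  for key in publicKey privateKey; do
    printf '%s\n' "$json" | grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" || return 1
  done
  printf '%s\n' "$json" | grep -Eq '"destroyed"[[:space:]]*:[[:space:]]*false'
}

# Write the secret, then read it back and check it. The key pair is sent to
# the CLI as JSON on stdin ("-"), not as key=value arguments, so it does not
# end up in shell history or in `ps` output (Ops Manager keys are plain
# hex/UUID strings, so no JSON escaping is needed). Needs OM_PUBLIC_KEY and
# OM_PRIVATE_KEY in the environment and a logged-in vault CLI, so it is the
# one function here that does not run offline.
create_operator_secret() { # <namespace> <secret-name>
  api_path="$(operator_api_path "$1" "$2")"
  cli_path="$(operator_cli_path "$1" "$2")"
  check_no_double_data "$api_path"
  printf '{"publicKey":"%s","privateKey":"%s"}\n' \
    "${OM_PUBLIC_KEY:?set OM_PUBLIC_KEY}" "${OM_PRIVATE_KEY:?set OM_PRIVATE_KEY}" \
    | vault kv put "$cli_path" - >/dev/null
  # `vault read` performs no path rewriting, so this proves the secret is at
  # the raw API path; the kv command then validates the content.
  vault read "$api_path" >/dev/null
  vault kv get -format=json "$cli_path" | verify_secret_json
}

# Constructed samples of a `vault kv get -format=json` response (not real
# Vault output; the key values are placeholders).
SAMPLE_OK='{"data":{"data":{"publicKey":"abcdefgh","privateKey":"00000000-1111-2222-3333-444444444444"},"metadata":{"created_time":"2021-12-15T17:20:22.985303Z","deletion_time":"","destroyed":false,"version":1}}}'
SAMPLE_BAD='{"data":{"data":{"publicKey":"abcdefgh","privateKey":""},"metadata":{"destroyed":false,"version":1}}}'

demo_verify_ok()  { printf '%s\n' "$SAMPLE_OK"  | verify_secret_json; }
demo_verify_bad() { printf '%s\n' "$SAMPLE_BAD" | verify_secret_json; }
```

Usage against a real Vault: export OM_PUBLIC_KEY and OM_PRIVATE_KEY, log in with the vault CLI, then run create_operator_secret {Namespace} {SecretName}. The vault read call fails with "No value found" if the secret did not land on the API path the Operator reads, which vault kv get alone would not reveal.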