Create Secrets in HashiCorp Vault

After you set your secret storage tool to HashiCorp Vault, you must also create secrets in Vault. This applies when you're manually migrating your existing Kubernetes secrets or you're creating secrets for the first time.

For a list of secrets that you must manually migrate to Vault, see the Vault section of Configure Secret Storage.

The following tutorial stores your Programmatic API Key in Vault. You can adapt the commands in this procedure to add other secrets to Vault by changing the base path, the namespace, and the secret name.

To learn more about secret storage tools, see Configure Secret Storage.

Prerequisites

To create credentials for the Kubernetes Operator in Vault, you must:

  1. Have or create an Ops Manager Organization.

  2. Have or generate a Programmatic API Key.

  3. Grant this new Programmatic API Key the Project Owner role.

  4. Add the IP or CIDR block of any hosts that serve the Kubernetes Operator to the API Access List.

  5. Set up a Vault instance and enable Vault.

    Note

    Ensure that Vault is not running in dev mode and that your Vault installation follows any applicable configuration recommendations.

Procedure

To create your secret in Vault:

1. Make sure you have the public and private keys for your desired Ops Manager Programmatic API Key.

2. Invoke the following Vault command to create your secret, replacing the variables with the values in the table:

   Placeholder    Description
   -----------    -----------
   {Namespace}    Label that identifies the namespace where you deployed the Kubernetes Operator.
   {SecretName}   Human-readable label that identifies the secret you're creating in Vault.
   {PublicKey}    The public key for your desired Ops Manager Programmatic API Key.
   {PrivateKey}   The private key for your desired Ops Manager Programmatic API Key.

   vault kv put secret/data/mongodbenterprise/operator/{Namespace}/{SecretName} publicKey={PublicKey} privateKey={PrivateKey}

   The path in this command is the default path. You can replace mongodbenterprise/operator with your base path if you customized your Kubernetes Operator configuration.
3. Invoke the following Vault command to verify your secret, replacing the variables with the values in the following table:

   Placeholder    Description
   -----------    -----------
   {Namespace}    Label that identifies the namespace where you deployed the Kubernetes Operator.
   {SecretName}   Human-readable label that identifies the secret you created in Vault.

   vault kv get secret/data/mongodbenterprise/operator/{Namespace}/{SecretName}

This command returns a secret description in the shell:

====== Metadata ======
Key Value
--- -----
created_time 2021-12-15T17:20:22.985303Z
deletion_time n/a
destroyed false
version 1
======= Data =======
Key Value
--- -----
publicKey {PublicKey}
privateKey {PrivateKey}
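The two commands of the procedure above, wrapped in a small bash helper as an added example (not part of the MongoDB documentation or the Operator itself). It assumes the vault CLI is installed and already authenticated (VAULT_ADDR and VAULT_TOKEN set), that the KV engine is mounted at secret/, and that the hypothetical OPERATOR_BASE_PATH variable carries a customized base path; the private key is read from stdin rather than passed as an argument, so it stays out of argv and shell history.

```shell
#!/usr/bin/env bash
# Added example (not part of the MongoDB docs): wraps the `vault kv put` and
# `vault kv get` steps above. Assumes the vault CLI is installed and already
# authenticated (VAULT_ADDR / VAULT_TOKEN set) and the KV engine is mounted at secret/.
set -eu

# Build the path the Kubernetes Operator reads, under the default base path or a
# custom one (hypothetical OPERATOR_BASE_PATH). Empty components and components
# containing "/" are rejected so a malformed name cannot land outside the operator subtree.
vault_api_key_path() {
  local base="${1:-mongodbenterprise/operator}" ns="${2:-}" name="${3:-}" part
  base="${base#/}"; base="${base%/}"
  for part in "$ns" "$name"; do
    if [ -z "$part" ] || [ "${part#*/}" != "$part" ]; then
      echo "invalid namespace or secret name: '$part'" >&2
      return 1
    fi
  done
  printf '%s\n' "secret/data/${base}/${ns}/${name}"
}

# Write the key pair. The private key is read from stdin and handed to Vault as
# "privateKey=-" (value read from stdin) so it never appears in argv or shell
# history; only the public key is on the command line.
store_api_key() {
  local path="$1" public_key="$2" private_key=""
  IFS= read -rs private_key || true
  [ -n "$private_key" ] || { echo "private key missing on stdin" >&2; return 1; }
  printf '%s' "$private_key" | vault kv put "$path" publicKey="$public_key" privateKey=-
}

# Verify the stored public key without printing the private key back to the terminal.
verify_api_key() {
  local path="$1" expected="$2" stored
  stored="$(vault kv get -field=publicKey "$path")"
  [ "$stored" = "$expected" ] || { echo "publicKey mismatch at $path" >&2; return 1; }
  echo "secret at $path verified"
}

# Usage: ./vault-api-key.sh NAMESPACE SECRET_NAME PUBLIC_KEY < private-key.txt
# (with no arguments the script only defines the helpers, so it can be sourced).
if [ "$#" -eq 3 ]; then
  secret_path="$(vault_api_key_path "${OPERATOR_BASE_PATH:-}" "$1" "$2")"
  store_api_key "$secret_path" "$3"
  verify_api_key "$secret_path" "$3"
fi
```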