@rezamt
Created October 6, 2025 02:14
Vault Crossplane Provider Configuration
``` bash
echo "Setting up crossplane-system"
kubectl config set-context --current --namespace=crossplane-system
kubectl ns
echo "Registering HCL Upbound Vault Provider"
kubectl apply -f vault-provider.yaml
echo "Sleeping for 10 secs"
sleep 10
echo "Registering HCL Upbound Vault Provider Config"
kubectl apply -f vault-provider-secret.yaml
kubectl apply -f vault-provider-config.yaml
```
``` yaml
# Attention: Upbound Vault provider version > 2 requires Crossplane v2
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: upbound-provider-vault
  namespace: crossplane-system
spec:
  package: xpkg.upbound.io/upbound/provider-vault:v2
---
apiVersion: vault.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: vault-provider-config
  namespace: crossplane-system
spec:
  address: "https://vault-1234567890.australia-southeast1.run.app"
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: vault-provider-secret
      key: token
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-provider-secret
  namespace: crossplane-system
type: Opaque
stringData:
  # This is a root token. The comment sits above the key on purpose: inside a
  # block scalar a trailing "# ..." is literal content and would corrupt the JSON.
  token: |
    {"token":"hvs.yix5VJ4a0kUC5xDmbSYiRfK8"}
---
```
``` bash
echo "Setting up crossplane-system"
kubectl config set-context --current --namespace=crossplane-system
kubectl ns
echo "Registering Hashicorp Azure Secret Engine - Helloworld Secret Backend Role"
kubectl apply -f 02-vault-azure-hellworld-backend-role.yaml
```
``` yaml
# SecretBackendRole for Azure Secrets Engine
# Creates a role in the Vault Azure Secrets Engine for the Techbot application
# Reference: https://marketplace.upbound.io/providers/upbound/provider-vault/v2.2.1/resources/azure.vault.upbound.io/SecretBackendRole/v1alpha1
#
apiVersion: azure.vault.upbound.io/v1alpha1
kind: SecretBackendRole
metadata:
  name: vault-azure-hellworld-backend-role
  namespace: crossplane-system
spec:
  forProvider:
    # Path where the Azure Secrets Engine is enabled (see vault-crossplane.yaml)
    backend: azure
    # Name of the role within the Azure Secrets Engine
    role: techbot
    # Azure Application (App Registration) Object ID for Techbot
    applicationObjectId: "121234567812-ef05-4031-b85d-123456789"
    # Optional: set TTLs for generated credentials
    ttl: 1h
    maxTtl: 24h
  providerConfigRef:
    name: vault-provider-config
```

The following configuration shows how to set up the Vault Crossplane Provider in a Kubernetes cluster.

The Upbound Vault Provider version: v2.2.1

From version v2.2.2 onward, Crossplane v2 is required.

  • Crossplane (2.0+)
  • Upbound Crossplane (UXP) (2.0+)

Provider Configuration Switches

Configuration Parameters

| Parameter | Short | Default | Unit/Type | Environment Variable | Deprecated | Description |
|---|---|---|---|---|---|---|
| debug | d | false | boolean | - | No | Run with debug logging |
| sync | s | 1h | duration (hours) | - | No | Controller manager sync period |
| poll | - | 10m | duration (minutes) | - | No | Poll interval for drift checking |
| poll-state-metric | - | 5s | duration (seconds) | - | No | State metric recording interval |
| leader-election | l | false | boolean | LEADER_ELECTION | No | Use leader election for controller manager |
| max-reconcile-rate | - | 10 | rate (per second) | - | No | Global maximum rate for drift checking |
| webhook-port | - | 9443 | port number | WEBHOOK_PORT | No | Port the webhook listens on |
| metrics-bind-address | - | :8080 | address | METRICS_BIND_ADDRESS | No | Address for metrics server |
| changelogs-socket-path | - | /var/run/changelogs/changelogs.sock | file path | CHANGELOGS_SOCKET_PATH | No | Path for changelogs socket |
| enable-management-policies | - | true | boolean | ENABLE_MANAGEMENT_POLICIES | No | Enable Management Policies support |
| enable-changelogs | - | false | boolean | ENABLE_CHANGE_LOGS | No | Enable change logs during reconciliation |
| certs-dir | - | /tls/server | directory path | CERTS_DIR | No | Directory containing server key and certificate |
| namespace | - | upbound-system | string | POD_NAMESPACE | Yes | Namespace for default secret store config |
| enable-external-secret-stores | - | false | boolean | ENABLE_EXTERNAL_SECRET_STORES | Yes | Enable ExternalSecretStores support |
| ess-tls-cert-dir | - | - | directory path | ESS_TLS_CERTS_DIR | Yes | Path of ESS TLS certificates |

Duration Format Examples

Duration parameters accept formats such as:

  • 300ms - milliseconds
  • 1.5h - hours
  • 2h45m - hours and minutes
  • 10m - minutes
  • 5s - seconds

Notes

  • Deprecated parameters are hidden and will be removed in a future release
  • Deprecated parameters relate to the ESS (External Secret Stores) support removal
  • Rate limits are measured in operations per second
  • Internal timeouts (not configurable via CLI):
    • Lease Duration: 60s
    • Renew Deadline: 50s
    • Poll Jitter: 5% of poll interval
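As an added example (not part of the gist), a small Python linter that checks a DeploymentRuntimeConfig's container `args` against the switch table and duration formats above: unknown flags, deprecated ESS flags and malformed values are reported, and the internal 5% poll jitter is derived from the parsed poll interval. The switch table is transcribed from this page; the sample args are those of the `vault-production-config` below.

```python
import re

# Switch table transcribed from this page: flag -> value kind; deprecated flags listed separately.
KIND = {"debug": "boolean", "sync": "duration", "poll": "duration", "poll-state-metric": "duration",
        "leader-election": "boolean", "max-reconcile-rate": "int", "webhook-port": "int",
        "metrics-bind-address": "string", "changelogs-socket-path": "string", "certs-dir": "string",
        "enable-management-policies": "boolean", "enable-changelogs": "boolean",
        "namespace": "string", "enable-external-secret-stores": "boolean", "ess-tls-cert-dir": "string"}
DEPRECATED = {"namespace", "enable-external-secret-stores", "ess-tls-cert-dir"}
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}

PRODUCTION_ARGS = [  # container args of the vault-production-config DeploymentRuntimeConfig on this page
    "--sync=1h", "--poll=10m", "--poll-state-metric=10s", "--max-reconcile-rate=50",
    "--leader-election=true", "--metrics-bind-address=:8080", "--webhook-port=9443",
    "--enable-management-policies=true",
]

def parse_duration(text):
    """Parse a Go-style duration (300ms, 1.5h, 2h45m, ...) into whole milliseconds."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(ms|s|m|h)", text)
    if not parts or "".join(n + u for n, u in parts) != text:  # reject trailing or unknown units
        raise ValueError(f"bad duration {text!r}")
    return round(sum(float(n) * UNIT_MS[u] for n, u in parts))

def parse_bool(value):
    """A bare --flag means true; anything other than true/false is rejected."""
    if value not in ("", "true", "false"):
        raise ValueError(value)
    return value != "false"

PARSERS = {"boolean": parse_bool, "duration": parse_duration, "int": int, "string": str}

def check_args(args):
    """Return (parsed values, findings) for a list of `--flag[=value]` container args."""
    parsed, findings = {}, []
    for arg in args:
        name, _, value = arg.lstrip("-").partition("=")
        if name not in KIND:
            findings.append(f"unknown flag --{name}")
            continue
        if name in DEPRECATED:
            findings.append(f"--{name} is deprecated (ESS support removal)")
        try:
            parsed[name] = PARSERS[KIND[name]](value)
        except ValueError:
            findings.append(f"--{name}={value!r} is not a valid {KIND[name]}")
    if "poll" in parsed:  # internal, not configurable via CLI: jitter is 5% of the poll interval
        parsed["poll-jitter"] = round(parsed["poll"] * 0.05)
    return parsed, findings
```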
``` yaml
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: vault-dev-config
  annotations:
    description: "Basic development configuration for provider-vault"
spec:
  deploymentTemplate:
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: provider-vault
      template:
        spec:
          containers:
            - name: package-runtime
              args:
                - --debug
                - --sync=5m
                - --poll=2m
                - --max-reconcile-rate=20
                - --enable-management-policies=true
              resources:
                limits:
                  cpu: "500m"
                  memory: "512Mi"
                requests:
                  cpu: "250m"
                  memory: "256Mi"
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: vault-production-config
  annotations:
    description: "Production configuration with leader election and standard intervals"
spec:
  deploymentTemplate:
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: provider-vault
      template:
        spec:
          containers:
            - name: package-runtime
              args:
                - --sync=1h
                - --poll=10m
                - --poll-state-metric=10s
                - --max-reconcile-rate=50
                - --leader-election=true
                - --metrics-bind-address=:8080
                - --webhook-port=9443
                - --enable-management-policies=true
              resources:
                limits:
                  cpu: "1"
                  memory: "1Gi"
                requests:
                  cpu: "500m"
                  memory: "512Mi"
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: vault-high-performance
  annotations:
    description: "High-performance configuration for large-scale deployments"
spec:
  deploymentTemplate:
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: provider-vault
      template:
        spec:
          containers:
            - name: package-runtime
              args:
                - --sync=2h
                - --poll=15m
                - --poll-state-metric=30s
                - --max-reconcile-rate=200
                - --leader-election=true
                - --metrics-bind-address=:8080
                - --enable-management-policies=true
              resources:
                limits:
                  cpu: "4"
                  memory: "4Gi"
                requests:
                  cpu: "2"
                  memory: "2Gi"
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: vault-env-config
  annotations:
    description: "Configuration using environment variables"
spec:
  deploymentTemplate:
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: provider-vault
      template:
        spec:
          containers:
            - name: package-runtime
              env:
                - name: LEADER_ELECTION
                  value: "true"
                - name: WEBHOOK_PORT
                  value: "9443"
                - name: METRICS_BIND_ADDRESS
                  value: ":8080"
                - name: ENABLE_MANAGEMENT_POLICIES
                  value: "true"
                - name: ENABLE_CHANGE_LOGS
                  value: "false"
              args:
                - --sync=1h
                - --poll=10m
                - --max-reconcile-rate=50
              resources:
                limits:
                  cpu: "1"
                  memory: "1Gi"
                requests:
                  cpu: "500m"
                  memory: "512Mi"
```