How do I inject Vault secrets into staging/production/preview environments?

Staging/Production

By default, enabling Vault via jx boot 's jx-requirements.yml will only activate it in your pipeline and preview environments, not in staging and production. To also activate it in those environments, simply add a jx-requirements.yml file to the root of their repo, with at least the following content:

secretStorage: vault

Note that the file must be named with .yml , not .yaml , or else the requirements loader cannot load the proper file.

Then, assuming you have a secret in Vault with path secret/path/to/mysecret containing key password , you can inject it into service myapp (for instance, as a PASSWORD environment variable) by adding the following to your staging repo’s /env/values.yaml :

myapp:
  env:
    PASSWORD: vault:path/to/mysecret:password

Notice the prefixing with vault: URL scheme and also that we omit first path component ( secret/ ), as it gets added automatically. Finally, the key name is separated from path by a colon ( : ).

If your secret is not environment-specific, you can also inject it directly into your app’s /charts/myapp/values.yaml :

env:
  PASSWORD: vault:path/to/mysecret:password

However, note that this value would be overriden at the environment level if the same key is also present there.

Preview

Vault does not need to be explicitly enabled for preview environment. To inject same secret as above into your preview, simply add the following to your app’s /charts/preview/values.yaml :

preview:
  env:
    PASSWORD: vault:path/to/mysecret:password

see How do I inject a Vault secret via a Kubernetes Secret?