vault-k8s-auth


Vault Kubernetes Auth


Services on Kubernetes authenticate to Vault using the Kubernetes auth method via the `hvac` library. This applies to any Python service the team deploys on the cluster, not just Dagster.

Environment variables


Never hardcode the Vault role or mount path. Always read them from environment variables:

| Variable | Purpose |
| --- | --- |
| `VAULT_ADDR` | URL of the Vault server |
| `VAULT_ROLE` | Vault role bound to the pod's Kubernetes service account |
| `VAULT_K8S_MOUNT` | Vault Kubernetes auth mount path |

Example wiring:

```python
import os
import hvac

# Standard path of the projected service-account token mounted into every pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _read_service_account_token() -> str:
    with open(SA_TOKEN_PATH, encoding="utf-8") as fh:
        return fh.read().strip()


vault_role = os.environ["VAULT_ROLE"]
vault_mount = os.environ["VAULT_K8S_MOUNT"]

client = hvac.Client(url=os.environ["VAULT_ADDR"])
# Exchanges the pod's service-account JWT for a Vault token; hvac stores the
# returned token on the client for subsequent requests.
client.auth.kubernetes.login(
    role=vault_role,
    jwt=_read_service_account_token(),
    mount_point=vault_mount,
)
```
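The wiring above leaves three things to the caller: what happens when a variable is missing or misconfigured, where the service-account JWT comes from on each login, and what to do when the Vault token issued at login expires. The following is an added example, not code from this page or the project, that handles all three. It assumes the standard projected token path `/var/run/secrets/kubernetes.io/serviceaccount/token`, the shape of Vault's login response (`auth.client_token`, `auth.lease_duration`), and the illustrative names `VaultConfig`, `VaultSession`, `load_config`, `read_service_account_token` and `kubernetes_login`.

```python
"""Env-driven Vault Kubernetes login: fail-fast configuration, re-reading the
projected service-account token, and re-login before the Vault token expires.

Added example, not the page's or the project's own code. Assumes the standard
projected token path below and Vault's login response shape
{"auth": {"client_token": ..., "lease_duration": ...}}; VaultConfig,
VaultSession, load_config, read_service_account_token and kubernetes_login
are illustrative names.
"""
import os
import time
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Standard path of the projected service-account token mounted into every pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
REQUIRED_VARS = ("VAULT_ADDR", "VAULT_ROLE", "VAULT_K8S_MOUNT")


@dataclass(frozen=True)
class VaultConfig:
    addr: str
    role: str
    mount: str


def load_config(env: Mapping[str, str] = os.environ) -> VaultConfig:
    """Read the three variables and refuse to start if any is missing or empty.

    Deliberately no fallback defaults: a silently defaulted role or mount would
    send the pod's JWT to the wrong auth binding instead of failing loudly.
    """
    missing = [v for v in REQUIRED_VARS if not env.get(v, "").strip()]
    if missing:
        raise RuntimeError("missing Vault configuration: " + ", ".join(missing))
    addr = env["VAULT_ADDR"].strip()
    if not addr.startswith("https://"):
        # The SA JWT is a bearer credential; never send it over plaintext HTTP.
        raise RuntimeError("VAULT_ADDR must be an https:// URL")
    # hvac builds /v1/auth/<mount>/login, so the mount must carry no slashes.
    mount = env["VAULT_K8S_MOUNT"].strip().strip("/")
    return VaultConfig(addr=addr, role=env["VAULT_ROLE"].strip(), mount=mount)


def read_service_account_token(path: str = SA_TOKEN_PATH) -> str:
    """Read the projected token fresh on every login: kubelet rotates it."""
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    if token.count(".") != 2:  # a JWT is header.payload.signature
        raise RuntimeError(f"{path} does not contain a JWT")
    return token


class VaultSession:
    """Caches the Vault client token and re-authenticates before it expires.

    `login` is any callable returning Vault's login response; in production it
    wraps hvac's client.auth.kubernetes.login, in tests it can be a fake.
    """

    REFRESH_FRACTION = 0.2  # re-login once 20% of the lease remains

    def __init__(self, login: Callable[[], dict],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._login = login
        self._clock = clock
        self._token: Optional[str] = None
        self._refresh_at = 0.0

    def token(self) -> str:
        if self._token is None or self._clock() >= self._refresh_at:
            self._authenticate()
        return self._token  # type: ignore[return-value]

    def _authenticate(self) -> None:
        auth = (self._login() or {}).get("auth") or {}
        token = auth.get("client_token")
        lease = int(auth.get("lease_duration") or 0)
        if not token:
            raise RuntimeError("Vault login returned no client token")
        self._token = token
        # lease_duration 0 means the token never expires; otherwise refresh early.
        self._refresh_at = (float("inf") if lease == 0
                            else self._clock() + lease * (1 - self.REFRESH_FRACTION))


def kubernetes_login(cfg: VaultConfig, token_path: str = SA_TOKEN_PATH) -> Callable[[], dict]:
    """Build the production login callable around hvac (imported lazily so the
    rest of this module, and its tests, run without hvac installed)."""
    import hvac

    client = hvac.Client(url=cfg.addr)

    def _login() -> dict:
        return client.auth.kubernetes.login(
            role=cfg.role,
            jwt=read_service_account_token(token_path),
            mount_point=cfg.mount,
        )

    return _login


if __name__ == "__main__":
    session = VaultSession(kubernetes_login(load_config()))
    session.token()
    print("authenticated to Vault")
```

Two design points worth keeping even if the rest is adapted: the JWT is read from disk at every login rather than cached at startup, because the kubelet rotates the projected token and a cached copy eventually stops validating; and the login callable is injected into `VaultSession`, so the refresh logic can be exercised with a fake clock and a fake Vault response without a cluster.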

Kubernetes RBAC / auth binding


Use the `OLEKSAuthBinding` component to bind the pod's Kubernetes service account to the Vault role. This component handles the Vault policy and role configuration. The role must be bound to the specific service account name and namespace the pod runs under, so that a token presented by any other service account or from another namespace is rejected at login.

Helm / pod spec


Inject the variables via Helm values for each service's deployment:

```yaml
env:
  - name: VAULT_ROLE
    value: "<service-name>-role"
  - name: VAULT_K8S_MOUNT
    value: "<mount-path>"
  - name: VAULT_ADDR
    valueFrom:
      secretKeyRef:
        name: vault-config
        key: addr
```