Vault Provider

The Vault provider allows Traefik Enterprise to use TLS certificates stored in Vault using the KV secret engine version 2.

All certificates must be stored base64-encoded in the data map under the cert and key keys, respectively.

curl -X POST \
    -H "Content-Type: application/json" \
    -H "X-Vault-Token: <Vault token>" \
    -d '{"data": {"cert": "<base64-encoded certificate>", "key": "<base64-encoded key>"}}' \
    http://127.0.0.1:8200/v1/secret/data/example.org
vault kv put secret/example.org cert="$(cat cert.pem | base64 -w0)" key="$(cat key.pem | base64 -w0)"

Path Requirement

The Vault TLS provider requires all secrets to be at the root of the KV secret engine.

Dedicated KV Secret Engine

It is recommended to use a dedicated KV secret engine in Vault to store TLS certificates.

Provider Configuration

The Vault provider is enabled and configured in the static configuration:

providers:
  plugin:
    vault:
      url: "http://127.0.0.1:8200"
      token: "s.CUDDqqjiIFXF60KVSeJOxeb5"
      enginePath: "secret"
      syncInterval: "5s"
      rescanInterval: "60s"
[providers.plugin.vault]
  url = "http://127.0.0.1:8200"
  token = "s.CUDDqqjiIFXF60KVSeJOxeb5"
  enginePath = "secret"
  syncInterval = "5s"
  rescanInterval = "60s"

url

Required, Default=""

Defines the URL of the Vault server, including the scheme and port.

providers:
  plugin:
    vault:
      url: "http://127.0.0.1:8200"
[providers.plugin.vault]
  url = "http://127.0.0.1:8200"

token

Required, Default=""

Defines the token to authenticate with Vault.

Supported Authentication Mechanisms

The Vault provider currently supports token authentication only.

providers:
  plugin:
    vault:
      token: "s.CUDDqqjiIFXF60KVSeJOxeb5"
[providers.plugin.vault]
  token = "s.CUDDqqjiIFXF60KVSeJOxeb5"

enginePath

Optional, Default="secret"

Defines the path under which the KV secret engine is enabled.

providers:
  plugin:
    vault:
      enginePath: "secret"
[providers.plugin.vault]
  enginePath = "secret"
providers:
  plugin:
    vault:
      enginePath: "secret"

syncInterval

Optional, Default="5s"

Defines the interval at which the Vault provider looks for new or deleted TLS certificates.

providers:
  plugin:
    vault:
      syncInterval: "5s"
[providers.plugin.vault]
  syncInterval = "5s"

rescanInterval

Optional, Default="60s"

Defines the interval at which the Vault provider performs a full rescan of all TLS certificates to check for updates.

Rescanning with Many Certificates

This operation performs at least one request per certificate stored in Vault. If there are many certificates, this interval may need to be increased to reduce load on Vault.

providers:
  plugin:
    vault:
      rescanInterval: "60s"
[providers.plugin.vault]
  rescanInterval = "60s"