# Vault Provider
The Vault provider allows Traefik Enterprise to use TLS certificates stored in Vault using the KV secret engine version 2.

Each certificate must be stored base64-encoded in the secret's data map: the PEM certificate under the `cert` key and its PEM private key under the `key` key. With the HTTP API the write path includes the `data/` segment that KV version 2 requires; the `vault kv` CLI inserts it for you:

```shell
curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Vault-Token: <Vault token>" \
  -d '{"data": {"cert": "<base64-encoded certificate>", "key": "<base64-encoded key>"}}' \
  http://127.0.0.1:8200/v1/secret/data/example.org
```

```shell
vault kv put secret/example.org cert="$(base64 -w0 < cert.pem)" key="$(base64 -w0 < key.pem)"
```
**Path Requirement**

The Vault TLS provider requires all secrets to be at the root of the KV secret engine, directly under `enginePath`; secrets in a sub-path are not picked up.

**Dedicated KV Secret Engine**

It is recommended to use a dedicated KV secret engine in Vault to store TLS certificates, and to restrict the policy attached to the provider's token or AppRole to that engine (read on its `data/` paths, list on its `metadata/` paths) so that the provider's credential cannot read unrelated secrets.
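The following is an added example (not code from Traefik Enterprise or HashiCorp) that builds the write body and path the commands above send, and decodes the response a KV version 2 read returns. It uses only the Python standard library; the PEM blocks are constructed placeholders with real framing but no real key material, and the `roundtrip`, `kv2_write_path` and `simulate_kv2_read` names are this example's own. It checks three things a practitioner tends to get wrong: a secret name containing `/` would land in a sub-path the provider does not read, a swapped certificate and key pair is rejected by its PEM label, and a KV v2 read wraps the stored map one level deeper than the write body.

```python
"""Build and validate KV v2 payloads for the Traefik Enterprise Vault provider.

Added example, not code from Traefik or HashiCorp. Standard library only.
"""
import base64
import binascii
import json
import re

# Constructed placeholder PEM material (not a real certificate or key):
# the framing is what the checks below look at, the body is arbitrary base64.
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"example.org certificate DER placeholder")
                   + b"\n-----END CERTIFICATE-----\n")
SAMPLE_KEY_PEM = (b"-----BEGIN PRIVATE KEY-----\n"
                  + base64.b64encode(b"example.org private key DER placeholder")
                  + b"\n-----END PRIVATE KEY-----\n")

_PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def _pem_label(pem: bytes) -> str:
    """Return the label of the first PEM block in `pem`, or raise ValueError."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM block")
    return match.group(1).decode("ascii")


def kv2_write_path(engine_path: str, name: str) -> str:
    """API path for writing secret `name` into a KV v2 engine mounted at `engine_path`.

    KV v2 puts a `data/` segment between the mount and the secret name (the
    `vault kv` CLI adds it for you). The provider only reads secrets at the
    engine root, so a name containing '/' (a sub-path) is rejected here.
    """
    if not name or "/" in name:
        raise ValueError("secret must be at the root of the KV engine: %r" % name)
    return "v1/%s/data/%s" % (engine_path.strip("/"), name)


def build_kv2_payload(cert_pem: bytes, key_pem: bytes) -> dict:
    """Return the JSON body for a KV v2 write: {"data": {"cert": ..., "key": ...}}.

    Both values are base64 of the full PEM text, as the provider expects.
    The PEM labels are checked so a swapped cert/key pair fails before upload.
    """
    cert_label = _pem_label(cert_pem)
    key_label = _pem_label(key_pem)
    if cert_label != "CERTIFICATE":
        raise ValueError("cert is not a CERTIFICATE block: %s" % cert_label)
    if not key_label.endswith("PRIVATE KEY"):
        raise ValueError("key is not a PRIVATE KEY block: %s" % key_label)
    return {"data": {
        "cert": base64.b64encode(cert_pem).decode("ascii"),
        "key": base64.b64encode(key_pem).decode("ascii"),
    }}


def parse_kv2_read(response: dict) -> tuple:
    """Decode (cert_pem, key_pem) from a KV v2 read response.

    A read is wrapped one level deeper than the write body:
    {"data": {"data": {...}, "metadata": {...}}}. Missing keys or values that
    are not valid base64 raise ValueError rather than yielding garbage.
    """
    try:
        stored = response["data"]["data"]
        cert_b64, key_b64 = stored["cert"], stored["key"]
    except (KeyError, TypeError) as exc:
        raise ValueError("response is not a KV v2 read containing cert and key") from exc
    try:
        cert_pem = base64.b64decode(cert_b64, validate=True)
        key_pem = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("cert/key values are not valid base64") from exc
    _pem_label(cert_pem)  # both must still be PEM after decoding
    _pem_label(key_pem)
    return cert_pem, key_pem


def simulate_kv2_read(write_body: dict, version: int = 1) -> dict:
    """Wrap a write body the way Vault returns it on read (metadata abbreviated)."""
    return {"data": {"data": dict(write_body["data"]), "metadata": {"version": version}}}


def roundtrip(engine_path: str = "secret", name: str = "example.org") -> tuple:
    """Build path and body for one secret, then decode it again as the provider would."""
    path = kv2_write_path(engine_path, name)
    body = build_kv2_payload(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    cert_pem, key_pem = parse_kv2_read(simulate_kv2_read(body))
    ok = cert_pem == SAMPLE_CERT_PEM and key_pem == SAMPLE_KEY_PEM
    return path, json.dumps(body), ok


if __name__ == "__main__":
    print(roundtrip())
```

`build_kv2_payload` produces exactly the `-d` body of the curl command above; with a namespace, pass `"default/secret"` as `engine_path` and the `v1/default/secret/data/...` path comes out, matching the `enginePath` convention described below.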
## Provider Configuration

The Vault provider is enabled and configured in the static configuration. The examples below authenticate with a static token for brevity; that token is stored in clear text in the static configuration file, so for production prefer `auth.appRole` (described below) with a policy limited to the certificate engine.

```yaml
providers:
  plugin:
    vault:
      url: "http://127.0.0.1:8200"
      token: "s.CUDDqqjiIFXF60KVSeJOxeb5"
      enginePath: "secret"
      syncInterval: "5s"
      rescanInterval: "60s"
```

```toml
[providers.plugin.vault]
  url = "http://127.0.0.1:8200"
  token = "s.CUDDqqjiIFXF60KVSeJOxeb5"
  enginePath = "secret"
  syncInterval = "5s"
  rescanInterval = "60s"
```
### url

Required, Default=""

Defines the URL of the Vault server, including the scheme and port.

```yaml
providers:
  plugin:
    vault:
      url: "http://127.0.0.1:8200"
```

```toml
[providers.plugin.vault]
  url = "http://127.0.0.1:8200"
```
### token (deprecated)

Deprecated, Default=""

Defines the token to authenticate with Vault.

**Deprecated**

This option is deprecated, please use `auth.token` instead.

```yaml
providers:
  plugin:
    vault:
      token: "s.CUDDqqjiIFXF60KVSeJOxeb5"
```

```toml
[providers.plugin.vault]
  token = "s.CUDDqqjiIFXF60KVSeJOxeb5"
```
### enginePath

Optional, Default="secret"

Defines the path under which the KV secret engine is enabled.

**Vault Namespaces**

If using Vault Namespaces, prefix the engine path with the name of the namespace: for an engine mounted at `secret` in the `default` namespace, set `enginePath` to `default/secret`.

```yaml
providers:
  plugin:
    vault:
      enginePath: "secret"
```

```toml
[providers.plugin.vault]
  enginePath = "secret"
```
### syncInterval

Optional, Default="5s"

Defines the interval at which the Vault provider looks for new or deleted TLS certificates.

```yaml
providers:
  plugin:
    vault:
      syncInterval: "5s"
```

```toml
[providers.plugin.vault]
  syncInterval = "5s"
```
### rescanInterval

Optional, Default="60s"

Defines the interval at which the Vault provider performs a full rescan of all TLS certificates to check for updates.

**Rescanning with Many Certificates**

This operation performs at least one request per certificate stored in Vault. If there are many certificates, this interval may need to be increased to reduce load on Vault.

```yaml
providers:
  plugin:
    vault:
      rescanInterval: "60s"
```

```toml
[providers.plugin.vault]
  rescanInterval = "60s"
```
### auth.token

Optional (one of `auth.token` or `auth.appRole` must be set), Default=""

Defines the token to authenticate with Vault. The token is written in clear text in the static configuration file, so grant it only the policy needed for the certificate engine and prefer `auth.appRole` in production.

```yaml
providers:
  plugin:
    vault:
      auth:
        token: "s.CUDDqqjiIFXF60KVSeJOxeb5"
```

```toml
[providers.plugin.vault.auth]
  token = "s.CUDDqqjiIFXF60KVSeJOxeb5"
```
### auth.appRole

Optional (one of `auth.token` or `auth.appRole` must be set), Default=None

Enables the AppRole authentication method: the provider logs in to Vault with the role ID and secret ID and uses the token Vault issues in return. See the `auth.appRole.*` options below for what needs to be provided.
### auth.appRole.roleID

Required, Default=""

Defines the ID of the role to use when authenticating to Vault with AppRole.

```yaml
providers:
  plugin:
    vault:
      auth:
        appRole:
          roleID: "4cf1dc0d-f431-f76d-42fd-ed1264f0b893"
```

```toml
[providers.plugin.vault.auth.appRole]
  roleID = "4cf1dc0d-f431-f76d-42fd-ed1264f0b893"
```
### auth.appRole.secretID

Required, Default=""

Defines the secret ID to use when authenticating to Vault with AppRole. Unlike the role ID, the secret ID is a credential and should be protected like the Vault token it replaces.

```yaml
providers:
  plugin:
    vault:
      auth:
        appRole:
          secretID: "63cffb45-b404-18c4-cdbb-af723aaef1e7"
```

```toml
[providers.plugin.vault.auth.appRole]
  secretID = "63cffb45-b404-18c4-cdbb-af723aaef1e7"
```
### auth.appRole.path

Optional, Default="approle"

Defines the path under which the AppRole authentication method is enabled in Vault.

```yaml
providers:
  plugin:
    vault:
      auth:
        appRole:
          path: "customAppRolePath"
```

```toml
[providers.plugin.vault.auth.appRole]
  path = "customAppRolePath"
```