Vault + Kubernetes Examples for EVOSPIKENET_DATA_ENCRYPTION_KEY
[!NOTE] For the current implementation status, see Feature Implementation Status (Remaining Functionality).
This page provides minimal examples of injecting EVOSPIKENET_DATA_ENCRYPTION_KEY into Pods.
1) Vault Agent sidecar approach
- Use vault-agent or vault-agent-injector to render secrets to filesystem or env.
- See k8s/vault-agent-example.yaml for a minimal ConfigMap + Deployment snippet.
2) ExternalSecrets (external-secrets operator)
- Configure SecretStore pointing to your backend (Vault, AWS Secrets Manager).
- Create an ExternalSecret mapping the remote secret to a Kubernetes Secret.
- See k8s/external-secrets-example.yaml for a template.
Notes
- Replace paths and mount points according to your security policy.
- Use RBAC to restrict the permissions of the ServiceAccount bound to the Vault auth role.
- On EKS/GKE, prefer IAM or Workload Identity bindings over static tokens.
Operational checklist
- Ensure secret rotation plan and monitoring are in place.
- Limit access to the K8s Secret and mounted files (file mode 0600).
- Use readOnlyRootFilesystem and non-root container user where possible.
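The ExternalSecrets approach in section 2 and the checklist above, as an added example that is not part of the project's manifests: a SecretStore authenticating to Vault with the Pod's ServiceAccount, an ExternalSecret that mirrors the key into a Kubernetes Secret, and a hardened Deployment consuming it. The namespace, names, Vault address, role, KV path and image are placeholders.

```yaml
# Added example, not from the project: pull EVOSPIKENET_DATA_ENCRYPTION_KEY
# from Vault KV v2 via External Secrets; all names/addresses are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: {name: vault-backend, namespace: evospikenet}
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"  # placeholder address
      path: "secret"          # KV mount point; adjust to your policy
      version: "v2"
      auth:
        kubernetes:           # no static token: SA JWT is exchanged for a Vault role
          mountPath: "kubernetes"
          role: "evospikenet-reader"   # Vault role bound to this SA only
          serviceAccountRef: {name: evospikenet-sa}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: {name: evospikenet-data-key, namespace: evospikenet}
spec:
  refreshInterval: 1h         # re-sync so rotated keys propagate to the Secret
  secretStoreRef: {name: vault-backend, kind: SecretStore}
  target:
    name: evospikenet-data-key   # Kubernetes Secret the operator creates and owns
  data:
    - secretKey: EVOSPIKENET_DATA_ENCRYPTION_KEY
      remoteRef:
        key: evospikenet/data      # placeholder path under the KV mount
        property: encryption_key   # placeholder field inside that secret
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: evospikenet, namespace: evospikenet}
spec:
  selector: {matchLabels: {app: evospikenet}}
  template:
    metadata: {labels: {app: evospikenet}}
    spec:
      serviceAccountName: evospikenet-sa
      securityContext: {runAsNonRoot: true, runAsUser: 10001}
      containers:
        - name: app
          image: example.invalid/evospikenet:latest   # placeholder image
          securityContext: {readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}
          env:
            - name: EVOSPIKENET_DATA_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef: {name: evospikenet-data-key, key: EVOSPIKENET_DATA_ENCRYPTION_KEY}
```

Environment variables are read once at container start, so a rotated key refreshed into the Secret only reaches the process after a rollout restart; mount the Secret as a volume (with defaultMode 0600) if the application can re-read the file instead.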