BoltMCP Installation Docs

External Secrets Operator

Sync BoltMCP's application Secrets from HashiCorp Vault (or a cloud secrets manager) using the External Secrets Operator.

This page expands on the Alternatives noted in Cluster Prep. It shows how to populate BoltMCP's three application Secrets (boltmcp-database, boltmcp-oidc, boltmcp-auth) from an external secrets manager instead of creating them manually with kubectl.

If your organisation already stores secrets in Vault (or AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, 1Password), the External Secrets Operator syncs them into Kubernetes Secret resources for the chart to read.

One-time cluster setup — install ESO and create a ClusterSecretStore pointing at your Vault:

cluster-secret-store-vault.yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "boltmcp-eso"
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"
kubectl apply -f cluster-secret-store-vault.yaml

Per-release setup — populate the three Vault entries (secret/boltmcp/database, secret/boltmcp/oidc, secret/boltmcp/auth) with the key names listed in Cluster Prep (secret/boltmcp/oidc carries all five client secrets), then apply three ExternalSecret resources. Here's the database one as a worked example:

external-secret-database.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: boltmcp-database
  namespace: boltmcp
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: boltmcp-database
    creationPolicy: Owner
  data:
    - secretKey: superuser-password
      remoteRef: { key: boltmcp/database, property: superuser-password }
    - secretKey: migrate-core-password
      remoteRef: { key: boltmcp/database, property: migrate-core-password }
    - secretKey: web-password
      remoteRef: { key: boltmcp/database, property: web-password }
    - secretKey: rest-api-password
      remoteRef: { key: boltmcp/database, property: rest-api-password }
    - secretKey: mcp-server-password
      remoteRef: { key: boltmcp/database, property: mcp-server-password }
    - secretKey: keycloak-password
      remoteRef: { key: boltmcp/database, property: keycloak-password }
    - secretKey: vault-password
      remoteRef: { key: boltmcp/database, property: vault-password }

Full manifests for all three Secrets (database, OIDC, auth) live at charts/boltmcp/examples/secrets/external-secrets-vault.yaml. Wait for kubectl get externalsecret -n boltmcp to show STATUS=SecretSynced for all three before installing the chart.

For AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault, swap only the provider block in the ClusterSecretStore — the ExternalSecret manifests stay the same.