Free HashiCorp HCVA0-003 Exam Questions (page: 3)

How does the Vault Secrets Operator (VSO) assist in integrating Kubernetes-based workloads with Vault?

  A. By enabling a local API endpoint to allow the workload to make requests directly from the VSO
  B. By using client-side caching for KVv1 and KVv2 secrets engines
  C. By injecting a Vault Agent directly into the pod requesting secrets from Vault
  D. By watching for changes to its supported set of Custom Resource Definitions (CRDs)

Answer(s): D

Explanation:

Comprehensive and Detailed in Depth
The Vault Secrets Operator (VSO) integrates Kubernetes workloads with Vault by syncing secrets into native Kubernetes Secrets.
Let's evaluate each option:
A: VSO doesn't expose a local API endpoint for workloads to call directly; it syncs secrets to Kubernetes Secrets. Incorrect.
B: Client-side caching is a Vault Agent feature, not VSO's primary function. VSO can use caching, but it's not the main integration method. Incorrect.
C: VSO doesn't inject Vault Agents; that's the separate Vault Agent Sidecar Injector approach. Incorrect.
D: VSO watches its Custom Resource Definitions (CRDs) and syncs the referenced Vault secrets to Kubernetes Secrets dynamically. This is its core mechanism. Correct.
Overall Explanation from Vault Docs:
"VSO operates by watching for changes to its supported set of CRDs... It synchronizes secrets from Vault to Kubernetes Secrets, ensuring applications access them natively."


Reference:

https://developer.hashicorp.com/vault/docs/platform/k8s/vso



By default, what TCP port does Vault replication use?

  A. tcp/8200
  B. tcp/8300
  C. tcp/8201
  D. tcp/8301

Answer(s): C

Explanation:

Comprehensive and Detailed in Depth
Vault replication keeps data consistent across clusters and uses a dedicated port:

A: 8200 - Default HTTP API port, not replication. Incorrect.
B: 8300 - Raft protocol port, not replication. Incorrect.
C: 8201 - Default replication port. Correct.
D: 8301 - Serf protocol port, not replication. Incorrect.
Overall Explanation from Vault Docs:
"Replication occurs on TCP port 8201 by default... distinct from the API (8200) and Raft (8300) ports."


Reference:

https://developer.hashicorp.com/vault/tutorials/day-one-raft/raft-reference-architecture#network-connectivity



What is the proper command to enable the AWS secrets engine at the default path?

  A. vault enable aws secrets engine
  B. vault secrets enable aws
  C. vault secrets aws enable
  D. vault enable secrets aws

Answer(s): B

Explanation:

Comprehensive and Detailed in Depth
Enabling a secrets engine in Vault follows the syntax vault secrets enable <type>:
A: Incorrect; the subcommands are in the wrong order.
B: vault secrets enable aws enables the AWS engine at its default path aws/. Correct.
C: Incorrect; enable must come before the engine type.
D: Incorrect; the enable subcommand belongs to vault secrets, not to vault directly.
Overall Explanation from Vault Docs:
"The command vault secrets enable <type> enables a secrets engine at its default path (e.g., aws/ for AWS)."


Reference:

https://developer.hashicorp.com/vault/docs/commands/secrets



In regards to the Transit secrets engine, which of the following is true given the following command and output (select three):

$ vault write encryption/encrypt/creditcard plaintext=$(base64 <<< "1234 5678 9101 1121")
Key           Value
ciphertext    vault:v3:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=

  A. The Transit secrets engine is mounted at the encryption path
  B. The name of the keyring used to encrypt the data is creditcard
  C. There are at least three data keys associated with this keyring
  D. The data was written to the encryption path, which is provided by default when enabling the Transit secrets engine

Answer(s): A,B,C

Explanation:

Comprehensive and Detailed in Depth
A: The command uses encryption/encrypt/creditcard, indicating the Transit engine is mounted at encryption/. Correct.
B: The last path segment, creditcard, is the name of the key used for encryption. Correct.
C: The ciphertext prefix vault:v3: shows that key version 3 was used, implying at least three versions (v1, v2, v3) exist after rotations. Correct.
D: The default path for Transit is transit/, not encryption/. This is a custom mount, not the default. Incorrect.

Overall Explanation from Vault Docs:
"The Transit engine encrypts data at a specified key name... Key versions (e.g., v3) indicate rotations."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/transit


