1- install the vault chart (https://github.com/helm/charts/tree/master/incubator/vault), then initialise and unseal it
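# install the chart with the values file next to this runbook
helm install incubator/vault -f values.yaml --name vault-helm-release-name
# open a shell in the vault pod; `--` keeps kubectl from parsing the command's own flags
kubectl exec -it vault-pod-name -- sh
# inside the pod: talk to the listener on loopback (plain http, no TLS on this address)
export VAULT_ADDR=http://localhost:8200
# first-time initialisation; the output holds the unseal keys and the root token,
# capture them once and store them outside the pod
vault operator init
# repeat 3 times, once per unseal key
vault operator unseal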
run 3 times (each time with a different unseal key)
ref: https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault
1.1 login: vault login <root token>
ref: https://www.vaultproject.io/docs/commands/login.html
2- enable the vault kubernetes auth backend
inside the vault pod (or via port-forward):
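# mount the kubernetes auth method at auth/kubernetes; the config write below has
# nothing to write to until this is done (the enable fails if it is already mounted)
vault auth enable kubernetes
# point the auth method at the API server of the cluster vault runs in: host/port
# come from the service env vars injected into the pod, the CA from the mounted
# service account secret (the `@` prefix makes the CLI read the value from that file)
vault write auth/kubernetes/config \
  kubernetes_host="$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT" \
  kubernetes_ca_cert="@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
# mount a kv store at secret/ and turn on versioning for that mount (kv v2)
vault secrets enable -path=secret/ kv
vault kv enable-versioning secret/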
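# Create Vault policy for testing.
# The mount is versioned (kv v2), so the API path of every secret is
# secret/data/<name>: a policy on secret/spring_app/* would never match a
# read of secret/spring_app/dbPass and the app would get permission denied.
# `-` reads the policy from stdin; the quoted delimiter keeps the text literal.
vault policy write spring_app_policy - <<'EOF'
path "secret/data/spring_app/*" {
  capabilities = ["create", "read"]
}
EOF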
# create a vault role for the app: only tokens of the vault-auth service account
# in the qa namespace may log in as it, and the vault token handed back carries
# spring_app_policy and expires after one hour
vault write auth/kubernetes/role/spring_app \
  bound_service_account_names=vault-auth \
  bound_service_account_namespaces=qa \
  policies=spring_app_policy \
  ttl=1h
# populate some secrets (sample value only: a key=value given on the command
# line is kept in shell history, the CLI also accepts JSON on stdin with `-`)
vault kv put secret/spring_app/dbPass pass=bar
# confirm the key is visible under the mount
vault kv list secret/spring_app
3- create the vault-auth service account
# the ServiceAccount has to end up in the qa namespace: that is what the vault role
# (bound_service_account_namespaces=qa) and the binding subject below both name
kubectl apply -f sa.yaml
sa.yaml:
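apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  # must match bound_service_account_namespaces on the vault role and the
  # subject of the binding below; without it the account lands in whatever
  # namespace the current kubectl context points at and the login is refused
  namespace: qa
---
# rbac.authorization.k8s.io/v1 is the stable version of this API
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  # NOTE(review): ClusterRoleBinding is cluster-scoped, so a namespace here has
  # no effect — confirm the apply tool tolerates it, otherwise drop the line
  namespace: qa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # auth-delegator grants TokenReview access, which is how vault validates the
  # service account JWT a pod presents on login
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: qa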
4- use the service account in your pod specs:
# pod spec fields: serviceAccountName is the current field, serviceAccount its
# deprecated alias; keep both values identical
serviceAccount: "vault-auth"
serviceAccountName: "vault-auth"
5- app specifics: apps can now exchange the service account token for a vault token using Spring Cloud Vault, see: https://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html#vault.config.authentication.kubernetes
or using the API:
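# get the jwt token from the pod running with that service account: kubernetes
# mounts it next to the ca.crt used in step 2
jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# the ip of the vault pod/service, other pods can use the service
vault_addr=http://127.0.0.1:8200
# the body is fed on stdin (--data @-) so the token does not show up in `ps` or
# shell history the way an inline --data '{"jwt": ...}' would; the URL sits on
# the same line as the request, a comment line inside a `\` continuation would
# end the command before the URL and curl would run with no URL at all
curl --request POST --data @- "$vault_addr/v1/auth/kubernetes/login" <<EOF
{"jwt": "$jwt", "role": "spring_app"}
EOF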
refs: