@blabadi
Last active June 19, 2019 23:01
setup kubernetes vault in

1- install the vault chart: https://github.com/helm/charts/tree/master/incubator/vault, then initialise and unseal

helm install incubator/vault -f values.yaml --name vault-helm-release-name

kubectl exec -it vault-pod-name sh

export VAULT_ADDR=http://localhost:8200

vault operator init

vault operator unseal   # run 3 times, each with a different unseal key from the init output

ref: https://learn.hashicorp.com/vault/getting-started/deploy#initializing-the-vault

1.1 login: vault login <root token> ref: https://www.vaultproject.io/docs/commands/login.html

2- enable vault kubernetes backend

inside the vault pod (or via port forward):

# enable the kubernetes auth method first; the config write below fails if the path does not exist
vault auth enable kubernetes

vault write auth/kubernetes/config kubernetes_host="$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT" \
    kubernetes_ca_cert="@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
vault secrets enable -path=secret/ kv
vault kv enable-versioning secret/

# Create Vault policy for testing
# secret/ is versioned (kv v2) above, so the policy must grant the API path secret/data/...;
# a rule on secret/spring_app/* would not match kv v2 reads or writes
vault policy write spring_app_policy -<<EOF
path "secret/data/spring_app/*" {
    capabilities = ["create", "read"]
}
EOF

# create a vault role for the app
vault write auth/kubernetes/role/spring_app bound_service_account_names=vault-auth bound_service_account_namespaces=qa policies=spring_app_policy ttl=1h

# populate some secrets
vault kv put secret/spring_app/dbPass pass=bar
vault kv list secret/spring_app

3- create the vault-auth service account: kubectl apply -f sa.yaml

sa.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  # must live in the namespace the vault role is bound to (qa)
  namespace: qa

---
# rbac v1 (v1beta1 was removed in Kubernetes 1.22)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBindings are cluster-scoped, so no namespace here
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # lets vault call the TokenReview API to validate service account JWTs
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: qa

4- use the service account in your pod specs (serviceAccountName is the current field; serviceAccount is its deprecated alias):

serviceAccount: "vault-auth"
serviceAccountName: "vault-auth"

5- app specifics: apps can now exchange their service account token for a vault token. In Spring Boot with Spring Cloud Vault, see: https://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html#vault.config.authentication.kubernetes

or using the api directly:

# get the jwt from the pod running with that service account:
#   cat /var/run/secrets/kubernetes.io/serviceaccount/token
# the host is the ip of the vault pod/service; other pods can use the service name
# (a comment line between a trailing backslash and the url would swallow the url, so it sits above the command)
curl --request POST --data '{"jwt": "eyJhbGciO...", "role": "spring_app"}' \
    http://127.0.0.1:8200/v1/auth/kubernetes/login
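The same exchange as a small client, added here as an example (not code from the gist or from Spring Cloud Vault): it reads the pod's service account JWT, posts it to the kubernetes auth login endpoint, keeps the returned client_token, and then reads the kv v2 secret through the data/ API path that the CLI hides. The VaultKubernetesClient class, the injectable transport, and the token file path are assumptions of this example.

```python
import json
import urllib.request

# path Kubernetes mounts the service account JWT at (assumed default location)
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def read_service_account_jwt(path=SA_TOKEN_PATH):
    """Return the pod's service account JWT, the credential exchanged at login."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def kv2_api_path(mount, secret_path):
    """Map a CLI path to the kv v2 API path: secret/spring_app/dbPass -> secret/data/spring_app/dbPass.
    This data/ form is also the path a kv v2 policy rule must grant."""
    return f"{mount.strip('/')}/data/{secret_path.strip('/')}"


def _http_json(method, url, body, headers):
    """Default transport: one JSON request with urllib, response decoded as JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class VaultKubernetesClient:
    def __init__(self, addr, transport=_http_json):
        self.addr = addr.rstrip("/")
        self.transport = transport  # injectable so the exchange can be exercised offline
        self.token = None

    def login(self, jwt, role):
        """POST /v1/auth/kubernetes/login; Vault validates the JWT via TokenReview and issues a token."""
        resp = self.transport("POST", f"{self.addr}/v1/auth/kubernetes/login",
                              {"jwt": jwt, "role": role}, {})
        auth = resp["auth"]
        self.token = auth["client_token"]
        return {"policies": auth["policies"], "ttl": auth["lease_duration"]}

    def read_kv2(self, mount, secret_path):
        """GET the secret with X-Vault-Token; kv v2 nests the key/values under data.data."""
        if self.token is None:
            raise RuntimeError("call login() first")
        url = f"{self.addr}/v1/{kv2_api_path(mount, secret_path)}"
        resp = self.transport("GET", url, None, {"X-Vault-Token": self.token})
        return resp["data"]["data"]
```

Inside a pod in the qa namespace this would be `client = VaultKubernetesClient("http://vault:8200"); client.login(read_service_account_jwt(), "spring_app"); client.read_kv2("secret", "spring_app/dbPass")`, which returns {"pass": "bar"} for the secret written in step 2.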

refs:
