#!/bin/bash
# This script configures vault and vault agent on kubernetes for
# testing consul-template as a side-car injection pattern for
# making secrets available to processes inside a container on k8s.
#
# Once this script has run, vault-agent can be configured to talk to
# vault using the k8s service account. A vault agent config example:
#
# exit_after_auth = true
# pid_file = "/home/vault/pidfile"
#
# auto_auth {
#   method "kubernetes" {
#     mount_path = "auth/kubernetes"
#     config = {
#       role = "example"
#     }
#   }
#
#   sink "file" {
#     config = {
#       path = "/home/vault/.vault-token"
#     }
#   }
# }
#
# The vault agent can run as an init container and drop the initial
# token to a path that can be picked up by consul-template, and from
# there, consul-template can renew the token as needed.
#
# An example consul-template configuration to leverage this:
# vault {
#   renew_token = false
#   vault_agent_token_file = "/home/vault/.vault-token"
#   retry {
#     backoff = "1s"
#   }
# }
#
# # template config using https://github.com/hashicorp/consul-template#secret
#
# template {
#   error_on_missing_key = true
#   destination = "/mnt/vault/secrets"
# }
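# Abort on the first failing command and make a pipeline fail when any of
# its stages fails. ('-o' takes an option name; a bare 'set -eo' only prints
# the option table and never enables pipefail.)
set -eo pipefail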
# kubectl_exec wraps 'kubectl exec', running vault inside the
# vault container on k8s
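#######################################
# Run a vault CLI command inside the vault-0 pod.
# Arguments: $1 - the command line to run, passed as a single string;
#                 it is split on whitespace (no globbing, unlike an
#                 unquoted $1 would do)
# Outputs:   echoes the command to stderr; kubectl's output goes to stdout
# Returns:   the exit status of kubectl exec, or 2 if no command was given
#######################################
kubectl_exec() {
  local -a cmd
  # Callers hand over the whole vault command as one string, so split it
  # deliberately here instead of relying on unquoted word-splitting.
  read -r -a cmd <<<"$*"
  if (( ${#cmd[@]} == 0 )); then
    printf 'kubectl_exec: no command given\n' >&2
    return 2
  fi
  # Diagnostics go to stderr so stdout only carries vault's own output
  # (e.g. the unseal key and root token printed by 'vault operator init').
  printf '%s\n' "${cmd[*]}" >&2
  # -it: 'vault operator unseal' and 'vault login' prompt on the terminal.
  kubectl exec -it vault-0 -- "${cmd[@]}"
}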
# unseal vault and login
# Bootstrap the fresh vault in three interactive steps: initialise it with a
# single key share and a threshold of one, unseal with that share, then log
# in. The init step prints the unseal key and root token to the terminal
# only, so keep them at hand for the next two prompts.
for bootstrap_step in \
  'vault operator init -n 1 -t 1' \
  'vault operator unseal' \
  'vault login'; do
  kubectl_exec "$bootstrap_step"
done
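# write policy for accessing secret
# The policy is streamed to 'vault policy write' on stdin ('-') rather than
# going through a predictable /tmp file, a 'kubectl cp' and an unquoted
# $(cat ...) that word-split (and glob-expanded) the HCL into separate
# arguments. -i only: stdin is the heredoc, so no TTY may be requested.
kubectl exec -i vault-0 -- vault policy write exampleapp-kv - <<'EOF'
path "secret/data/exampleapp/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF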
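# Collect the service-account material vault needs to review k8s tokens.
# Assignment is kept separate from 'export' so a failing kubectl is not
# masked by export's own (always zero) exit status.
VAULT_SA_NAME=$(kubectl get sa vault -o jsonpath="{.secrets[*]['name']}") || exit 1
# NOTE: Kubernetes 1.24+ no longer auto-creates a token Secret for a
# ServiceAccount, so this can legitimately be empty; fail loudly instead of
# querying 'kubectl get secret ""'. If the account lists several secrets the
# names come back space-separated and the quoted lookup below fails as well;
# pick one explicitly in that case.
: "${VAULT_SA_NAME:?no token secret found for service account 'vault'}"
# The JWT is a long-lived credential: it is exported to every child process,
# so do not trace this section with 'set -x'.
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_NAME" -o jsonpath="{.data.token}" | base64 --decode) || exit 1
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode) || exit 1
# The script assumes a minikube cluster; this is the API server address
# vault will call for token review.
K8S_HOST=$(minikube ip) || exit 1
export VAULT_SA_NAME SA_JWT_TOKEN SA_CA_CRT K8S_HOST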
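kubectl_exec 'vault auth enable kubernetes'
# Configure the kubernetes auth method. The token-reviewer JWT is a
# long-lived credential, so it is passed on stdin ('token_reviewer_jwt=-')
# instead of on the command line, where it would be visible in process
# listings and shell history on both the workstation and the vault pod.
# -i only: stdin carries the token, so no TTY is requested.
# 8443 is the minikube API server port; adjust for other clusters.
printf '%s' "$SA_JWT_TOKEN" | kubectl exec -i vault-0 -- vault write auth/kubernetes/config \
  token_reviewer_jwt=- \
  kubernetes_host="https://$K8S_HOST:8443" \
  kubernetes_ca_cert="$SA_CA_CRT"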
# Create a role named, 'exampleapp-role' to map Kubernetes Service Account to
# Vault policies and default token TTL
# Only the 'default' service account in the 'default' namespace may log in
# through this role; tokens it issues carry the listed policies for 15m.
# NOTE: the vault agent example in the file header names its role "example";
# the agent's auto_auth role must match the name created here.
kubectl exec -i -t vault-0 -- vault write auth/kubernetes/role/exampleapp-role \
  ttl="15m" \
  policies="default,exampleapp-kv" \
  bound_service_account_namespaces="default" \
  bound_service_account_names="default"
# create our secret
# Seed the demo secret the policy above grants access to. The username and
# password are throwaway demo values. 'ttl' is stored as an ordinary data
# key here; a KV v1 mount treats it as a lease-duration hint, KV v2 does
# not -- confirm which version backs the 'secret/' mount.
# NOTE(review): the policy grants "secret/data/exampleapp/*"; on a KV v2
# mount the 'kv' subcommand inserts the "data/" segment itself, so verify
# that the path written here lands where the policy expects.
kubectl exec -i -t vault-0 -- vault kv put secret/data/exampleapp/config \
  password="osc0nisinportland" \
  username="exampleapp" \
  ttl="30s"