#!/bin/bash
# This script configures vault and vault agent on kubernetes for
# testing consul-template as a side-car injection pattern for
# making secrets available to processes inside a container on k8s.
#
# Once this script has run, vault-agent can be configured to talk to
# vault using the k8s service account. A vault agent config example:
#
# exit_after_auth = true
# pid_file = "/home/vault/pidfile"
#
# auto_auth {
# method "kubernetes" {
# mount_path = "auth/kubernetes"
# config = {
# role = "example"
# }
# }
#
# sink "file" {
# config = {
# path = "/home/vault/.vault-token"
# }
# }
# }
#
# The vault agent can run as an init container and drop the initial
# token to a path that can be picked up by consul-template, and from
# there, consul-template can renew the token as needed.
#
# An example consul-template configuration to leverage this:
# vault {
# renew_token = false
# vault_agent_token_file = "/home/vault/.vault-token"
# retry {
# backoff = "1s"
# }
# }
#
# # template config using https://github.com/hashicorp/consul-template#secret
#
# template {
# error_on_missing_key = true
# destination = "/mnt/vault/secrets"
# }
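# Fail fast: -e exits on an unhandled error, -u on an unset variable, and
# pipefail makes the `kubectl ... | base64` pipelines below fail when the
# kubectl stage fails. (A bare `set -eo` has no option name after -o and
# only prints the shell's option table; pipefail was never enabled.)
set -euo pipefail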
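#######################################
# kubectl_exec wraps kubectl exec'ing vault inside the vault container
# on k8s.
# Arguments: $1 - the vault command line as ONE string; it is split on
#            whitespace into separate arguments (callers pass e.g.
#            'vault operator unseal'). Unlike bare word-splitting, no
#            glob expansion is applied to the pieces.
# Outputs:   echoes the (whitespace-normalised) command, then whatever the
#            command itself prints.
# Returns:   the exit status of kubectl exec
#######################################
kubectl_exec() {
  local -a cmd
  # Split explicitly instead of relying on an unquoted $1 (SC2086).
  read -ra cmd <<<"$1"
  printf '%s\n' "${cmd[*]}"
  # -it is required: unseal and login prompt on the terminal.
  kubectl exec -it vault-0 -- "${cmd[@]}"
}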
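# unseal vault and login. These are interactive: init prints the single
# unseal key and root token, unseal prompts for the key, login for the token.
kubectl_exec 'vault operator init -n 1 -t 1'
kubectl_exec 'vault operator unseal'
kubectl_exec 'vault login'

# write policy for accessing secret.
# The policy is staged in a private temp file rather than the predictable
# /tmp/policy (which anyone on the host could pre-create or symlink), copied
# into the pod, and then loaded BY PATH: `vault policy write NAME FILE`
# takes a file name, so the original `$(cat /tmp/policy)` handed the
# word-split policy text to the CLI as extra arguments.
policy_file=$(mktemp) || exit 1
trap 'rm -f -- "$policy_file"' EXIT
cat <<EOF > "$policy_file"
path "secret/data/exampleapp/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
kubectl cp "$policy_file" default/vault-0:/tmp/policy
kubectl exec -it vault-0 -- vault policy write exampleapp-kv /tmp/policy

# Collect what Vault needs to validate k8s service-account tokens.
# Assignment is separated from `export` so a failing kubectl/minikube call
# is not masked (SC2155) and aborts the script under set -e. The trailing
# `; echo` of the original is dropped: $(...) strips trailing newlines anyway.
VAULT_SA_NAME=$(kubectl get sa vault -o jsonpath="{.secrets[*]['name']}")
SA_JWT_TOKEN=$(kubectl get secret "$VAULT_SA_NAME" -o jsonpath="{.data.token}" | base64 --decode)
SA_CA_CRT=$(kubectl get secret "$VAULT_SA_NAME" -o jsonpath="{.data['ca\.crt']}" | base64 --decode)
K8S_HOST=$(minikube ip)
export VAULT_SA_NAME SA_JWT_TOKEN SA_CA_CRT K8S_HOST

kubectl_exec 'vault auth enable kubernetes'
# NOTE: the reviewer JWT is passed on the kubectl exec argv and is visible in
# the pod's process list while the command runs -- fine for this test
# cluster, not something to copy into production tooling.
# 8443 is the minikube API server port.
kubectl exec -it vault-0 -- vault write auth/kubernetes/config \
  token_reviewer_jwt="$SA_JWT_TOKEN" \
  kubernetes_host="https://$K8S_HOST:8443" \
  kubernetes_ca_cert="$SA_CA_CRT"

# Create a role named, 'exampleapp-role' to map Kubernetes Service Account to
# Vault policies and default token TTL
kubectl exec -it vault-0 -- vault write auth/kubernetes/role/exampleapp-role \
  bound_service_account_names="default" \
  bound_service_account_namespaces="default" \
  policies="default,exampleapp-kv" \
  ttl="15m"

# create our secret.
# NOTE(review): the policy above uses secret/data/..., the KV v2 API path.
# If secret/ is a KV v2 mount, `vault kv put` expects the logical path
# secret/exampleapp/config (the CLI inserts data/ itself) -- confirm the
# mount version before relying on this path.
# The demo password may be overridden from the environment; the default is
# unchanged. Either way it travels on argv, like the JWT above.
kubectl exec -it vault-0 -- vault kv put secret/data/exampleapp/config \
  ttl="30s" \
  username="exampleapp" \
  password="${EXAMPLEAPP_PASSWORD:-osc0nisinportland}"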