diff --git a/hashicorp/readme.md b/hashicorp/readme.md
index 49e3fe1..afee566 100644
--- a/hashicorp/readme.md
+++ b/hashicorp/readme.md
@@ -1,57 +1,101 @@
-# Hashicorp Vault Guide
-
-# Vault
-
-For this tutorial, I use Kuberentes 1.17
-It's critical because we'll need certain [admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) enabled.
-
-To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
-
-```
-kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
-```
-
-## TLS End to End Encryption
-
-See steps in `hashicorp/vault/tls/ssl_generate_self_signed.txt`
-You'll need to generate TLS certs (or bring your own)
-Create base64 strings from the files, place it in the `server-tls-secret.yaml` and apply it.
-Remember not to check-in your TLS to GIT :)
-
-## Deployment
-
-```
-kubectl create ns vault-example
-kubectl -n vault-example apply -f .\hashicorp\vault\server\
-```
-
-## Storage
-
-```
-kubectl -n vault-example get pvc
-```
-ensure vault-claim is bound, if not, `kubectl -n vault-example describe pvc vault-claim`
-ensure correct storage class is used for your cluster.
-if you need to change the storage class, deleve the pvc , edit YAML and re-apply
-
-## Initialising Vault
-
-```
-kubectl -n vault-example exec -it vault-example-0 vault operator init
-kubectl -n vault-example exec -it vault-example-0 vault operator unseal
-```
-
-## Depploy the Injector
-
-Injector allows pods to automatically get secrets from the vault.
-
-```
-kubectl -n vault-example apply -f .\hashicorp\vault\injector\
-```
-
-
-
-
-
-
-
+# Hashicorp Vault Guide
+
+# Vault
+
+For this tutorial, I use Kuberentes 1.17
+It's critical because we'll need certain [admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) enabled.
+
+To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
+
+```
+kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
+
+#Linux
+kind create cluster --name vault --kubeconfig ~/.kube/kind-vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
+```
+
+## TLS End to End Encryption
+
+VIDEO:
+See steps in `hashicorp/vault/tls/ssl_generate_self_signed.txt`
+You'll need to generate TLS certs (or bring your own)
+Create base64 strings from the files, place it in the `server-tls-secret.yaml` and apply it.
+Remember not to check-in your TLS to GIT :)
+
+## Deployment
+
+```
+kubectl create ns vault-example
+kubectl -n vault-example apply -f ./hashicorp/vault/server/
+```
+
+## Storage
+
+```
+kubectl -n vault-example get pvc
+```
+ensure vault-claim is bound, if not, `kubectl -n vault-example describe pvc vault-claim`
+ensure correct storage class is used for your cluster.
+if you need to change the storage class, deleve the pvc , edit YAML and re-apply
+
+## Initialising Vault
+
+```
+kubectl -n vault-example exec -it vault-example-0 vault operator init
+#unseal 3 times
+kubectl -n vault-example exec -it vault-example-0 vault operator unseal
+```
+
+## Depploy the Injector
+
+VIDEO:
+
+Injector allows pods to automatically get secrets from the vault.
+
+```
+kubectl -n vault-example apply -f ./hashicorp/vault/injector\
+```
+
+## Injector Kubernetes Auth Policy
+
+For the injector to be authorised to access vault, we need to enable K8s auth
+
+```
+kubectl -n vault-example exec -it vault-example-0 vault login
+kubectl -n vault-example exec -it vault-example-0 vault auth enable kubernetes
+
+
+kubectl -n vault-example exec -it vault-example-0 sh
+vault write auth/kubernetes/config \
+token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+```
+
+# Summary
+
+So we have a vault, an injector, TLS end to end, stateful storage.
+The injector can now inject secrets for pods from the vault.
+
+Now we are ready to use the platform for different types of secrets:
+
+## Secret Injection Guides
+
+I've broken this down into basic guides to avoid this document from becoming too large.
+
+### Basic Secrets
+
+Objective:
+----------
+* Let's create a basic secret in vault manually
+* Application consumes the secret automatically
+
+[Try it](./vault/example-apps/basic-secret/readme.md)
+
+
+
+
+
+
+
diff --git a/hashicorp/vault/example-app/deployment.yaml b/hashicorp/vault/example-app/deployment.yaml
deleted file mode 100644
index 01a480e..0000000
--- a/hashicorp/vault/example-app/deployment.yaml
+++ /dev/null
@@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: app - labels: - app: vault-agent-demo -spec: - selector: - matchLabels: - app: vault-agent-demo - replicas: 1 - template: - metadata: - labels: - app: vault-agent-demo - spec: - serviceAccountName: app - containers: - - name: app - image: jweissig/app:0.0.1 --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: app - labels: - app: vault-agent-demo \ No newline at end of file
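Review bot: In the hashicorp/readme.md hunk the new link `[Try it](./vault/example-apps/basic-secret/readme.md)` points at a file this commit does not create; the guide it refers to is added at `hashicorp/vault/example-apps/readme.md`, one directory up, so the link is dead as committed (either move the guide or change the link to `./vault/example-apps/readme.md`). The injector apply line keeps a trailing backslash, `apply -f ./hashicorp/vault/injector\`, while the server line in the same hunk was converted to `./hashicorp/vault/server/`; on a POSIX shell the backslash escapes the end of line and the command will wait for more input. The `vault write auth/kubernetes/config` step passes the Vault pod's own service-account token as `token_reviewer_jwt`, which only works if that service account is allowed to call the TokenReview API (normally a ClusterRoleBinding to `system:auth-delegator`); the guide does not say where that is granted, so a one-line pointer to the manifest that does it, or a note that it must be added, would save readers a silent 403 at login time.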
diff --git a/hashicorp/vault/example-app/patch.yaml b/hashicorp/vault/example-apps/basic-secret/deployment.yaml
similarity index 67%
rename from hashicorp/vault/example-app/patch.yaml
rename to hashicorp/vault/example-apps/basic-secret/deployment.yaml
index b2679e1..b4affd0 100644
--- a/hashicorp/vault/example-app/patch.yaml
+++ b/hashicorp/vault/example-apps/basic-secret/deployment.yaml
@@ -1,32 +1,32 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: app + name: basic-secret labels: - app: vault-agent-demo + app: basic-secret spec: selector: matchLabels: - app: vault-agent-demo + app: basic-secret replicas: 1 template: metadata: annotations: vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/tls-skip-verify: "true" - vault.hashicorp.com/agent-inject-secret-helloworld: "secret/helloworld" + vault.hashicorp.com/agent-inject-secret-helloworld: "secret/basic-secret/helloworld" vault.hashicorp.com/agent-inject-template-helloworld: | - {{- with secret "secret/helloworld" -}} + {{- with secret "secret/basic-secret/helloworld" -}} { "username" : "{{ .Data.username }}", "password" : "{{ .Data.password }}" } {{- end }} - vault.hashicorp.com/role: "myapp" + vault.hashicorp.com/role: "basic-secret-role" labels: - app: vault-agent-demo + app: basic-secret spec: - serviceAccountName: app + serviceAccountName: basic-secret containers: - name: app image: jweissig/app:0.0.1
@@ -36,4 +36,4 @@ kind: ServiceAccount metadata: name: app labels: - app: vault-agent-demo \ No newline at end of file + app: basic-secret \ No newline at end of file
diff --git a/hashicorp/vault/example-apps/readme.md b/hashicorp/vault/example-apps/readme.md
new file mode 100644
index 0000000..91e7795
--- /dev/null
+++ b/hashicorp/vault/example-apps/readme.md
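Review bot: The pod template in the first hunk of basic-secret/deployment.yaml now sets `serviceAccountName: basic-secret`, but the ServiceAccount in the second hunk of the same file keeps `name: app` (only its label is changed to `app: basic-secret`), so the Deployment's pods cannot be created until a `basic-secret` ServiceAccount exists in the namespace. The Vault role in the new example-apps/readme.md hunk also binds `bound_service_account_names=basic-secret`, so the one-line fix that makes all three agree is changing the ServiceAccount to `  name: basic-secret`. The unchanged annotation `vault.hashicorp.com/tls-skip-verify: "true"` makes the injected agent accept any certificate from the Vault server, which undercuts the "TLS End to End Encryption" section of the guide; if it is needed for the self-signed lab certificate, a comment such as `# lab only: self-signed cert; remove once the CA is mounted/trusted` next to it would stop readers copying it into real deployments.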
@@ -0,0 +1,41 @@
+# Basic Secret Injection
+
+
+In order for us to start using secrets in vault, we need to setup a policy.
+
+
+```
+#Create a role for our app
+
+kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \
+ bound_service_account_names=basic-secret \
+ bound_service_account_namespaces=vault-example \
+ policies=basic-secret-policy \
+ ttl=1h
+```
+
+The above maps our Kubernetes service account, used by our pod, to a policy.
+Now lets create the policy to map our service account to a bunch of secrets
+
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh
+cat < /home/vault/app-policy.hcl
+path "secret/basic-secret/*" {
+ capabilities = ["read"]
+}
+EOF
+vault policy write basic-secret-policy /home/vault/app-policy.hcl
+exit
+```
+
+Now our service account for our pod can access all secrets under `secret/basic-secret/*`
+Lets create some secrets.
+
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh
+vault secrets enable -path=secret/ kv
+vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
+exit
+```
\ No newline at end of file
diff --git a/hashicorp/vault/policies/app-policy.md b/hashicorp/vault/policies/app-policy.md
deleted file mode 100644
index 920a593..0000000
--- a/hashicorp/vault/policies/app-policy.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Create an App policy
-
-```
-kubectl -n vault-example exec -it vault-example-0 sh
-
-cat < /home/vault/app-policy.hcl
-path "secret*" {
- capabilities = ["read"]
-}
-EOF
-
-vault login
-vault policy write app /home/vault/app-policy.hcl
-
-```
\ No newline at end of file
diff --git a/hashicorp/vault/policies/example-secret.md b/hashicorp/vault/policies/example-secret.md
deleted file mode 100644
index cee711e..0000000
--- a/hashicorp/vault/policies/example-secret.md
+++ /dev/null
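Review bot: In the new example-apps/readme.md the policy block's line `cat < /home/vault/app-policy.hcl` reads from a file that does not exist yet instead of writing the policy into it, so the shell errors out, the following `EOF` line is executed as a command, and `vault policy write basic-secret-policy /home/vault/app-policy.hcl` then fails on a missing file. The intended line is presumably a heredoc, `cat <<EOF > /home/vault/app-policy.hcl`; the deleted policies/app-policy.md shows the same truncated text, so the `<<EOF >` may have been lost in rendering rather than in the repository, which is worth checking against the raw file. The `vault` commands in the second and third blocks run inside an interactive `sh` in the pod and rely on the token left behind by the earlier `vault login` in hashicorp/readme.md; a sentence saying that the session must already be logged in (or that `vault login` should be repeated) would stop the policy write failing with a permission error for readers who follow only this page.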
@@ -1,11 +0,0 @@
-# Create example secret
-
-```
-kubectl -n vault-example exec -it vault-example-0 sh
-
-vault login
-
-vault secrets enable -path=secret/ kv
-vault kv put secret/helloworld username=foobaruser password=foobarbazpass
-
-```
\ No newline at end of file
diff --git a/hashicorp/vault/policies/vault-enable-auth-k8s.md b/hashicorp/vault/policies/vault-enable-auth-k8s.md
deleted file mode 100644
index 7afc45a..0000000
--- a/hashicorp/vault/policies/vault-enable-auth-k8s.md
+++ /dev/null
@@ -1,20 +0,0 @@
-# Enable Kubernetes Vault Auth
-
-```
-kubectl -n vault-example exec -it vault-example-0 sh
-
-vault login
-vault auth enable kubernetes
-
-vault write auth/kubernetes/config \
- token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
- kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
- kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-
-vault write auth/kubernetes/role/myapp \
- bound_service_account_names=app \
- bound_service_account_namespaces=vault-example \
- policies=app \
- ttl=1h
-
-```
\ No newline at end of file