example basic secret injection

2025-06-06 17:01:30 +00:00 · 2020-03-02 22:00:58 +00:00 · 2020-03-02 22:00:58 +00:00 · 2415cb33b2
commit 2415cb33b2
parent 428fc51e76
7 changed files with 151 additions and 139 deletions
--- a/hashicorp/readme.md
+++ b/hashicorp/readme.md
@ -1,57 +1,101 @@
-# Hashicorp Vault Guide
+# Hashicorp Vault Guide
-
+
-# Vault
+# Vault
-
+
-For this tutorial, I use Kuberentes 1.17
+For this tutorial, I use Kuberentes 1.17
-It's critical because we'll need certain [admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) enabled.
+It's critical because we'll need certain [admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) enabled.
-
+
-To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
+To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
-
+
-```
+```
-kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
+kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
-```
+
-
+#Linux
-## TLS End to End Encryption
+kind create cluster --name vault --kubeconfig ~/.kube/kind-vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
-
+```
-See steps in `hashicorp/vault/tls/ssl_generate_self_signed.txt`
+
-You'll need to generate TLS certs (or bring your own)
+## TLS End to End Encryption
-Create base64 strings from the files, place it in the `server-tls-secret.yaml` and apply it.
+
-Remember not to check-in your TLS to GIT :)
+VIDEO: <Coming-Soon>
-
+See steps in `hashicorp/vault/tls/ssl_generate_self_signed.txt`
-## Deployment
+You'll need to generate TLS certs (or bring your own)
-
+Create base64 strings from the files, place it in the `server-tls-secret.yaml` and apply it.
-```
+Remember not to check-in your TLS to GIT :)
-kubectl create ns vault-example
+
-kubectl -n vault-example apply -f .\hashicorp\vault\server\
+## Deployment
-```
+
-
+```
-## Storage
+kubectl create ns vault-example
-
+kubectl -n vault-example apply -f ./hashicorp/vault/server/
-```
+```
-kubectl -n vault-example get pvc
+
-```
+## Storage
-ensure vault-claim is bound, if not, `kubectl -n vault-example describe pvc vault-claim`
+
-ensure correct storage class is used for your cluster.
+```
-if you need to change the storage class, deleve the pvc , edit YAML and re-apply
+kubectl -n vault-example get pvc
-
+```
-## Initialising Vault
+ensure vault-claim is bound, if not, `kubectl -n vault-example describe pvc vault-claim`
-
+ensure correct storage class is used for your cluster.
-```
+if you need to change the storage class, deleve the pvc , edit YAML and re-apply
-kubectl -n vault-example exec -it vault-example-0 vault operator init
+
-kubectl -n vault-example exec -it vault-example-0 vault operator unseal
+## Initialising Vault
-```
+
-
+```
-## Depploy the Injector
+kubectl -n vault-example exec -it vault-example-0 vault operator init
-
+#unseal 3 times
-Injector allows pods to automatically get secrets from the vault.
+kubectl -n vault-example exec -it vault-example-0 vault operator unseal
-
+```
-```
+
-kubectl -n vault-example apply -f .\hashicorp\vault\injector\
+## Depploy the Injector
-```
+
-
+VIDEO: <Coming-Soon>
-
+
-
+Injector allows pods to automatically get secrets from the vault.
-
+
-
+```
-
+kubectl -n vault-example apply -f ./hashicorp/vault/injector\
-
+```
 ## Injector Kubernetes Auth Policy
 For the injector to be authorised to access vault, we need to enable K8s auth
 ```
 kubectl -n vault-example exec -it vault-example-0 vault login
 kubectl -n vault-example exec -it vault-example-0 vault auth enable kubernetes
 kubectl -n vault-example exec -it vault-example-0 sh
 vault write auth/kubernetes/config \
 token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
 kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 ```
 # Summary
 So we have a vault, an injector, TLS end to end, stateful storage.
 The injector can now inject secrets for pods from the vault.
 Now we are ready to use the platform for different types of secrets:
 ## Secret Injection Guides
 I've broken this down into basic guides to avoid this document from becoming too large.
 ### Basic Secrets
 Objective:
 ---------- 
 * Let's create a basic secret in vault manually
 * Application consumes the secret automatically
 [Try it](./vault/example-apps/basic-secret/readme.md)
--- a/hashicorp/vault/example-app/deployment.yaml
+++ b/hashicorp/vault/example-app/deployment.yaml
@ -1,27 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: app
  labels:
    app: vault-agent-demo
 spec:
  selector:
    matchLabels:
      app: vault-agent-demo
  replicas: 1
  template:
    metadata:
      labels:
        app: vault-agent-demo
    spec:
      serviceAccountName: app
      containers:
      - name: app
        image: jweissig/app:0.0.1
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: app
  labels:
    app: vault-agent-demo
--- a/hashicorp/vault/example-apps/basic-secret/deployment.yaml
+++ b/hashicorp/vault/example-apps/basic-secret/deployment.yaml
@ -1,32 +1,32 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: app
+  name: basic-secret
  labels:
-    app: vault-agent-demo
+    app: basic-secret
 spec:
  selector:
    matchLabels:
-      app: vault-agent-demo
+      app: basic-secret
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/tls-skip-verify: "true"
-        vault.hashicorp.com/agent-inject-secret-helloworld: "secret/helloworld"
+        vault.hashicorp.com/agent-inject-secret-helloworld: "secret/basic-secret/helloworld"
        vault.hashicorp.com/agent-inject-template-helloworld: |
-          {{- with secret "secret/helloworld" -}}
+          {{- with secret "secret/basic-secret/helloworld" -}}
          {
            "username" : "{{ .Data.username }}",
            "password" : "{{ .Data.password }}"
          }
          {{- end }}
-        vault.hashicorp.com/role: "myapp"
+        vault.hashicorp.com/role: "basic-secret-role"
      labels:
-        app: vault-agent-demo
+        app: basic-secret
    spec:
-      serviceAccountName: app
+      serviceAccountName: basic-secret
      containers:
      - name: app
        image: jweissig/app:0.0.1
@ -36,4 +36,4 @@ kind: ServiceAccount
 metadata:
  name: app
  labels:
-    app: vault-agent-demo
+    app: basic-secret
--- a/hashicorp/vault/example-apps/readme.md
+++ b/hashicorp/vault/example-apps/readme.md
@ -0,0 +1,41 @@
 # Basic Secret Injection
 In order for us to start using secrets in vault, we need to setup a policy.
 ```
 #Create a role for our app
 kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \
   bound_service_account_names=basic-secret \
   bound_service_account_namespaces=vault-example \
   policies=basic-secret-policy \
   ttl=1h
 ```
 The above maps our Kubernetes service account, used by our pod, to a policy.
 Now lets create the policy to map our service account to a bunch of secrets
 ```
 kubectl -n vault-example exec -it vault-example-0 sh
 cat <<EOF > /home/vault/app-policy.hcl
 path "secret/basic-secret/*" {
  capabilities = ["read"]
 }
 EOF
 vault policy write basic-secret-policy /home/vault/app-policy.hcl
 exit
 ```
 Now our service account for our pod can access all secrets under `secret/basic-secret/*`
 Lets create some secrets.
 ```
 kubectl -n vault-example exec -it vault-example-0 sh 
 vault secrets enable -path=secret/ kv
 vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
 exit
 ```
--- a/hashicorp/vault/policies/app-policy.md
+++ b/hashicorp/vault/policies/app-policy.md
@ -1,15 +0,0 @@
 # Create an App policy
 ```
 kubectl -n vault-example exec -it vault-example-0 sh
 cat <<EOF > /home/vault/app-policy.hcl
 path "secret*" {
  capabilities = ["read"]
 }
 EOF
 vault login
 vault policy write app /home/vault/app-policy.hcl
 ```
--- a/hashicorp/vault/policies/example-secret.md
+++ b/hashicorp/vault/policies/example-secret.md
@ -1,11 +0,0 @@
 # Create example secret
 ```
 kubectl -n vault-example exec -it vault-example-0 sh
 vault login
 vault secrets enable -path=secret/ kv
 vault kv put secret/helloworld username=foobaruser password=foobarbazpass
 ```
--- a/hashicorp/vault/policies/vault-enable-auth-k8s.md
+++ b/hashicorp/vault/policies/vault-enable-auth-k8s.md
@ -1,20 +0,0 @@
 # Enable Kubernetes Vault Auth
 ```
 kubectl -n vault-example exec -it vault-example-0 sh
 vault login
 vault auth enable kubernetes
 vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 vault write auth/kubernetes/role/myapp \
   bound_service_account_names=app \
   bound_service_account_namespaces=vault-example \
   policies=app \
   ttl=1h
 ```