example basic secret injection

2025-06-06 17:01:30 +00:00 · 2020-03-02 22:00:58 +00:00 · 2020-03-02 22:00:58 +00:00 · 2415cb33b2
commit 2415cb33b2
parent 428fc51e76
7 changed files with 151 additions and 139 deletions
--- a/hashicorp/readme.md
+++ b/hashicorp/readme.md
@ -9,10 +9,14 @@ To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with

 ```
 kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
+
+#Linux
+kind create cluster --name vault --kubeconfig ~/.kube/kind-vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
 ```

 ## TLS End to End Encryption

+VIDEO: <Coming-Soon>
 See steps in `hashicorp/vault/tls/ssl_generate_self_signed.txt`
 You'll need to generate TLS certs (or bring your own)
 Create base64 strings from the files, place it in the `server-tls-secret.yaml` and apply it.
@ -22,7 +26,7 @@ Remember not to check-in your TLS to GIT :)

 ```
 kubectl create ns vault-example
-kubectl -n vault-example apply -f .\hashicorp\vault\server\
+kubectl -n vault-example apply -f ./hashicorp/vault/server/
 ```

 ## Storage
@ -38,17 +42,57 @@ if you need to change the storage class, deleve the pvc , edit YAML and re-apply

 ```
 kubectl -n vault-example exec -it vault-example-0 vault operator init
+#unseal 3 times
 kubectl -n vault-example exec -it vault-example-0 vault operator unseal
 ```

 ## Depploy the Injector

+VIDEO: <Coming-Soon>
+
 Injector allows pods to automatically get secrets from the vault.

 ```
-kubectl -n vault-example apply -f .\hashicorp\vault\injector\
+kubectl -n vault-example apply -f ./hashicorp/vault/injector\
 ```

+## Injector Kubernetes Auth Policy
+
+For the injector to be authorised to access vault, we need to enable K8s auth
+
+```
+kubectl -n vault-example exec -it vault-example-0 vault login
+kubectl -n vault-example exec -it vault-example-0 vault auth enable kubernetes
+
+
+kubectl -n vault-example exec -it vault-example-0 sh
+vault write auth/kubernetes/config \
+token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
+kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+```
+
+# Summary
+
+So we have a vault, an injector, TLS end to end, stateful storage.
+The injector can now inject secrets for pods from the vault.
+
+Now we are ready to use the platform for different types of secrets:
+
+## Secret Injection Guides
+
+I've broken this down into basic guides to avoid this document from becoming too large.
+
+### Basic Secrets
+
+Objective:
+---------- 
+* Let's create a basic secret in vault manually
+* Application consumes the secret automatically
+
+[Try it](./vault/example-apps/basic-secret/readme.md)
+



--- a/hashicorp/vault/example-app/deployment.yaml
+++ b/hashicorp/vault/example-app/deployment.yaml
@ -1,27 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: app
-  labels:
-    app: vault-agent-demo
-spec:
-  selector:
-    matchLabels:
-      app: vault-agent-demo
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: vault-agent-demo
-    spec:
-      serviceAccountName: app
-      containers:
-      - name: app
-        image: jweissig/app:0.0.1
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: app
-  labels:
-    app: vault-agent-demo
--- a/hashicorp/vault/example-apps/basic-secret/deployment.yaml
+++ b/hashicorp/vault/example-apps/basic-secret/deployment.yaml
@ -1,32 +1,32 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: app
+  name: basic-secret
  labels:
-    app: vault-agent-demo
+    app: basic-secret
 spec:
  selector:
    matchLabels:
-      app: vault-agent-demo
+      app: basic-secret
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/tls-skip-verify: "true"
-        vault.hashicorp.com/agent-inject-secret-helloworld: "secret/helloworld"
+        vault.hashicorp.com/agent-inject-secret-helloworld: "secret/basic-secret/helloworld"
        vault.hashicorp.com/agent-inject-template-helloworld: |
-          {{- with secret "secret/helloworld" -}}
+          {{- with secret "secret/basic-secret/helloworld" -}}
          {
            "username" : "{{ .Data.username }}",
            "password" : "{{ .Data.password }}"
          }
          {{- end }}
-        vault.hashicorp.com/role: "myapp"
+        vault.hashicorp.com/role: "basic-secret-role"
      labels:
-        app: vault-agent-demo
+        app: basic-secret
    spec:
-      serviceAccountName: app
+      serviceAccountName: basic-secret
      containers:
      - name: app
        image: jweissig/app:0.0.1
@ -36,4 +36,4 @@ kind: ServiceAccount
 metadata:
  name: app
  labels:
-    app: vault-agent-demo
+    app: basic-secret
--- a/hashicorp/vault/example-apps/readme.md
+++ b/hashicorp/vault/example-apps/readme.md
@ -0,0 +1,41 @@
+# Basic Secret Injection
+
+
+In order for us to start using secrets in vault, we need to setup a policy.
+
+
+```
+#Create a role for our app
+
+kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \
+   bound_service_account_names=basic-secret \
+   bound_service_account_namespaces=vault-example \
+   policies=basic-secret-policy \
+   ttl=1h
+```
+
+The above maps our Kubernetes service account, used by our pod, to a policy.
+Now lets create the policy to map our service account to a bunch of secrets
+
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh
+cat <<EOF > /home/vault/app-policy.hcl
+path "secret/basic-secret/*" {
+  capabilities = ["read"]
+}
+EOF
+vault policy write basic-secret-policy /home/vault/app-policy.hcl
+exit
+```
+
+Now our service account for our pod can access all secrets under `secret/basic-secret/*`
+Lets create some secrets.
+
+
+```
+kubectl -n vault-example exec -it vault-example-0 sh 
+vault secrets enable -path=secret/ kv
+vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
+exit
+```
--- a/hashicorp/vault/policies/app-policy.md
+++ b/hashicorp/vault/policies/app-policy.md
@ -1,15 +0,0 @@
-# Create an App policy
-
-```
-kubectl -n vault-example exec -it vault-example-0 sh
-
-cat <<EOF > /home/vault/app-policy.hcl
-path "secret*" {
-  capabilities = ["read"]
-}
-EOF
-
-vault login
-vault policy write app /home/vault/app-policy.hcl
-
-```
--- a/hashicorp/vault/policies/example-secret.md
+++ b/hashicorp/vault/policies/example-secret.md
@ -1,11 +0,0 @@
-# Create example secret
-
-```
-kubectl -n vault-example exec -it vault-example-0 sh
-
-vault login
-
-vault secrets enable -path=secret/ kv
-vault kv put secret/helloworld username=foobaruser password=foobarbazpass
-
-```
--- a/hashicorp/vault/policies/vault-enable-auth-k8s.md
+++ b/hashicorp/vault/policies/vault-enable-auth-k8s.md
@ -1,20 +0,0 @@
-# Enable Kubernetes Vault Auth
-
-```
-kubectl -n vault-example exec -it vault-example-0 sh
-
-vault login
-vault auth enable kubernetes
-
-vault write auth/kubernetes/config \
-   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
-   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-
-vault write auth/kubernetes/role/myapp \
-   bound_service_account_names=app \
-   bound_service_account_namespaces=vault-example \
-   policies=app \
-   ttl=1h
-
-```