diff --git a/hashicorp/vault/example-apps/basic-secret/readme.md b/hashicorp/vault/example-apps/basic-secret/readme.md index 693ea9e..09bae17 100644 --- a/hashicorp/vault/example-apps/basic-secret/readme.md +++ b/hashicorp/vault/example-apps/basic-secret/readme.md @@ -7,7 +7,9 @@ In order for us to start using secrets in vault, we need to setup a policy. ``` #Create a role for our app -kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \ +kubectl -n vault-example exec -it vault-example-0 sh + +vault write auth/kubernetes/role/basic-secret-role \ bound_service_account_names=basic-secret \ bound_service_account_namespaces=vault-example \ policies=basic-secret-policy \ @@ -44,4 +46,5 @@ Lets deploy our app and see if it works: ``` kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml +kubectl -n vault-example get pods ``` \ No newline at end of file diff --git a/hashicorp/vault/example-apps/dynamic-postgresql/deployment.yaml b/hashicorp/vault/example-apps/dynamic-postgresql/deployment.yaml new file mode 100644 index 0000000..d57d3d4 --- /dev/null +++ b/hashicorp/vault/example-apps/dynamic-postgresql/deployment.yaml 
@@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dynamic-postgres + labels: + app: dynamic-postgres +spec: + selector: + matchLabels: + app: dynamic-postgres + replicas: 1 + template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/tls-skip-verify: "true" + vault.hashicorp.com/agent-inject-secret-sql-role: "database/creds/sql-role" + vault.hashicorp.com/agent-inject-template-sql-role: | + { + {{- with secret "database/creds/sql-role" -}} + "db_connection": "host=postgres.postgress port=5432 user={{ .Data.username }} password={{ .Data.password }} dbname=postgresdb sslmode=disable" + {{- end }} + } + vault.hashicorp.com/role: "sql-role" + labels: + app: dynamic-postgres + spec: + serviceAccountName: dynamic-postgres + containers: + - name: app + image: jweissig/app:0.0.1 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dynamic-postgres + labels: + app: dynamic-postgres \ No newline at end of file diff --git a/hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml b/hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml index 467bb11..4010743 100644 --- a/hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml +++ b/hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml @@ -1,13 +1,13 @@ apiVersion: v1 kind: ConfigMap metadata: -  name: postgres-config -  labels: -    app: postgres + name: postgres-config + labels: + app: postgres data: -  POSTGRES_DB: postgresdb -  POSTGRES_USER: postgresadmin -  POSTGRES_PASSWORD: admin123 + POSTGRES_DB: postgresdb + POSTGRES_USER: postgresadmin + POSTGRES_PASSWORD: admin123 --- apiVersion: apps/v1 kind: Deployment 
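Review bot: The injected template hard-codes `host=postgres.postgress`, which does not match the Service named `postgres` that the postgres.yaml change in this same commit creates (the readme deploys it into the `postgres` namespace, so the in-cluster name would be `postgres.postgres`); the rendered connection string will fail name resolution even though Vault issues valid credentials. The fix is one line in the template: `"db_connection": "host=postgres.postgres port=5432 user={{ .Data.username }} password={{ .Data.password }} dbname=postgresdb sslmode=disable"`. Separately, `vault.hashicorp.com/tls-skip-verify: "true"` turns off certificate verification between the agent sidecar and Vault, and `sslmode=disable` sends each freshly issued username and password to Postgres in cleartext, so anyone on the pod network can harvest live database credentials. That is tolerable for a kind lab but should be called out in the manifest, e.g. `# lab only: never skip TLS verification or disable sslmode outside a throwaway cluster`, so the annotation is not copied into a real deployment.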
@@ -32,10 +32,18 @@ spec: envFrom: - configMapRef: name: postgres-config - # volumeMounts: - # - mountPath: /var/lib/postgresql/data - # name: postgredb - # volumes: - # - name: postgredb - # persistentVolumeClaim: - # claimName: postgres-pv-claim \ No newline at end of file +--- +apiVersion: v1 +kind: Service +metadata: + name: postgres + labels: + app: postgres +spec: + selector: + app: postgres + ports: + - protocol: TCP + name: http + port: 5432 + targetPort: 5432 \ No newline at end of file diff --git a/hashicorp/vault/example-apps/dynamic-postgresql/readme.md b/hashicorp/vault/example-apps/dynamic-postgresql/readme.md index ea75f31..425f3c5 100644 --- a/hashicorp/vault/example-apps/dynamic-postgresql/readme.md +++ b/hashicorp/vault/example-apps/dynamic-postgresql/readme.md 
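Review bot: The new Service makes Postgres reachable cluster-wide, yet the container still pulls its credentials through `envFrom` → `configMapRef: postgres-config`, and the ConfigMap changed earlier in this file carries `POSTGRES_PASSWORD: admin123` in plain text; ConfigMaps are not treated as sensitive by RBAC defaults or audit tooling, so the admin password is readable by anyone who can list ConfigMaps in the namespace. Move the credentials into a `Secret` and reference it with `- secretRef:` / `name: postgres-secret` in place of `- configMapRef:` / `name: postgres-config`. Minor: the port is labelled `name: http` although it carries the Postgres wire protocol on 5432; `name: postgres` is less misleading. The deleted PVC stanza also means the database is now ephemeral, which is fine for a demo but deserves a one-line comment on the Deployment so nobody expects data to survive a pod restart.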
@@ -1,68 +1,79 @@ # Dynamic Secret Creation [PostgreSQL] +Deploy our test database + +``` +kubectl create ns postgres +kubectl -n postgres apply -f ./hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml +kubectl -n postgres get pods + +kubectl -n postgres exec -it bash +psql --username=postgresadmin postgresdb +``` + +``` Enable the database engine ``` kubectl -n vault-example exec -it vault-example-0 vault login kubectl -n vault-example exec -it vault-example-0 vault secrets enable database +``` -#map connection details to a role -kubectl -n vault-example exec -it vault-example-0 vault write database/config/my-postgresql-database \ +## Configure DB Credential creation + +``` +kubectl -n vault-example exec -it vault-example-0 sh + +vault write database/config/postgresdb \ plugin_name=postgresql-database-plugin \ - allowed_roles="my-role" \ - connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \ - username="root" \ - password="root" + allowed_roles="sql-role" \ + connection_url="postgresql://{{username}}:{{password}}@postgres.postgres:5432/postgresdb?sslmode=disable" \ + username="postgresadmin" \ + password="admin123" -#create the role -kubectl -n vault-example exec -it vault-example-0 vault write database/roles/my-role \ - db_name=my-postgresql-database \ + vault write database/roles/sql-role \ + db_name=postgresdb \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ default_ttl="1h" \ max_ttl="24h" -``` +#test +vault read database/creds/sql-role ``` -#Create a role for our app -kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \ - bound_service_account_names=basic-secret \ - bound_service_account_namespaces=vault-example \ - policies=basic-secret-policy \ - ttl=1h +## Example Application + +Create a policy to control access to secrets + +``` +kubectl -n 
vault-example exec -it vault-example-0 sh + +cat < /home/vault/postgres-app-policy.hcl +path "database/creds/sql-role" { + capabilities = ["read"] +} +EOF + +vault policy write postgres-app-policy /home/vault/postgres-app-policy.hcl + ``` -The above maps our Kubernetes service account, used by our pod, to a policy. -Now lets create the policy to map our service account to a bunch of secrets + +Bind our role to a service account for our application ``` kubectl -n vault-example exec -it vault-example-0 sh -cat < /home/vault/app-policy.hcl -path "secret/basic-secret/*" { - capabilities = ["read"] -} -EOF -vault policy write basic-secret-policy /home/vault/app-policy.hcl -exit -``` - -Now our service account for our pod can access all secrets under `secret/basic-secret/*` -Lets create some secrets. +vault write auth/kubernetes/role/sql-role \ + bound_service_account_names=dynamic-postgres \ + bound_service_account_namespaces=vault-example \ + policies=postgres-app-policy \ + ttl=1h -``` -kubectl -n vault-example exec -it vault-example-0 sh -vault secrets enable -path=secret/ kv -vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd -exit ``` -Lets deploy our app and see if it works: - -``` -kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml -``` \ No newline at end of file +kubectl -n vault-example apply -f .\hashicorp\vault\example-apps\dynamic-postgresql\deployment.yaml \ No newline at end of file diff --git a/hashicorp/readme.md b/hashicorp/vault/readme.md similarity index 91% rename from hashicorp/readme.md rename to hashicorp/vault/readme.md index afee566..1e5a5c2 100644 --- a/hashicorp/readme.md +++ b/hashicorp/vault/readme.md 
@@ -8,6 +8,7 @@ It's critical because we'll need certain [admission controllers](https://kuberne To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup. ``` +#Windows kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62 #Linux @@ -27,6 +28,7 @@ Remember not to check-in your TLS to GIT :) ``` kubectl create ns vault-example kubectl -n vault-example apply -f ./hashicorp/vault/server/ +kubectl -n vault-example get pods ``` ## Storage @@ -44,6 +46,7 @@ if you need to change the storage class, deleve the pvc , edit YAML and re-apply kubectl -n vault-example exec -it vault-example-0 vault operator init #unseal 3 times kubectl -n vault-example exec -it vault-example-0 vault operator unseal +kubectl -n vault-example get pods ``` ## Depploy the Injector @@ -53,7 +56,8 @@ VIDEO: Injector allows pods to automatically get secrets from the vault. ``` -kubectl -n vault-example apply -f ./hashicorp/vault/injector\ +kubectl -n vault-example apply -f ./hashicorp/vault/injector/ +kubectl -n vault-example get pods ``` ## Injector Kubernetes Auth Policy @@ -70,6 +74,9 @@ vault write auth/kubernetes/config \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt +exit + +kubectl -n vault-example get pods ``` @@ -91,7 +98,7 @@ Objective: * Let's create a basic secret in vault manually * Application consumes the secret automatically -[Try it](./vault/example-apps/basic-secret/readme.md) +[Try it](./example-apps/basic-secret/readme.md)