dynamic secret injection

This commit is contained in:
marcel-dempers 2020-03-04 15:38:24 +11:00
parent e711ed29fa
commit c12a0f1443
5 changed files with 122 additions and 55 deletions

View File

@ -7,7 +7,9 @@ In order for us to start using secrets in vault, we need to setup a policy.
``` ```
#Create a role for our app #Create a role for our app
kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \ kubectl -n vault-example exec -it vault-example-0 sh
vault write auth/kubernetes/role/basic-secret-role \
bound_service_account_names=basic-secret \ bound_service_account_names=basic-secret \
bound_service_account_namespaces=vault-example \ bound_service_account_namespaces=vault-example \
policies=basic-secret-policy \ policies=basic-secret-policy \
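Review bot: after switching from a one-shot `kubectl exec ... vault write` to `kubectl exec -it vault-example-0 sh`, the snippet now drops the reader into a shell inside the Vault pod but never leaves it; the next readme block in this same file ends with `exit`, so add an `exit` line after the `vault write` for consistency, otherwise any following `kubectl` command is typed into the pod's shell where it does not exist.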
@ -44,4 +46,5 @@ Lets deploy our app and see if it works:
``` ```
kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml
kubectl -n vault-example get pods
``` ```
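Review bot: the added `kubectl -n vault-example get pods` is a good check, but the text does not say what success looks like; one sentence noting that an injected pod should report READY 2/2 (the app container plus the vault-agent sidecar) and that a pod stuck in Init means the agent could not authenticate would make "see if it works" actionable.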

View File

@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: dynamic-postgres
labels:
app: dynamic-postgres
spec:
selector:
matchLabels:
app: dynamic-postgres
replicas: 1
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/tls-skip-verify: "true"
vault.hashicorp.com/agent-inject-secret-sql-role: "database/creds/sql-role"
vault.hashicorp.com/agent-inject-template-sql-role: |
{
{{- with secret "database/creds/sql-role" -}}
"db_connection": "host=postgres.postgress port=5432 user={{ .Data.username }} password={{ .Data.password }} dbname=postgresdb sslmode=disable"
{{- end }}
}
vault.hashicorp.com/role: "sql-role"
labels:
app: dynamic-postgres
spec:
serviceAccountName: dynamic-postgres
containers:
- name: app
image: jweissig/app:0.0.1
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynamic-postgres
labels:
app: dynamic-postgres
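Review bot: the rendered template uses `host=postgres.postgress`, but the Service added in postgres.yaml is named `postgres` in the `postgres` namespace and the readme's Vault `connection_url` points at `postgres.postgres:5432`, so the injected connection string will not resolve; change it to `host=postgres.postgres`. Two further points: `vault.hashicorp.com/tls-skip-verify: "true"` turns off verification of the Vault server certificate for the agent, which is fine for this demo but should be called out in a comment (the injector supports `vault.hashicorp.com/ca-cert` for a mounted CA instead), and `sslmode=disable` means the freshly issued dynamic credentials travel to PostgreSQL in plaintext. Also consider placing the ServiceAccount before the Deployment in the file so the pod's `serviceAccountName` exists when the first ReplicaSet is created.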

View File

@ -1,13 +1,13 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
  name: postgres-config name: postgres-config
  labels: labels:
    app: postgres app: postgres
data: data:
  POSTGRES_DB: postgresdb POSTGRES_DB: postgresdb
  POSTGRES_USER: postgresadmin POSTGRES_USER: postgresadmin
  POSTGRES_PASSWORD: admin123 POSTGRES_PASSWORD: admin123
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
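Review bot: `POSTGRES_USER` and `POSTGRES_PASSWORD` are committed in a ConfigMap in clear text; even for a demo these belong in a `Secret` consumed via `secretKeyRef`, and it is worth a comment that `admin123` is the same superuser credential the readme later hands to Vault as the database engine's root login, so anyone who can read this ConfigMap can mint credentials outside Vault.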
@ -32,10 +32,18 @@ spec:
envFrom: envFrom:
- configMapRef: - configMapRef:
name: postgres-config name: postgres-config
# volumeMounts: ---
# - mountPath: /var/lib/postgresql/data apiVersion: v1
# name: postgredb kind: Service
# volumes: metadata:
# - name: postgredb name: postgres
# persistentVolumeClaim: labels:
# claimName: postgres-pv-claim app: postgres
spec:
selector:
app: postgres
ports:
- protocol: TCP
name: http
port: 5432
targetPort: 5432
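Review bot: the Service port is named `http` but carries the PostgreSQL wire protocol on 5432; name it `postgres` (or `postgresql`) so tooling and policies that key off port names are not misled. Removing the commented-out PVC is fine for a demo, but the readme should say the database is ephemeral, since every pod restart wipes the roles Vault created and any leases it still tracks will fail to revoke cleanly.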

View File

@ -1,68 +1,79 @@
# Dynamic Secret Creation [PostgreSQL] # Dynamic Secret Creation [PostgreSQL]
Deploy our test database
```
kubectl create ns postgres
kubectl -n postgres apply -f ./hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml
kubectl -n postgres get pods
kubectl -n postgres exec -it <podname> bash
psql --username=postgresadmin postgresdb
```
```
Enable the database engine Enable the database engine
``` ```
kubectl -n vault-example exec -it vault-example-0 vault login kubectl -n vault-example exec -it vault-example-0 vault login
kubectl -n vault-example exec -it vault-example-0 vault secrets enable database kubectl -n vault-example exec -it vault-example-0 vault secrets enable database
```
#map connection details to a role ## Configure DB Credential creation
kubectl -n vault-example exec -it vault-example-0 vault write database/config/my-postgresql-database \
```
kubectl -n vault-example exec -it vault-example-0 sh
vault write database/config/postgresdb \
plugin_name=postgresql-database-plugin \ plugin_name=postgresql-database-plugin \
allowed_roles="my-role" \ allowed_roles="sql-role" \
connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \ connection_url="postgresql://{{username}}:{{password}}@postgres.postgres:5432/postgresdb?sslmode=disable" \
username="root" \ username="postgresadmin" \
password="root" password="admin123"
#create the role vault write database/roles/sql-role \
kubectl -n vault-example exec -it vault-example-0 vault write database/roles/my-role \ db_name=postgresdb \
db_name=my-postgresql-database \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
default_ttl="1h" \ default_ttl="1h" \
max_ttl="24h" max_ttl="24h"
``` #test
vault read database/creds/sql-role
``` ```
#Create a role for our app
kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \ ## Example Application
bound_service_account_names=basic-secret \
bound_service_account_namespaces=vault-example \ Create a policy to control access to secrets
policies=basic-secret-policy \
ttl=1h ```
kubectl -n vault-example exec -it vault-example-0 sh
cat <<EOF > /home/vault/postgres-app-policy.hcl
path "database/creds/sql-role" {
capabilities = ["read"]
}
EOF
vault policy write postgres-app-policy /home/vault/postgres-app-policy.hcl
``` ```
The above maps our Kubernetes service account, used by our pod, to a policy.
Now lets create the policy to map our service account to a bunch of secrets Bind our role to a service account for our application
``` ```
kubectl -n vault-example exec -it vault-example-0 sh kubectl -n vault-example exec -it vault-example-0 sh
cat <<EOF > /home/vault/app-policy.hcl
path "secret/basic-secret/*" {
capabilities = ["read"]
}
EOF
vault policy write basic-secret-policy /home/vault/app-policy.hcl
exit
```
Now our service account for our pod can access all secrets under `secret/basic-secret/*`
Lets create some secrets.
vault write auth/kubernetes/role/sql-role \
bound_service_account_names=dynamic-postgres \
bound_service_account_namespaces=vault-example \
policies=postgres-app-policy \
ttl=1h
```
kubectl -n vault-example exec -it vault-example-0 sh
vault secrets enable -path=secret/ kv
vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
exit
``` ```
Lets deploy our app and see if it works: kubectl -n vault-example apply -f .\hashicorp\vault\example-apps\dynamic-postgresql\deployment.yaml
```
kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml
```
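Review bot: the new `vault write database/config/postgresdb` block passes the static superuser credentials (`postgresadmin` / `admin123`) on the command line, and nothing afterwards retires them; add `vault write -force database/rotate-root/postgresdb` once the config is verified so the password in the ConfigMap stops working and only Vault holds the root login. The final deploy step uses Windows backslashes (`.\hashicorp\vault\example-apps\dynamic-postgresql\deployment.yaml`) while every other path in the repo uses forward slashes; on Linux or macOS the shell eats those backslashes, so use `./hashicorp/vault/example-apps/dynamic-postgresql/deployment.yaml`. Minor: the `creation_statements` grant `SELECT ON ALL TABLES IN SCHEMA public` covers only tables that exist at creation time, which is worth a sentence in the readme, and the `vault write auth/kubernetes/role/sql-role` block again ends without `exit` before the next `kubectl` command.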

View File

@ -8,6 +8,7 @@ It's critical because we'll need certain [admission controllers](https://kuberne
To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup. To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
``` ```
#Windows
kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62 kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
#Linux #Linux
@ -27,6 +28,7 @@ Remember not to check-in your TLS to GIT :)
``` ```
kubectl create ns vault-example kubectl create ns vault-example
kubectl -n vault-example apply -f ./hashicorp/vault/server/ kubectl -n vault-example apply -f ./hashicorp/vault/server/
kubectl -n vault-example get pods
``` ```
## Storage ## Storage
@ -44,6 +46,7 @@ if you need to change the storage class, deleve the pvc , edit YAML and re-apply
kubectl -n vault-example exec -it vault-example-0 vault operator init kubectl -n vault-example exec -it vault-example-0 vault operator init
#unseal 3 times #unseal 3 times
kubectl -n vault-example exec -it vault-example-0 vault operator unseal kubectl -n vault-example exec -it vault-example-0 vault operator unseal
kubectl -n vault-example get pods
``` ```
## Depploy the Injector ## Depploy the Injector
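Review bot: `kubectl get pods` after `vault operator unseal` only shows the container is running, not that the seal was actually lifted; `kubectl -n vault-example exec -it vault-example-0 vault status` and checking for `Sealed false` is the check the reader needs here. While editing this section, the heading in the context line is misspelled (`Depploy` should be `Deploy`), and the `operator init` output printed just above contains the unseal keys and root token, which deserves the same "do not check this in" warning the file already gives for TLS material.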
@ -53,7 +56,8 @@ VIDEO: <Coming-Soon>
Injector allows pods to automatically get secrets from the vault. Injector allows pods to automatically get secrets from the vault.
``` ```
kubectl -n vault-example apply -f ./hashicorp/vault/injector\ kubectl -n vault-example apply -f ./hashicorp/vault/injector/
kubectl -n vault-example get pods
``` ```
## Injector Kubernetes Auth Policy ## Injector Kubernetes Auth Policy
@ -70,6 +74,9 @@ vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \ kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
exit
kubectl -n vault-example get pods
``` ```
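Review bot: adding `exit` here fixes a real bug in the walkthrough: without it the `kubectl -n vault-example get pods` that follows would be typed into the Vault pod's shell, where `kubectl` is not installed. A quick `vault read auth/kubernetes/config` before the `exit` would let readers confirm `kubernetes_host` and the CA were stored as intended.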
@ -91,7 +98,7 @@ Objective:
* Let's create a basic secret in vault manually * Let's create a basic secret in vault manually
* Application consumes the secret automatically * Application consumes the secret automatically
[Try it](./vault/example-apps/basic-secret/readme.md) [Try it](./example-apps/basic-secret/readme.md)