dynamic secret injection
This commit is contained in:
parent
e711ed29fa
commit
c12a0f1443
@ -7,7 +7,9 @@ In order for us to start using secrets in vault, we need to setup a policy.
|
||||
```
|
||||
#Create a role for our app
|
||||
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
|
||||
vault write auth/kubernetes/role/basic-secret-role \
|
||||
bound_service_account_names=basic-secret \
|
||||
bound_service_account_namespaces=vault-example \
|
||||
policies=basic-secret-policy \
|
||||
@ -44,4 +46,5 @@ Lets deploy our app and see if it works:
|
||||
|
||||
```
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml
|
||||
kubectl -n vault-example get pods
|
||||
```
|
@ -0,0 +1,38 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: dynamic-postgres
|
||||
labels:
|
||||
app: dynamic-postgres
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: dynamic-postgres
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
vault.hashicorp.com/agent-inject: "true"
|
||||
vault.hashicorp.com/tls-skip-verify: "true"
|
||||
vault.hashicorp.com/agent-inject-secret-sql-role: "database/creds/sql-role"
|
||||
vault.hashicorp.com/agent-inject-template-sql-role: |
|
||||
{
|
||||
{{- with secret "database/creds/sql-role" -}}
|
||||
"db_connection": "host=postgres.postgress port=5432 user={{ .Data.username }} password={{ .Data.password }} dbname=postgresdb sslmode=disable"
|
||||
{{- end }}
|
||||
}
|
||||
vault.hashicorp.com/role: "sql-role"
|
||||
labels:
|
||||
app: dynamic-postgres
|
||||
spec:
|
||||
serviceAccountName: dynamic-postgres
|
||||
containers:
|
||||
- name: app
|
||||
image: jweissig/app:0.0.1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: dynamic-postgres
|
||||
labels:
|
||||
app: dynamic-postgres
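Review bot: The rendered template writes `host=postgres.postgress` into `db_connection`, which does not match the `postgres.postgres` service/namespace name this commit uses in the Vault `connection_url` and in `kubectl create ns postgres`, so the app will fail name resolution before it ever uses the injected credentials; it should read `host=postgres.postgres port=5432 ...`. On the same line, `sslmode=disable` sends the freshly minted one-hour credentials to the database in cleartext — `sslmode=require` (or `verify-full` once the database has a certificate) keeps them off the wire, and the same applies to the `connection_url` in the readme. `vault.hashicorp.com/tls-skip-verify: "true"` disables certificate verification for every call the injected agent makes to Vault, so anyone who can intercept in-cluster traffic to the Vault service can read the agent's Vault token and the database credentials it fetches; since the main readme already sets up TLS for the server, drop this annotation and point the agent at that CA instead (e.g. `vault.hashicorp.com/ca-cert: "<path to the mounted CA cert>"`), or at minimum comment that skip-verify is acceptable only for this local kind demo. The pod also pins `jweissig/app:0.0.1` by tag only and runs with no `securityContext` or resource limits, which is fine for a demo but worth a one-line comment so it is not copied into a real deployment.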
|
@ -1,13 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: postgres-config
|
||||
labels:
|
||||
app: postgres
|
||||
name: postgres-config
|
||||
labels:
|
||||
app: postgres
|
||||
data:
|
||||
POSTGRES_DB: postgresdb
|
||||
POSTGRES_USER: postgresadmin
|
||||
POSTGRES_PASSWORD: admin123
|
||||
POSTGRES_DB: postgresdb
|
||||
POSTGRES_USER: postgresadmin
|
||||
POSTGRES_PASSWORD: admin123
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
@ -32,10 +32,18 @@ spec:
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: postgres-config
|
||||
# volumeMounts:
|
||||
# - mountPath: /var/lib/postgresql/data
|
||||
# name: postgredb
|
||||
# volumes:
|
||||
# - name: postgredb
|
||||
# persistentVolumeClaim:
|
||||
# claimName: postgres-pv-claim
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: postgres
|
||||
labels:
|
||||
app: postgres
|
||||
spec:
|
||||
selector:
|
||||
app: postgres
|
||||
ports:
|
||||
- protocol: TCP
|
||||
name: http
|
||||
port: 5432
|
||||
targetPort: 5432
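Review bot: The PostgreSQL superuser password `admin123` is kept in a ConfigMap (`POSTGRES_PASSWORD` in `postgres-config`) rather than a Secret, and this commit's readme then reuses that same static password as the root credential for `database/config/postgresdb`, so anyone who can read ConfigMaps in the `postgres` namespace holds the account Vault uses to mint every dynamic role. Move `POSTGRES_USER`/`POSTGRES_PASSWORD` into a `Secret` referenced via `secretRef:` under the `envFrom:` stanza at the top of this hunk, and after configuring Vault run `vault write -f database/rotate-root/postgresdb` so that only Vault knows the root password from then on. The new Service labels port 5432 as `name: http`; `name: postgres` (or `tcp-postgres`) avoids misleading port-name-based protocol detection. With the PVC commented out the database is ephemeral, so roles Vault created will disappear on pod restart while Vault still holds their leases and revocation will presumably error until they expire — a comment such as `# demo only: no persistence, Vault-created roles are lost on restart` would make that deliberate.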
|
@ -1,68 +1,79 @@
|
||||
# Dynamic Secret Creation [PostgreSQL]
|
||||
|
||||
Deploy our test database
|
||||
|
||||
|
||||
```
|
||||
kubectl create ns postgres
|
||||
kubectl -n postgres apply -f ./hashicorp/vault/example-apps/dynamic-postgresql/postgres.yaml
|
||||
kubectl -n postgres get pods
|
||||
|
||||
kubectl -n postgres exec -it <podname> bash
|
||||
psql --username=postgresadmin postgresdb
|
||||
```
|
||||
|
||||
```
|
||||
Enable the database engine
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 vault login
|
||||
kubectl -n vault-example exec -it vault-example-0 vault secrets enable database
|
||||
```
|
||||
|
||||
#map connection details to a role
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write database/config/my-postgresql-database \
|
||||
## Configure DB Credential creation
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
|
||||
vault write database/config/postgresdb \
|
||||
plugin_name=postgresql-database-plugin \
|
||||
allowed_roles="my-role" \
|
||||
connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
|
||||
username="root" \
|
||||
password="root"
|
||||
allowed_roles="sql-role" \
|
||||
connection_url="postgresql://{{username}}:{{password}}@postgres.postgres:5432/postgresdb?sslmode=disable" \
|
||||
username="postgresadmin" \
|
||||
password="admin123"
|
||||
|
||||
#create the role
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write database/roles/my-role \
|
||||
db_name=my-postgresql-database \
|
||||
vault write database/roles/sql-role \
|
||||
db_name=postgresdb \
|
||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
|
||||
default_ttl="1h" \
|
||||
max_ttl="24h"
|
||||
|
||||
```
|
||||
#test
|
||||
vault read database/creds/sql-role
|
||||
|
||||
```
|
||||
#Create a role for our app
|
||||
|
||||
kubectl -n vault-example exec -it vault-example-0 vault write auth/kubernetes/role/basic-secret-role \
|
||||
bound_service_account_names=basic-secret \
|
||||
bound_service_account_namespaces=vault-example \
|
||||
policies=basic-secret-policy \
|
||||
ttl=1h
|
||||
## Example Application
|
||||
|
||||
Create a policy to control access to secrets
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
|
||||
cat <<EOF > /home/vault/postgres-app-policy.hcl
|
||||
path "database/creds/sql-role" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write postgres-app-policy /home/vault/postgres-app-policy.hcl
|
||||
|
||||
```
|
||||
|
||||
The above maps our Kubernetes service account, used by our pod, to a policy.
|
||||
Now lets create the policy to map our service account to a bunch of secrets
|
||||
|
||||
Bind our role to a service account for our application
|
||||
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
cat <<EOF > /home/vault/app-policy.hcl
|
||||
path "secret/basic-secret/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOF
|
||||
vault policy write basic-secret-policy /home/vault/app-policy.hcl
|
||||
exit
|
||||
```
|
||||
|
||||
Now our service account for our pod can access all secrets under `secret/basic-secret/*`
|
||||
Lets create some secrets.
|
||||
|
||||
vault write auth/kubernetes/role/sql-role \
|
||||
bound_service_account_names=dynamic-postgres \
|
||||
bound_service_account_namespaces=vault-example \
|
||||
policies=postgres-app-policy \
|
||||
ttl=1h
|
||||
|
||||
```
|
||||
kubectl -n vault-example exec -it vault-example-0 sh
|
||||
vault secrets enable -path=secret/ kv
|
||||
vault kv put secret/basic-secret/helloworld username=dbuser password=sUp3rS3cUr3P@ssw0rd
|
||||
exit
|
||||
```
|
||||
|
||||
Lets deploy our app and see if it works:
|
||||
|
||||
```
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/example-apps/basic-secret/deployment.yaml
|
||||
```
|
||||
kubectl -n vault-example apply -f .\hashicorp\vault\example-apps\dynamic-postgresql\deployment.yaml
|
@ -8,6 +8,7 @@ It's critical because we'll need certain [admission controllers](https://kuberne
|
||||
To get 1.17 for Linux\Windows, just use `kind` since you can create a 1.17 with admissions all setup.
|
||||
|
||||
```
|
||||
#Windows
|
||||
kind create cluster --name vault --image kindest/node:v1.17.0@sha256:9512edae126da271b66b990b6fff768fbb7cd786c7d39e86bdf55906352fdf62
|
||||
|
||||
#Linux
|
||||
@ -27,6 +28,7 @@ Remember not to check-in your TLS to GIT :)
|
||||
```
|
||||
kubectl create ns vault-example
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/server/
|
||||
kubectl -n vault-example get pods
|
||||
```
|
||||
|
||||
## Storage
|
||||
@ -44,6 +46,7 @@ if you need to change the storage class, deleve the pvc , edit YAML and re-apply
|
||||
kubectl -n vault-example exec -it vault-example-0 vault operator init
|
||||
#unseal 3 times
|
||||
kubectl -n vault-example exec -it vault-example-0 vault operator unseal
|
||||
kubectl -n vault-example get pods
|
||||
```
|
||||
|
||||
## Depploy the Injector
|
||||
@ -53,7 +56,8 @@ VIDEO: <Coming-Soon>
|
||||
Injector allows pods to automatically get secrets from the vault.
|
||||
|
||||
```
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/injector\
|
||||
kubectl -n vault-example apply -f ./hashicorp/vault/injector/
|
||||
kubectl -n vault-example get pods
|
||||
```
|
||||
|
||||
## Injector Kubernetes Auth Policy
|
||||
@ -70,6 +74,9 @@ vault write auth/kubernetes/config \
|
||||
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
|
||||
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
|
||||
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
exit
|
||||
|
||||
kubectl -n vault-example get pods
|
||||
|
||||
```
|
||||
|
||||
@ -91,7 +98,7 @@ Objective:
|
||||
* Let's create a basic secret in vault manually
|
||||
* Application consumes the secret automatically
|
||||
|
||||
[Try it](./vault/example-apps/basic-secret/readme.md)
|
||||
[Try it](./example-apps/basic-secret/readme.md)
|
||||
|
||||
|
||||
|