Skip to content

Latest commit

 

History

History
203 lines (139 loc) · 4.73 KB

readme.md

File metadata and controls

203 lines (139 loc) · 4.73 KB

Hashicorp Vault Guide

introduction hashicorp vault

Requirements:

  • Kubernetes 1.21
  • Kind or Minikube

For this tutorial, I will be using Kubernetes 1.21. If you are watching the old guide for Kubernetes 1.17, go here

Lets create a Kubernetes cluster to play with using kind

cd hashicorp/vault-2022

kind create cluster --name vault --image kindest/node:v1.21.1 --config kind.yaml

Next up, I will be running a small container where I will be doing all the work from: You can skip this part if you already have kubectl and helm on your machine.

docker run -it --rm --net host -v ${HOME}/.kube/:/root/.kube/ -v ${PWD}:/work -w /work alpine sh

Install kubectl

apk add --no-cache curl
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
chmod +x ./kubectl
mv ./kubectl /usr/local/bin/kubectl

Install helm

curl -LO https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz
tar -C /tmp/ -zxvf helm-v3.7.2-linux-amd64.tar.gz
rm helm-v3.7.2-linux-amd64.tar.gz
mv /tmp/linux-amd64/helm /usr/local/bin/helm
chmod +x /usr/local/bin/helm

Now we have helm and kubectl and can access our kind cluster:

kubectl get nodes
NAME                  STATUS   ROLES                  AGE   VERSION
vault-control-plane   Ready    control-plane,master   37s   v1.21.1

Let's add the Helm repositories, so we can access the Kubernetes manifests

helm repo add hashicorp https://helm.releases.hashicorp.com

Storage: Consul

We will use a very basic Consul cluster for our Vault backend.
Let's find what versions of Consul are available:

helm search repo hashicorp/consul --versions

We can use chart 0.39.0 which is the latest at the time of this demo Let's create a manifests folder and grab the YAML:


mkdir manifests

helm template consul hashicorp/consul \
  --namespace vault \
  --version 0.39.0 \
  -f consul-values.yaml \
  > ./manifests/consul.yaml

Deploy the consul services:

kubectl create ns vault
kubectl -n vault apply -f ./manifests/consul.yaml
kubectl -n vault get pods

TLS End to End Encryption

See steps in ./tls/ssl_generate_self_signed.md You'll need to generate TLS certs (or bring your own) Remember not to check-in your TLS to GIT :)

Create the TLS secret

kubectl -n vault create secret tls tls-ca \
 --cert ./tls/ca.pem  \
 --key ./tls/ca-key.pem

kubectl -n vault create secret tls tls-server \
  --cert ./tls/vault.pem \
  --key ./tls/vault-key.pem

Generate Kubernetes Manifests

Let's find what versions of vault are available:

helm search repo hashicorp/vault --versions

In this demo I will use the 0.22.0 chart

Let's firstly create a values file to customize vault. Let's grab the manifests:

helm template vault hashicorp/vault \
  --namespace vault \
  --version 0.19.0 \
  -f vault-values.yaml \
  > ./manifests/vault.yaml

Deployment

kubectl -n vault apply -f ./manifests/vault.yaml
kubectl -n vault get pods

Initialising Vault

kubectl -n vault exec -it vault-0 -- sh
kubectl -n vault exec -it vault-1 -- sh
kubectl -n vault exec -it vault-2 -- sh

vault operator init
vault operator unseal

kubectl -n vault exec -it vault-0 -- vault status
kubectl -n vault exec -it vault-1 -- vault status
kubectl -n vault exec -it vault-2 -- vault status

Web UI

Let's checkout the web UI:

kubectl -n vault get svc
kubectl -n vault port-forward svc/vault-ui 443:8200

Now we can access the web UI here

Enable Kubernetes Authentication

For the injector to be authorised to access vault, we need to enable K8s auth

kubectl -n vault exec -it vault-0 -- sh 

vault login
vault auth enable kubernetes

vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
issuer="https://kubernetes.default.svc.cluster.local"
exit

Summary

So we have a vault, an injector, TLS end to end, stateful storage. The injector can now inject secrets for pods from the vault.

Now we are ready to use the platform for different types of secrets:

Secret Injection Guides

Basic Secrets

Objective:

  • Let's create a basic secret in vault manually
  • Application consumes the secret automatically

Try it