Sidecar injector

Description:

The Vault cluster is installed and configured on the euwe1c0-gke002 cluster according to the blueprint.

The Vault cluster UI and API are reachable at https://vault.tech.altenar.net:8200

Prerequisites:

On the external (application) cluster, create:

  • Namespace (optional)

  • Service account

  • Deployment

cat <<EOF | kubectl create -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: app
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: new-internal-app
  namespace: app
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
  namespace: app
  labels:
    app: orgchart
spec:
  selector:
    matchLabels:
      app: orgchart
  replicas: 1
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-inject-status: 'update'
        vault.hashicorp.com/role: 'new-internal-app'
        # must match the mount enabled in step 2 and the role path written in step 6
        vault.hashicorp.com/auth-path: "auth/cluster-name"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
        # disables verification of the Vault server certificate; prefer trusting the CA
        # via the vault.hashicorp.com/ca-cert annotation once the CA bundle is available in the pod
        vault.hashicorp.com/tls-skip-verify: 'true'
        vault.hashicorp.com/service: "https://vault.tech.altenar.net:8200"
        vault.hashicorp.com/agent-inject-template-database-config.txt: |
          {{- with secret "internal/data/database/config" -}}
          postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
          {{- end -}}
      labels:
        app: orgchart
    spec:
      serviceAccountName: new-internal-app
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1
EOF

Configuration steps:

1. Install the Vault Helm chart (injector only) on the application cluster, pointing it at the external Vault:

helm install vault hashicorp/vault \
    --set "injector.externalVaultAddr=https://vault.tech.altenar.net:8200"

2. Configure Kubernetes authentication on the Vault server (the mount path chosen here is what the vault.hashicorp.com/auth-path annotation refers to):

kubectl -n vault exec -it vault-0 -- /bin/sh
export VAULT_TOKEN=**********************
vault auth enable --path="cluster-name" kubernetes

3. On the app cluster:

First, get the JSON web token (JWT) from the token secret of the service account created by the Vault Helm chart (its name is held in VAULT_HELM_SECRET_NAME):

$ TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME --output='go-template={{ .data.token }}' | base64 --decode)

Next, retrieve the Kubernetes CA certificate (--minify limits the output to the current context, so make sure it points at the app cluster):

$ KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)

Next, retrieve the Kubernetes API server URL that Vault will use for token reviews:

$ KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

4. Exec into the Vault pod and configure the authentication method:

kubectl -n vault exec -it vault-0 -- /bin/sh
export VAULT_TOKEN=**********************
vault write auth/cluster-name/config \
        token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
        kubernetes_host="$KUBE_HOST" \
        kubernetes_ca_cert="$KUBE_CA_CERT"

5. Check the configuration:

vault read auth/cluster-name/config

6. Create a Kubernetes authentication role on the mount enabled in step 2. The role name must match the vault.hashicorp.com/role annotation, and the bound service account and namespace must match the Deployment; the internal-app policy must allow reading internal/data/database/config, the path the inject annotations reference.

vault write auth/cluster-name/role/new-internal-app \
    bound_service_account_names=new-internal-app \
    bound_service_account_namespaces=app \
    policies=internal-app \
    ttl=96h
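An added consistency check (example code, not part of this runbook or of the Vault project) for the mistakes that most often break steps 2 and 6: the role written under a mount other than the one in the auth-path annotation, a bound service account or namespace that does not match the Deployment, a template that reads a different path than its agent-inject-secret annotation, and tls-skip-verify left enabled. DEPLOYMENT and ROLE_JSON are constructed from the values on this page; in practice they would come from kubectl get deploy -o json and vault read -format=json.

```python
import json
import re

# Constructed from the orgchart Deployment on this page; only the fields the check needs.
DEPLOYMENT = {
    "namespace": "app",
    "serviceAccountName": "new-internal-app",
    "annotations": {
        "vault.hashicorp.com/role": "new-internal-app",
        "vault.hashicorp.com/auth-path": "auth/cluster-name",
        "vault.hashicorp.com/tls-skip-verify": "true",
        "vault.hashicorp.com/agent-inject-secret-database-config.txt": "internal/data/database/config",
        "vault.hashicorp.com/agent-inject-template-database-config.txt":
            '{{- with secret "internal/data/database/config" -}}\n'
            "postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard\n"
            "{{- end -}}",
    },
}

# Constructed sample of `vault read -format=json <role path>` for the role written in step 6.
ROLE_JSON = json.dumps({"data": {"bound_service_account_names": ["new-internal-app"],
                                 "bound_service_account_namespaces": ["app"], "policies": ["internal-app"]}})


def check_injector_config(deployment, role_path, role_json):
    """Return a list of findings; an empty list means annotations and role agree."""
    ann = deployment["annotations"]
    role = json.loads(role_json)["data"]
    findings = []
    # The agent logs in at <auth-path>/login with <role>, so the role must live on that mount.
    expected = f'{ann["vault.hashicorp.com/auth-path"]}/role/{ann["vault.hashicorp.com/role"]}'
    if role_path != expected:
        findings.append(f"role written at {role_path} but annotations expect {expected}")
    # The role must bind the service account and namespace the pod actually runs as.
    if deployment["serviceAccountName"] not in role["bound_service_account_names"]:
        findings.append(f'service account {deployment["serviceAccountName"]} is not bound to the role')
    if deployment["namespace"] not in role["bound_service_account_namespaces"]:
        findings.append(f'namespace {deployment["namespace"]} is not bound to the role')
    # Each agent-inject-secret-<name> path should be the path its template reads.
    prefix = "vault.hashicorp.com/agent-inject-secret-"
    for key, path in ann.items():
        if key.startswith(prefix):
            tmpl = ann.get("vault.hashicorp.com/agent-inject-template-" + key[len(prefix):], "")
            for ref in re.findall(r'secret\s+"([^"]+)"', tmpl):
                if ref != path:
                    findings.append(f"template for {key[len(prefix):]} reads {ref}, annotation says {path}")
    if ann.get("vault.hashicorp.com/tls-skip-verify") == "true":
        findings.append("tls-skip-verify is true: the agent will not verify the Vault server certificate")
    return findings
```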

7. Restart the deployment on the app cluster so the injector webhook mutates the new pods:

kubectl -n app rollout restart deployment orgchart

8. Display the secret written to the orgchart container in the orgchart pod:

kubectl -n app exec \
    $(kubectl -n app get pod -l app=orgchart -o jsonpath="{.items[0].metadata.name}") \
    --container orgchart -- cat /vault/secrets/database-config.txt; echo
postgresql://db-readonly-user:db-secret-password@postgres:5432/wizard
