This guide will walk you through deploying the Kubernetes Secret Manager.
MySQL is the backend used to demonstrate how to obtain database user accounts dynamically from Vault.
kubectl create -f deployments/mysql.yaml
This project uses Vault from HashiCorp as its secret backend to create secrets dynamically. A sample Vault deployment is included; it should only be used as a proof of concept and is not intended for production use.
kubectl create -f deployments/vault.yaml
The sample Vault instance included in this project runs in developer mode, which does not require unsealing; it still needs to be configured with the policies we'll use later in the demo. Open a shell in the Vault pod and run the setup script:
kubectl exec -it <podName> /bin/dumb-init /bin/sh
> setup-vault.sh
Running the above command (setup-vault.sh) does a couple of things. First, it mounts a mysql backend and writes policies that allow us to request credentials for the MySQL server. It also writes a sample static secret, which lets us mirror that secret as a Kubernetes secret.
The setup-vault.sh script creates some default policies, which are defined in the file myapp.hcl.
The controller requires a custom ThirdPartyResource, which it creates automatically.
The secret manager does all the work of talking to Vault to pull out secrets and managing the lifetime of those secrets.
- Get the root token of the Vault instance (in dev mode it is printed in the pod's log):
kubectl logs -f <vaultPodName>
- Copy the root token and paste it into the kubernetes-secret-manager deployment file, in the args section, as the value of -vault-token. The token then sits in plain text in the manifest and is readable by anyone who can read the Deployment, which is acceptable only for this demo.
- Deploy the secret manager:
kubectl create -f deployments/secret-manager.yaml
Once the ThirdPartyResource is created you can create the custom object that uses this new resource, as well as the sample application:
kubectl create -f sample-app/deployments/sample-app.yaml
The sample app yaml file defines the following config parameters:
- secret: Name of the secret to create in Kubernetes
- policy: Policy to request from Vault
To see the sample-app webpage, find the NodePort of the service:
kubectl describe svc sample-app
The sample webpage prints the username / password to the screen. Use those to connect to MySQL. When the max lease duration expires, the controller rotates the credentials in Vault and the app should pick up the new values automatically.
It's also possible to pull static secrets using the generic backend.
- Export your vault token:
export VAULT_TOKEN=b3b8e136-18e8-c286-5c80-e9d62f790814
- Post to vault a secret:
curl -X POST -H "X-Vault-Token:$VAULT_TOKEN" -d '{"bar":"baz"}' http://192.168.64.25:30619/v1/secret/foo
- Verify:
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://192.168.64.25:30619/v1/secret/foo | jq .
- Deploy app: kubectl create -f sample-app/deployments/static-secrets.yaml
- Verify:
kubectl exec -it <podname> cat /secrets/bar
(Outputs: baz)
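As an added example (not code from the kubernetes-secret-manager project), the following Python sketch shows both flows above against Vault's HTTP API: the static secret write and read that the curl commands perform, the dynamic MySQL credential request the controller makes on the app's behalf, a rotate-when-the-lease-expires check, and the Kubernetes Secret object the controller would mirror the values into. The `X-Vault-Token` header and `/v1/secret/<path>` come straight from the page's curl commands; `/v1/mysql/creds/<role>` is Vault's mysql backend path and is not shown on the page. The `readonly` role name, the in-memory `FakeVault` (so the script runs offline), and the choice to re-request credentials at expiry rather than renew the lease are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Transport signature: (method, path, json_body_or_None) -> parsed JSON response.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


@dataclass
class MySQLLease:
    """One dynamic credential handed out by Vault's mysql backend."""
    lease_id: str
    username: str
    password: str
    lease_duration: int   # seconds, as returned by Vault
    issued_at: float      # clock value when we received it

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.lease_duration


class VaultClient:
    """Minimal client for the two Vault endpoints this demo uses."""

    def __init__(self, addr: str, token: str, transport: Optional[Transport] = None,
                 clock: Callable[[], float] = time.time):
        self.addr = addr.rstrip("/")
        self.token = token
        self.clock = clock
        self._send = transport or self._http

    def _http(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        # Same request the page's curl commands make: token in X-Vault-Token, JSON body.
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.addr + path, data=data, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def write_static(self, path: str, data: Dict[str, Any]) -> None:
        """POST /v1/secret/<name> with the key/value pairs as the body (generic backend)."""
        self._send("POST", "/v1/" + path, data)

    def read_static(self, path: str) -> Dict[str, Any]:
        """GET /v1/secret/<name>; the stored pairs live under the 'data' key."""
        return self._send("GET", "/v1/" + path, None)["data"]

    def mysql_creds(self, role: str) -> MySQLLease:
        """Ask the mysql backend for a fresh user bound to <role> (assumed role name)."""
        resp = self._send("GET", "/v1/mysql/creds/" + role, None)
        return MySQLLease(resp["lease_id"], resp["data"]["username"],
                          resp["data"]["password"], int(resp["lease_duration"]), self.clock())

    def rotate_if_expired(self, role: str, lease: Optional[MySQLLease]) -> MySQLLease:
        """Controller-style check: keep the lease while valid, re-request once it has expired."""
        if lease is None or lease.expired(self.clock()):
            return self.mysql_creds(role)
        return lease


def secret_manifest(name: str, data: Dict[str, str]) -> Dict[str, Any]:
    """Kubernetes Secret mirroring the values; 'data' values must be base64-encoded."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque",
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}}


class FakeVault:
    """Constructed in-memory stand-in for the dev-mode Vault so the example runs offline.
    Usernames are made up; a real backend returns names generated from its role SQL."""

    def __init__(self, lease_duration: int = 3600):
        self.kv: Dict[str, Dict[str, Any]] = {}
        self.issued = 0
        self.lease_duration = lease_duration

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        if path.startswith("/v1/secret/"):
            if method == "POST":
                self.kv[path] = dict(body or {})
                return {}
            return {"data": self.kv[path], "lease_duration": 2764800, "renewable": False}
        if method == "GET" and path.startswith("/v1/mysql/creds/"):
            self.issued += 1
            role = path.rsplit("/", 1)[1]
            return {"lease_id": f"mysql/creds/{role}/lease-{self.issued}",
                    "lease_duration": self.lease_duration, "renewable": True,
                    "data": {"username": f"{role}-{self.issued}", "password": f"pw-{self.issued}"}}
        raise KeyError(f"unhandled {method} {path}")


if __name__ == "__main__":
    clock = [1000.0]
    client = VaultClient("http://127.0.0.1:8200", "root", transport=FakeVault(), clock=lambda: clock[0])
    client.write_static("secret/foo", {"bar": "baz"})
    print(secret_manifest("foo", client.read_static("secret/foo")))
    lease = client.rotate_if_expired("readonly", None)
    clock[0] += 3600                      # max lease reached: next check issues a new user
    print(lease.username, "->", client.rotate_if_expired("readonly", lease).username)
```

To run this against the page's dev-mode Vault instead of the fake, drop the `transport=` argument and pass the NodePort address and the root token from the Vault log; the request shape is identical.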