Skip to content
Zachary Seguin edited this page Dec 4, 2020 · 4 revisions

This document outlines how the Data Analytics as a Service (DAaaS) project is using Vault to manage secrets.

Custom Vault image

Our setup uses a custom Vault image to add a plugin which will generate MinIO credentials dynamically. The dockerfile which generates this is:

FROM golang:1.14.2-stretch AS build

# Set workdir

# Add dependencies
COPY go.mod .
COPY go.sum .
RUN go mod download

# Build
COPY . .
RUN CGO_ENABLED=0 go build ./cmd/vault-plugin-secrets-minio

FROM vault:1.4.0
COPY --from=build /work/vault-plugin-secrets-minio /plugins/vault-plugin-secrets-minio

Vault auto-unseal

Vault is setup to auto-unseal itself via an Azure Managed Identity assigned to the pod via AAD Pod Identity, and a key stored in an Azure Key Vault.

The sequence of events is:

  1. At pod creation, a pod annotation indicate the AAD Pod Identity to assign the Managed Identity to the pod aadpodidbinding=vault
  2. Vault is started and requests the Managed Identity token. This request is intercepted by AAD Pod Identity who performs the request to Azure and returns the token
  3. The returned token is utilized to connect to the Azure Key Vault which contains the decryption key for the information stored in the Storage Account
  4. With the Azure token and decryption key, Vault connects to the Storage Account and reads information stored in a Blob container. The information stored in the container is encrypted (and is decrypted with the key from Key Vault).

Integration with Boathouse

Vault integrates with Boathouse to enable the auto-mount of MinIO backed storage into Notebook containers.

  1. A Notebook is launched in a user's namespace

  2. The goofys-injector webhook is called and adds the volume spec and volume mount for boathouse

      - flexVolume:
          name: $NAME
            bucket: shared
            endpoint: https://MINIO
            gid: "100"
            region: us-east-1
            uid: "1000"
            vault-path: minio_minimal_tenant1/keys/profile-$PROFILE
            vault-ttl: 24h
      - mountPath: /home/jovyan/minio/$INSTANCE/$SHARED_OR_PRIVATE
        name: $NAME
  3. Boathouse flex volume driver (binary at /etc/kubernetes/volumeplugins/, copied there by the boathouse daemonset)

  4. Boathouse flexvolume driver calls boathouse daemonset pod on that node and asks for credentials from Vault

  5. Boathouse daemonset pod contacts Vault and requests credentials, returns them to the flexvolume driver

  6. Flexvolume driver starts goofys with the credentials

  7. Flexvolume driver updates the goofys credentials once per day following the same steps as #5

Common issues

Vault pod startup error

Error parsing Seal configuration: error fetching Azure Key Vault wrapper key information: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://$ StatusCode=403 -- Original Error: adal: Refresh request failed. Status Code = '403'. Response body: failed to refresh token, error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"}

This is normal to see once or twice on startup as the identity is being assigned to the underlying VMSS.

New node: boathouse errors

It is normal to see errors related to boathouse for up to 5 minutes after a node has been added to the cluster. This is because the DaemonSet pod that sets up boathouse is being deployed to the node.

Clone this wiki locally