HashiCorp Vault

HashiCorp Vault is a secrets management tool that helps to provide secure, automated access to sensitive data. Vault handles leasing, key revocation, key rolling, auditing, and provides secrets as a service through a unified API.

Latest version of Vault.

Vault's own documentation.

Deploying Vault

  1. Create the directory infrastructure/base/vault and change into it

  2. Create namespace.yaml

kubectl create namespace vault \
  --dry-run=client \
  --output=yaml > namespace.yaml

  3. Create helmrepository.yaml

flux create source helm hashicorp \
    --interval=1h \
    --url=https://helm.releases.hashicorp.com \
    --export > helmrepository.yaml

  4. Create helmrelease.yaml

flux create helmrelease vault \
    --interval=1h \
    --release-name=vault \
    --namespace=vault \
    --target-namespace=vault \
    --source=HelmRepository/hashicorp.flux-system \
    --chart=vault \
    --chart-version=">=0.27.0-0" \
    --export > helmrelease.yaml

  5. Create kustomization.yaml

kustomize create --autodetect

  6. Commit your changes to Git

Connecting to Vault

  1. Port-forward the Vault server

kubectl port-forward -n vault svc/vault 8200:8200

  2. Set the VAULT_ADDR environment variable

export VAULT_ADDR=http://localhost:8200

  3. Check the status of Vault

vault status

Initialize Vault

  1. Connect to Vault as described in the Connecting to Vault section

  2. Initialize Vault

vault operator init

Save the root_token and unseal_keys in a safe place.

  3. Unseal Vault (run 3 times) with the keys from the previous command

vault operator unseal <UNSEAL_KEY>

Enabling the Kubernetes Authentication Method

  1. Exec into the Vault pod

kubectl exec -it vault-0 -n vault -- sh

  2. Log in to Vault

vault login <ROOT_TOKEN>

  3. Enable the Kubernetes authentication method

vault auth enable kubernetes

  4. Set variables

export K8S_HOST=https://$KUBERNETES_PORT_443_TCP_ADDR:443 \
  SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) \
  K8S_CACERT_PATH=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

  5. Configure the Kubernetes authentication method

vault write auth/kubernetes/config \
  kubernetes_host="$K8S_HOST" \
  token_reviewer_jwt=$SA_TOKEN \
  kubernetes_ca_cert=@$K8S_CACERT_PATH

  6. Exit the Vault pod

exit

Secrets Engines

All available secrets engines are listed in HashiCorp's own docs; some common examples follow.

Vault "Key/Value" Secrets Engine

Enabling the "Key/Value" Secrets Engine

  1. Follow the steps in the Enabling the Kubernetes Authentication Method section

  2. Connect to Vault as described in the Connecting to Vault section

  3. Log in to Vault

vault login <ROOT_TOKEN>

  4. Enable the secrets engine (mounted at secret/ so that the paths below resolve; without -path the engine is mounted at kv-v2/ or kv/ respectively)

With kv-v2 (recommended)

vault secrets enable -path=secret kv-v2

With kv-v1

vault secrets enable -path=secret kv

Creating a Secret

  1. Create a Vault secret

With kv-v2 (recommended)

vault kv put secret/api/cred key="<KEY>" secret="<SECRET>"

The kv CLI inserts the data/ prefix itself, so this stores the secret under the API path secret/data/api/cred; passing secret/data/api/cred to vault kv put would store it under secret/data/data/api/cred instead.

With kv-v1

vault kv put secret/api/cred key="<KEY>" secret="<SECRET>"

Vault "Database" Secrets Engine

Enabling the "Database" Secrets Engine

Once you have a database up and running, and a Vault user with the correct permissions, you can enable the database secrets engine.

  1. Follow the steps in the Enabling the Kubernetes Authentication Method section

  2. Connect to Vault as described in the Connecting to Vault section

  3. Log in to Vault

vault login <ROOT_TOKEN>

  4. Enable the secrets engine

vault secrets enable database

  5. Configure the database secrets engine

vault write database/config/my-postgres-server-name \
  plugin_name="postgresql-database-plugin" \
  allowed_roles="my-postgres-role" \
  connection_url="postgresql://{{username}}:{{password}}@postgres.postgres.svc.cluster.local:5432/postgres" \
  username="vault" \
  password="vaultpassword" \
  password_authentication="scram-sha-256"

  6. Create a Vault role for your namespace (each credential Vault issues from this role is a new database role that expires with its lease)

vault write database/roles/my-postgres-role \
  db_name="my-postgres-server-name" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
      GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

Vault "RabbitMQ" Secrets Engine

Enabling the "RabbitMQ" Secrets Engine

Vault RabbitMQ docs

Once you have a RabbitMQ server up and running, and a Vault user with the correct permissions, you can enable the RabbitMQ secrets engine.

  1. Enable the secrets engine

vault secrets enable rabbitmq

  2. Configure the RabbitMQ secrets engine

vault write rabbitmq/config/connection \
  connection_uri="http://rabbitmq-management.rabbitmq.svc.cluster.local:15672" \
  username="vault" \
  password="password"

  3. Create a Vault role for your namespace

vault write rabbitmq/roles/my-role \
  vhosts='{"/":{"write": ".*", "read": ".*"}}'

Authenticating your application with Vault

  1. Create a Kubernetes service account

kubectl create serviceaccount vault-auth -n app-namespace

  2. Create a Vault role

vault write auth/kubernetes/role/app-api-read \
  bound_service_account_names=vault-auth \
  bound_service_account_namespaces=app-namespace \
  policies=app-api-read \
  ttl=1h

  3. Create a policy

vault policy write app-api-read - <<EOF
path "kv/data/app/*" {
  capabilities = ["read"]
}
EOF
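Added example (not from this page or from the Vault project): how the application itself uses the service account and role from the steps above, exchanging its projected service account JWT for a Vault token over the HTTP API and then reading a kv-v2 secret. It assumes VAULT_ADDR is set, the pod runs as the vault-auth service account, and the mount and secret path are kv and app/config (placeholders); the kv_api_path helper also shows why the policy above says kv/data/app/* while the kv CLI commands earlier take paths without data/.

```python
"""App-side Vault login with the Kubernetes auth method, then a kv read.
Added example (not from vault.md); role/mount/path names are placeholders."""
import json
import os
import urllib.request

SA_TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def login_payload(role, jwt):
    """Body for POST /v1/auth/kubernetes/login. Vault sends the JWT to the
    Kubernetes TokenReview API and checks the role's bound SA name/namespace."""
    return {"role": role, "jwt": jwt}

def kv_api_path(mount, secret_path, kv_version=2):
    """Logical path -> HTTP API path. kv-v2 inserts 'data/' after the mount;
    that is why policies say 'kv/data/app/*' while 'vault kv put' takes
    'kv/app/...' and adds the prefix itself."""
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    if kv_version == 2:
        return "v1/%s/data/%s" % (mount, secret_path)
    return "v1/%s/%s" % (mount, secret_path)

def client_token(login_response):
    """Short-lived client token and its lease (seconds) from the login reply."""
    auth = login_response["auth"]
    return auth["client_token"], int(auth["lease_duration"])

def kv_secret_data(read_response, kv_version=2):
    """kv-v2 nests the secret under data.data (plus metadata); kv-v1 under data."""
    data = read_response["data"]
    return data["data"] if kv_version == 2 else data

def _request(url, token=None, body=None):
    """Minimal Vault HTTP call: POST with a JSON body, otherwise GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":  # run inside a pod using the vault-auth service account
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    jwt = open(SA_TOKEN_FILE).read().strip()
    token, lease = client_token(_request(addr + "/v1/auth/kubernetes/login",
                                         body=login_payload("app-api-read", jwt)))
    secret = kv_secret_data(_request(addr + "/" + kv_api_path("kv", "app/config"), token))
    print("token valid for %ds; secret keys: %s" % (lease, sorted(secret)))
```

The token Vault returns is limited to the app-api-read policy and the role's 1h TTL, so the application never holds the root token or a long-lived credential.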