Update
ledongthuc committed Jul 20, 2020
1 parent a7e5bef commit 4b4a91a
Showing 5 changed files with 112 additions and 0 deletions.
1 change: 1 addition & 0 deletions vault/.gitignore
@@ -1 +1,2 @@
unseal.key
cluster-keys.json
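Review bot: ignoring `cluster-keys.json` is necessary because the README's init step redirects the full `vault operator init` output, i.e. the unseal key and the root token, into that file in the working tree, but a `.gitignore` entry only keeps it out of commits; the file still sits in cleartext on disk next to the earlier `unseal.key` entry, which suggests the same material was previously kept in a second file. Consider adding a line to the README saying the file should be deleted (or moved into a password manager) once the unseal is done, and that the root token should be revoked as soon as a less privileged operator token exists.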
67 changes: 67 additions & 0 deletions vault/install-in-k8s/README.md
@@ -0,0 +1,67 @@
# Install Vault with k8s locally

## Prerequires

- Docker
- K8s (e.g. Minikube)
- Helm

## 1. Install Consul

This example use consul as default datasource

```
helm repo add hashicorp https://helm.releases.hashicorp.com;
helm install consul hashicorp/consul --values helm-consul-values.yml;
kubectl get pods;
```

## 2. Install Vault

```
helm install vault hashicorp/vault --values helm-vault-values.yml
kubectl get pods
```

## 3. Initialize and unseal Vault

```
kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json;
VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]");
kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY;
kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
kubectl get pods
```

## 5. Add an example secret

```
cat cluster-keys.json | jq -r ".root_token";
kubectl exec -it vault-0 -- /bin/sh;
vault login;
vault secrets enable -path=secret kv-v2;
vault kv put secret/webapp/config username="static-user" password="static-password";
vault kv get secret/webapp/config;
```

## 4. Connect Vault to k8s

```
vault auth enable kubernetes;
vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_444_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt;
vault policy write webapp - <<EOF
path "secret/data/webapp/config" {
capabilities = ["read"]
}
EOF;
vault write auth/kubernetes/role/webapp bound_service_account_names=vault bound_service_account_namespaces=default policies=webapp ttl=24h;
```

## 5. Deploy example k8s pod

```
kubectl apply --filename deployment-01-webapp.yml;
kubectl get pods;
kubectl port-forward $(kubectl get pod -l app=webapp -o jsonpath="{.items[0].metadata.name}") 8080:8080;
```
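Review bot: the `vault write auth/kubernetes/config` line in "Connect Vault to k8s" expands `$KUBERNETES_PORT_444_TCP_ADDR`, which is not a variable Kubernetes injects; the API server service is exposed as `KUBERNETES_PORT_443_TCP_ADDR` (matching the `:443` already in the same URL), so as written `kubernetes_host` becomes `https://:443` and every Kubernetes auth login will fail. In the same block the heredoc terminator is written `EOF;`, which the shell does not accept as the `EOF` delimiter, so the policy heredoc swallows the following `vault write auth/kubernetes/role/webapp ...` line; the semicolon has to come off the terminator line (or be dropped entirely, since the other lines in that fence are already separate commands). The section numbers run 1, 2, 3, 5, 4, 5: "Add an example secret" should be 4, "Connect Vault to k8s" 5 and "Deploy example k8s pod" 6, and the secret step has to stay before the policy step because `path "secret/data/webapp/config"` assumes the `kv-v2` mount already exists. `-key-shares=1 -key-threshold=1` and logging in with the root token are fine for a local Minikube walkthrough but are worth labelling as such so the snippet is not copied into a shared cluster. Minor: "Prerequires" should read "Prerequisites", and "This example use consul as default datasource" should read "This example uses Consul as the storage backend".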
29 changes: 29 additions & 0 deletions vault/install-in-k8s/deployment-01-webapp.yml
@@ -0,0 +1,29 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
labels:
app: webapp
spec:
replicas: 1
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
serviceAccountName: vault
containers:
- name: app
image: burtlo/exampleapp-ruby:k8s
imagePullPolicy: Always
env:
- name: SERVICE_PORT
value: "8080"
- name: JWT_PATH
value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
- name: VAULT_ADDR
value: "http://vault:8200"
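Review bot: `serviceAccountName: vault` runs the example app under the Vault server's own service account, which the Vault Helm chart binds to the `system:auth-delegator` ClusterRole so the server can call TokenReview; the webapp only needs a token it can present to `auth/kubernetes/login`, so give it a dedicated service account (for example `webapp`) and change `bound_service_account_names=vault` in the README's role definition to match, otherwise the Kubernetes auth role is effectively bound to anything that can obtain a Vault server pod token rather than to the app. Two smaller points: `image: burtlo/exampleapp-ruby:k8s` with `imagePullPolicy: Always` re-pulls a mutable third-party tag on every restart, so pin a digest if this manifest is kept around, and `VAULT_ADDR` of `http://vault:8200` sends the service account JWT and the returned Vault token in cleartext, which is only acceptable because the chart is installed with TLS disabled on a local cluster.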
11 changes: 11 additions & 0 deletions vault/install-in-k8s/helm-consul-values.yml
@@ -0,0 +1,11 @@
global:
datacenter: vault-kubernetes-guide

client:
enabled: true

server:
replicas: 1
bootstrapExpect: 1
disruptionBudget:
maxUnavailable: 0
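Review bot: `server.replicas: 1` with `bootstrapExpect: 1` gives a single Consul server, so the three Vault replicas the README unseals all depend on one storage pod, and `disruptionBudget.maxUnavailable: 0` will simply block a drain of that node rather than protect any quorum; that is fine for Minikube but the file should say so in a comment. The values also leave the chart defaults for ACLs, gossip encryption and TLS untouched, meaning any pod on the cluster can read and write Vault's storage keyspace over plain HTTP on port 8500. Vault encrypts what it stores, so this is mainly an integrity and availability exposure, but enabling `global.acls.manageSystemACLs`, `global.gossipEncryption` and `global.tls.enabled` is the first change needed before these values move beyond a local cluster.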
4 changes: 4 additions & 0 deletions vault/install-in-k8s/helm-vault-values.yml
@@ -0,0 +1,4 @@
server:
affinity: ""
ha:
enabled: true
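Review bot: `ha.enabled: true` without `ha.replicas` or `ha.config` relies on the chart defaults (three replicas and a Consul storage stanza pointing at the node-local client agent on `HOST_IP:8500`), and `affinity: ""` removes the pod anti-affinity so all three can schedule on the single Minikube node; both are fine locally but deserve a comment in the file so the intent is clear. More importantly the chart's `global.tlsDisable` default of `true` stays in effect, so the listener on 8200 is plaintext, which is why the README uses `http://vault:8200`; set `global.tlsDisable: false` and supply a certificate before reusing these values anywhere shared. Consider also pinning the chart version in the README's `helm install` so the default `ha.config` does not change underneath this setup.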