In my last post I gave an overview of how you can use vault and kubernetes together. In this post I want to show how to use vaultconf to configure credentials for your kubernetes applications so they can read secrets from vault.
Before you start you will need:
- Vault v0.3
- A kubernetes cluster, with local configuration allowing you to talk to the API
- Docker
Configuration documents
vaultconf is designed to allow you to reconcile users and policies between configuration files and vault. Lets look at how to set these up:
Policy configuration
Policies set out rules for what can be accessed in vault. Policies should all be contained in a policies folder, whose structure should look like this (replacing the names with whatever you like):
- policies
- mynamespace1
- policy1.yaml
- policy2.yaml
- mynamespace2
- policy3.yaml
User configuration
Users should be contained in a users.yaml file. It defines which users you want in which namespaces, and what policies those users should have. Again you will find an example in the github repo.
Vault server
If you haven't got a vault server setup you can start one easily by running:
$ vault server -dev
Vault setup
Before you are able to use vaultconf you will first need some things setup in vault:
- Set your VAULT_ADDR and authenticate yourself. If using the dev vault server simply do:
$ export VAULT_ADDR=http://127.0.0.1:8200
- Enable the userpass auth backend:
$ vault auth-enable userpass
- Create a user for yourself with root access:
$ vault write auth/userpass/users/myusername password=mypassword policies=root
Kubernetes setup
Before using vaultconf ensure your kubernetes context is set to use the cluster you want the username and password secrets adding to. You will also need to ensure any namespaces are already created within this cluster.
Creating policies
The following command will add your policies to vault. Note the --net=host is only needed if you're connecting to a vault server running on your local machine.
$ docker run --net=host -v test/resources/policies:/policies quay.io/timgent/vaultconf:v0.1 policies -c /policies -u myusername -p mypassword -a http://localhost:8200
You should now be able to see your policies in vault:
$ vault policies
dev_myproject_reader
dev_myproject_writer
uat_anotherproject_apolicy
uat_myproject_reader
uat_myproject_writer
root
dev_myproject_writer
uat_anotherproject_apolicy
uat_myproject_reader
uat_myproject_writer
root
Creating users
IMPORTANT NOTE!
vaultconf will add kubernetes secrets for the vault usernames and passwords on whichever kubernetes cluster your .kube/config file is currently set to use.
$ docker run --net=host -v ~/.kube:/root/.kube -v ~/WORK/vaultconf/test/resources/users:/users
quay.io/timgent/vaultconf:v0.1
users -c /users/users.yaml -u myusername -p mypassword -a http://localhost:8200
You should now be able to see the secrets in kubernetes:
kubectl --namespace=dev-myproject get secrets
NAME TYPE DATA
mrread-vault Opaque 1
mrwrite-vault Opaque 1
Using the things you've created
Your applications can now mount in these secrets to gain their credentials for accessing vault. The file will look something like:
{"username":"myNamespace_testUser","password":"testPassword","method":"userpass"}
I hope to follow up with an example of how the vault-sidekick container can then use these credentials to talk to vault and make secrets available to your applications.
I'd really benefit a great deal from that second write-up about using vault-sidekick. Any chances of seeing that post soon?
ReplyDeleteNot immediately as we've had to take a different approach on my current project so I've not used it. However the docs should be in pretty good shape:
DeleteVault Sidekick
Please do raise issues on the repo if anything isn't clear or you're having trouble.
You might also be interested in a less sophisticated approach that can sometimes be suitable, using Amazon S3 and KMS.
s3secrets